Facebook Twitter Instagram
    • Privacy Policy
    • Contact Us
    Facebook Twitter Instagram Pinterest Vimeo
    AI Home SecurityAI Home Security
    • Home
    • Home Security
    • Cyber Security
    • Biometric Technology
    Contact
    AI Home SecurityAI Home Security
    Cyber Security

    Chinese Hacker Group Earth Longzhi Resurfaces with Advanced Malware Tactics

    justmattgBy justmattgMay 4, 2023No Comments4 Mins Read

    [ad_1]

    May 03, 2023Ravie LakshmananCyber Espionage / Malware

    Chinese Hacker Group

    A Chinese state-sponsored hacking outfit has resurfaced with a new campaign targeting government, healthcare, technology, and manufacturing entities based in Taiwan, Thailand, the Philippines, and Fiji after more than six months of no activity.

    Trend Micro attributed the intrusion set to a cyber espionage group it tracks under the name Earth Longzhi, which is a subgroup within APT41 (aka HOODOO or Winnti) and shares overlaps with various other clusters known as Earth Baku, SparklingGoblin, and GroupCC.

    Earth Longzhi was first documented by the cybersecurity firm in November 2022, detailing its attacks against various organizations located in East and Southeast Asia as well as Ukraine.

    Attack chains mounted by the threat actor leverage vulnerable public-facing applications as entry points to deploy the BEHINDER web shell, and then leverage that access to drop additional payloads, including a new variant of a Cobalt Strike loader called CroxLoader.

    Cybersecurity

    “This recent campaign […] abuses a Windows Defender executable to perform DLL sideloading while also exploiting a vulnerable driver, zamguard.sys, to disable security products installed on the hosts via a bring your own vulnerable driver (BYOVD) attack,” Trend Micro said.

    It’s by no means the first time Earth Longzhi has leveraged the BYOVD technique, what with previous campaigns utilizing the vulnerable RTCore64.sys driver to restrict the execution of security products.

    The malware, dubbed SPHijacker, also employs a second method referred to as “stack rumbling” to achieve the same objective, which entails making Windows Registry changes to interrupt the process execution flow and deliberately cause the targeted applications to crash upon launch.

    “This technique is a type of [denial-of-service] attack that abuses undocumented MinimumStackCommitInBytes values in the [Image File Execution Options] registry key,” Trend Micro explained.

    Chinese Hacker Group

    “The value of MinimumStackCommitInBytes associated with a specific process in the IFEO registry key will be used to define the minimum size of stack to commit in initializing the main thread. If the stack size is too large, it will trigger a stack overflow exception and terminate the current process.”

    The twin approaches are far from the only methods that can be used to impair security products. Deep Instinct, last month, detailed a new code injection technique christened Dirty Vanity that exploits the remote forking mechanism in Windows to blindside endpoint detection systems.

    What’s more, the driver payload is installed as a kernel-level service using Microsoft Remote Procedure Call (RPC) as opposed to Windows APIs to evade detection.

    UPCOMING WEBINAR

    Learn to Stop Ransomware with Real-Time Protection

    Join our webinar and learn how to stop ransomware attacks in their tracks with real-time MFA and service account protection.

    Save My Seat!

    Also observed in the attacks is the use of a DLL-based dropper named Roxwrapper to deliver another Cobalt Strike loader labeled BigpipeLoader as well as a privilege escalation tool (dwm.exe) that abuses the Windows Task Scheduler to launch a given payload with SYSTEM privileges.

    The specified payload, dllhost.exe, is a downloader that’s capable of retrieving next-stage malware from an actor-controlled server.

    It’s worth pointing out here that dwm.exe is based on an open source proof-of-concept (PoC) available on GitHub, suggesting that the threat actor is drawing inspiration from existing programs to hone its malware arsenal.

    Trend Micro further said it identified decoy documents written in Vietnamese and Indonesian, indicating potential attempts to target users in the two countries in the future.

    “Earth Longzhi remains active and continues to improve its tactics, techniques, and procedures (TTPs),” security researchers Ted Lee and Hara Hiroaki noted. “Organizations should stay vigilant against the continuous development of new stealthy schemes by cybercriminals.”

    Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.



    [ad_2]

    Source link

    Previous ArticleGoogle Introduces Passwordless Secure Sign-In with Passkeys for Google Accounts
    Next Article Researchers Discover 3 Vulnerabilities in Microsoft Azure API Management Service
    justmattg
    • Website

    Related Posts

    Cyber Security

    Name That Toon: Last Line of Defense

    April 16, 2024
    Cyber Security

    OpenJS Foundation Targeted in Potential JavaScript Project Takeover Attempt

    April 16, 2024
    Cyber Security

    Middle East Cyber Ops Intensify, With Israel the Main Target

    April 16, 2024
    Add A Comment

    Leave A Reply Cancel Reply

    Facebook Twitter Instagram Pinterest
    • Privacy Policy
    • Contact Us
    AI Home Security © 2025 All rights reserved | Designed By ESmartsSolution

    Type above and press Enter to search. Press Esc to cancel.

    ↑