New “Earth Longzhi” APT Targets Ukraine and Asian Countries with Custom Cobalt Strike Loaders

Entities located in East and Southeast Asia as well as Ukraine have been targeted since at least 2020 by a previously undocumented subgroup of APT41, a prolific Chinese advanced persistent threat (APT).

Cybersecurity firm Trend Micro, which christened the espionage crew Earth Longzhi, said the actor's long-running campaign can be split into two based on the toolset deployed to attack its victims.

The first wave, from May 2020 to February 2021, is said to have targeted government, infrastructure, and healthcare industries in Taiwan and the banking sector in China, while the succeeding set of intrusions, from August 2021 to June 2022, infiltrated high-profile victims in Ukraine and several countries in Asia.

This included defense, aviation, insurance, and urban development industries in Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan, and Ukraine.

The victimology patterns and the targeted sectors overlap with attacks mounted by a distinct sister group of APT41 (aka Winnti) known as Earth Baku, the Japanese cybersecurity company added.

Some of Earth Baku's malicious cyber activities have been tied to groups tracked by other cybersecurity firms, ESET and Symantec, under the names SparklingGoblin and Grayfly, respectively.

"SparklingGoblin's Tactics, Techniques and Procedures (TTPs) partially overlap with APT41 TTPs," ESET researcher Mathieu Tartare previously told The Hacker News. "Grayfly's definition given by Symantec seems to (at least partially) overlap with SparklingGoblin."

Now Earth Longzhi adds another piece to the APT41 attack puzzle, with the actor also sharing links to a third subgroup dubbed GroupCC (aka APT17, Aurora Panda, or Bronze Keystone).

Attacks orchestrated by the hacker group leverage spear-phishing emails as the initial entry vector. These messages are known to embed password-protected archives or links to files hosted on Google Drive that, when opened, launch a Cobalt Strike loader dubbed CroxLoader.

In some cases, the group has been observed weaponizing remote code execution flaws in publicly exposed applications to deliver a web shell capable of dropping a next-stage loader called Symatic that is engineered to deploy Cobalt Strike.

Also put to use as part of its post-exploitation activities is an "all-in-one tool," which combines several publicly available and custom capabilities in a single package and is believed to have been available since September 2014.

The second series of attacks initiated by Earth Longzhi follows a similar pattern, the main difference being the use of different Cobalt Strike loaders named CroxLoader, BigpipeLoader, and OutLoader to drop the red team framework on infected hosts.

The recent attacks further stand out for using bespoke tools that can disable security software, dump credentials using a modified version of Mimikatz, and leverage flaws in the Windows Print Spooler component (i.e., PrintNightmare) to escalate privileges.

What's more, incapacitating the installed security solutions is pulled off by a technique called bring your own vulnerable driver (BYOVD), which involves the exploitation of a known flaw in the RTCore64.sys driver (CVE-2019-16098).

This is accomplished using ProcBurner, a tool for killing specific running processes, while another custom malware called AVBurner is used to unregister the endpoint detection and response (EDR) system by removing process creation callbacks, a mechanism that was detailed by a security researcher who goes by the alias brsn in August 2020.

It's worth noting that the old version of the RTCore64.sys driver, which still carries a valid digital signature, has been put to use by several threat actors such as BlackByte and OldGremlin over the past few months.
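Because the abused RTCore64.sys build is validly signed, signature checks alone will not catch a BYOVD load; defenders typically watch driver-load telemetry for known-abused driver names or hashes and for drivers loaded from unexpected paths. The following is an added Python example written for this article, not code from Trend Micro or from the campaign; it scans constructed Sysmon-style DriverLoad (Event ID 6) records, using the real Sysmon field names ImageLoaded, Signed and Signature. The log format, the sample records, the signer string and the expected-directory list are assumptions, and the deny-list contains only the driver the article names.

```python
"""Flag driver loads that match BYOVD indicators in Sysmon-style records.

Constructed example: records are 'Key=Value' pairs separated by ' | ',
mirroring the fields of a Sysmon Event ID 6 (DriverLoad) event.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Driver file names known to be abused for BYOVD. RTCore64.sys is the
# driver named in the article (CVE-2019-16098). Production deployments
# should match on file hashes (for example from a maintained vulnerable
# driver list) rather than names, since a renamed copy evades a name match.
KNOWN_ABUSED_DRIVERS = {"rtcore64.sys"}

# Assumed directories from which legitimate driver loads are expected.
# A driver loaded from a user-writable location is suspicious on its own.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


@dataclass
class Finding:
    image: str
    reasons: List[str] = field(default_factory=list)


def parse_record(line: str) -> Dict[str, str]:
    """Split one 'Key=Value | Key=Value' record into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def assess_driver_load(fields: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding if the driver load shows any BYOVD indicator."""
    image = fields.get("ImageLoaded", "")
    name = image.rsplit("\\", 1)[-1].lower()
    reasons: List[str] = []
    if name in KNOWN_ABUSED_DRIVERS:
        reasons.append(f"known abused driver: {name}")
    if image and not image.lower().startswith(EXPECTED_DRIVER_DIRS):
        reasons.append("driver loaded from non-standard path")
    if fields.get("Signed", "").lower() != "true":
        reasons.append("unsigned driver")
    return Finding(image, reasons) if reasons else None


def scan(lines: List[str]) -> List[Finding]:
    """Run the assessment over every DriverLoad (EventID 6) record."""
    findings: List[Finding] = []
    for line in lines:
        fields = parse_record(line)
        if fields.get("EventID") != "6":
            continue  # only driver-load events are relevant here
        finding = assess_driver_load(fields)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry: one benign load, one BYOVD-style load of
# the article's driver from a user-writable path, one unrelated process
# event, and one unsigned driver from the expected directory.
SAMPLE_LOG = [
    "EventID=6 | ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys"
    " | Signed=true | Signature=Microsoft Windows",
    "EventID=6 | ImageLoaded=C:\\Users\\Public\\RTCore64.sys"
    " | Signed=true | Signature=ExampleVendor (constructed)",
    "EventID=1 | Image=C:\\Windows\\System32\\cmd.exe | CommandLine=cmd.exe",
    "EventID=6 | ImageLoaded=C:\\Windows\\System32\\drivers\\unknown.sys"
    " | Signed=false | Signature=",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit.image, "->", "; ".join(hit.reasons))
```

Running the block prints two hits: the RTCore64.sys load is flagged both by name and by its user-writable path even though the record says it is signed, which is exactly the gap a signature-only control leaves open; the unsigned driver is flagged separately.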

"[Earth Longzhi's] target sectors are in industries pertinent to Asia-Pacific countries' national security and economies," the researchers said. "The activities in these campaigns show that the group is knowledgeable on red team operations."

"The group uses social engineering techniques to spread its malware and deploy customized hack tools to bypass the security of security products and steal sensitive data from compromised machines."
