After lying low for several months, the Chinese advanced persistent threat group Earth Longzhi has reemerged in the cybercriminal landscape. Its new campaign targets Windows Defender inside the compromised environment by leveraging the BYOVD (bring your own vulnerable driver) attack tactic and a new technique called stack rumbling.
Researchers confirmed that the Chinese threat group’s primary targets are manufacturing, government, technology, and healthcare organisations. Fiji is the newest addition to Earth Longzhi’s target list, joining the Philippines, Taiwan, and Thailand.
Numerous attack samples contained decoy documents written in Vietnamese and Indonesian, indicating that Vietnam and Indonesia could be the APT group’s next targeted countries.
The Earth Longzhi operation targets internet-exposed servers to acquire initial access.
According to investigations, the Earth Longzhi group prioritises internet-exposed IIS and MS Exchange servers to acquire access instead of targeting its victims with standard phishing emails. This tactic allows the group to install the Behinder webshell on the compromised systems.
In addition, the attackers use DLL sideloading to disguise the malware as a legitimate DLL. Furthermore, the group uses authentic Windows Defender binaries to load the malware.
Earth Longzhi could also install malicious tools called SPHijacker and Croxloader through the same sideloading tactic. SPHijacker is a new anti-detection tool that terminates running security products. It uses two different strategies to deactivate them: a new denial-of-service method, or exploiting vulnerable drivers through the BYOVD attack strategy to disable Windows Defender.
Croxloader, on the other hand, is the malicious DLL that reads and decrypts the attackers’ final payload, a Cobalt Strike beacon.
The Earth Longzhi group has been expanding its threat landscape to other regions of Asia. Additionally, the group has used new tools and tactics to reduce the risk of exposure and avoid threat analysis.
Some researchers believe that Earth Longzhi’s hiatus enabled the group to develop an effective expansion strategy that would allow it to target more countries. Experts advise that defences against these attacks require continuous review and development.