The Earth Zhulong APT group has been running targeted intrusion campaigns against Vietnamese organisations. The group has been active for more than two years, and researchers assess that it is linked to the Chinese-speaking threat group 1937CN.
Based on the reports, the group's tactics, techniques and procedures (TTPs) and its attack tooling continue to evolve. Over that period it has targeted several sectors in Vietnam, including telecommunications, information technology (IT) and media.
The group has also kept refining its shellcode loader, ShellFang, which now incorporates several obfuscation techniques to hide its activity from analysts.
Researchers further observed that the group has acquired a Go-based backdoor called MACAMAX, the EarthWorm network penetration tool, and an infostealer capable of harvesting internal data.
According to the investigation, Earth Zhulong has been upgrading ShellFang continuously since 2017, and the loader has gone through three significant versions between 2017 and 2022.
The first major variant appeared in 2020: it reads the encrypted payload, decrypts it and executes it in memory. The second variant followed a year later; it replaces the XOR routine with RC4 decryption but otherwise leaves the code structure unchanged.
The third variant appeared in 2022 and adds anti-analysis features: execution flow is obscured through API hashing and abuse of the exception-handling mechanism. A practical consequence of API hashing is that the loader no longer carries the names of the Windows APIs it calls, so a plain string search for imports such as memory-allocation or thread-creation functions reveals nothing about its intent.
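To make the two loader behaviours above concrete, here is an added analyst-side example (not ShellFang code, and not code from the researchers' report): it recovers an in-memory payload by trying the first-variant scheme (repeating-key XOR) and then the second-variant scheme (RC4), and it resolves hashed API names of the kind the third variant uses by pre-computing a hash table over a DLL's export names. The key, blob layout, payload-prologue heuristics, sample export list and the ROR13 hash function are all assumptions chosen for illustration; the page does not state which key, format or hash algorithm the real loader uses.

```python
"""Illustrative helpers for a shellcode loader of the kind described above.

Added example, not the loader's own code. Assumed (not from the report):
the key, the blob layout, the prologue heuristics and the ROR13 hash.
"""
from typing import Callable, Dict, Iterable, List, Optional, Tuple


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the first-variant style of payload protection."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rc4_crypt(data: bytes, key: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: encrypts and decrypts alike."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:                             # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Assumption: a decryption attempt is accepted when the output starts like a
# PE image or like a common x86/x64 position-independent shellcode prologue.
KNOWN_PROLOGUES = (
    b"MZ",                        # PE header
    b"\xfc\x48\x83\xe4\xf0\xe8",  # cld; and rsp,-16; call   (typical x64 stager)
    b"\xfc\xe8",                  # cld; call                (typical x86 stager)
)


def looks_like_payload(data: bytes) -> bool:
    return any(data.startswith(p) for p in KNOWN_PROLOGUES)


def recover_payload(blob: bytes, key: bytes) -> Optional[Tuple[str, bytes]]:
    """Try the XOR (first variant) then RC4 (second variant) scheme and return
    (scheme, plaintext) for the first plausible result, or None."""
    for scheme, fn in (("xor", xor_decrypt), ("rc4", rc4_crypt)):
        candidate = fn(blob, key)
        if looks_like_payload(candidate):
            return scheme, candidate
    return None


def ror13_hash(name: str) -> int:
    """A simple 32-bit ROR13 hash of an API name; illustrative only."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def build_hash_table(exports: Iterable[str],
                     hash_fn: Callable[[str], int] = ror13_hash) -> Dict[int, str]:
    """Pre-compute hash -> export name so hashed imports can be named again."""
    table: Dict[int, str] = {}
    for name in exports:
        h = hash_fn(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]!r} vs {name!r}")
        table[h] = name
    return table


def resolve_hashes(hashes: Iterable[int], table: Dict[int, str]) -> List[str]:
    """Map hashed imports back to names; unknown hashes are kept visible."""
    return [table.get(h, f"UNKNOWN_{h:08x}") for h in hashes]


# Constructed sample data for a stand-alone run (not from a real sample).
SAMPLE_KEY = b"illustrative-key"
SAMPLE_PLAINTEXT = b"\xfc\x48\x83\xe4\xf0\xe8" + b"\x90" * 10
SAMPLE_XOR_BLOB = xor_decrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)  # XOR is its own inverse
SAMPLE_RC4_BLOB = rc4_crypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)
SAMPLE_EXPORTS = ["VirtualAlloc", "VirtualProtect", "CreateThread",
                  "WriteProcessMemory", "LoadLibraryA", "GetProcAddress"]

if __name__ == "__main__":
    print(recover_payload(SAMPLE_XOR_BLOB, SAMPLE_KEY))
    print(recover_payload(SAMPLE_RC4_BLOB, SAMPLE_KEY))
    table = build_hash_table(SAMPLE_EXPORTS)
    print(resolve_hashes([ror13_hash("VirtualAlloc"), 0xDEADBEEF], table))
```

The hash-table step is the important one for the third variant: once an analyst has guessed or reverse-engineered the hash routine, every hashed import in the binary can be named again in one pass, which restores the visibility that API hashing was meant to remove.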
For initial access, Earth Zhulong has relied on malicious documents carrying macros, a technique the group has not changed since 2020.
When the document is opened and the macro runs, it injects shellcode into a running process; the shellcode then connects back to the group's command-and-control server.
Cybersecurity experts describe Earth Zhulong as a group focused on Vietnam, but they believe its evolving TTPs could soon be turned on other countries in Southeast Asia and beyond.
Organisations should defend against these operations with anti-malware and firewall controls. Because the group's initial access depends on macro-enabled documents, restricting macro execution is a directly relevant mitigation.