
A Chinese state-sponsored hacking outfit has resurfaced after more than six months of inactivity, this time targeting government, healthcare, technology, and manufacturing entities based in Taiwan, Thailand, the Philippines, and Fiji. Trend Micro attributed the intrusion set to a cyber espionage group it tracks under the name Earth Longzhi, a subgroup within APT41 (aka HOODOO or Winnti) that overlaps with other clusters known as Earth Baku, SparklingGoblin, and GroupCC.

Earth Longzhi was first documented by the cybersecurity firm in November 2022, when it detailed the group's attacks against organizations located in East and Southeast Asia as well as Ukraine.

Attack chains mounted by the threat actor use vulnerable public-facing applications as entry points to deploy the BEHINDER web shell, then use that access to drop additional payloads, including a new variant of a Cobalt Strike loader called CroxLoader.

"This recent campaign [...] abuses a Windows Defender executable to perform DLL sideloading while also exploiting a vulnerable driver, zamguard.sys, to disable security products installed on the hosts via a bring your own vulnerable driver (BYOVD) attack," Trend Micro said.

It's by no means the first time Earth Longzhi has used the BYOVD technique: previous campaigns relied on the vulnerable RTCore64.sys driver to restrict the execution of security products.

BYOVD is a serious threat to security products because it lets attackers disable them, which makes it harder for organizations to defend themselves. Trend Micro recommends that organizations keep their security products up to date and monitor their systems for suspicious activity.
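As an added illustration of the monitoring Trend Micro recommends (example code written for this page, not from the article or from Trend Micro), the script below flags the two behaviours described above over constructed Sysmon-style log lines: a kernel driver load of one of the named vulnerable drivers, and a vendor binary running outside its expected install directory while loading a DLL from that same directory. The `secvendor.exe` name, its install path, and the log line format are hypothetical.

```python
# Added example, not code from the article or from Trend Micro: flag, over
# constructed Sysmon-style log lines, the two behaviours the report describes.
#   1. BYOVD: a driver load (Sysmon Event ID 6) whose file name is one of the
#      vulnerable drivers named in the report (zamguard.sys, RTCore64.sys).
#   2. DLL sideloading: an image load (Event ID 7) where a trusted vendor binary
#      runs outside its expected install path and loads a DLL from that directory.
# "secvendor.exe" and its install path are hypothetical placeholders.
from collections import namedtuple

Finding = namedtuple("Finding", "rule detail")

# Drivers the report names as abused for BYOVD (compared case-insensitively).
VULNERABLE_DRIVERS = {"zamguard.sys", "rtcore64.sys"}

# Hypothetical: expected install directory of a vendor binary worth watching.
EXPECTED_DIR = {"secvendor.exe": r"c:\program files\secvendor"}

def parse(line):
    """Constructed line format: 'EventID=7 | Image=<path> | ImageLoaded=<path>'."""
    return dict(kv.split("=", 1) for kv in line.split(" | "))

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def dirname(path):
    return path.rsplit("\\", 1)[0].lower()

def analyse(lines):
    findings = []
    for line in lines:
        ev = parse(line)
        loaded = ev.get("ImageLoaded")
        if not loaded:
            continue
        if ev["EventID"] == "6" and basename(loaded) in VULNERABLE_DRIVERS:
            findings.append(Finding("byovd", basename(loaded)))
        elif ev["EventID"] == "7":
            exe = basename(ev["Image"])
            expected = EXPECTED_DIR.get(exe)
            # Off-path vendor binary pulling a DLL from its own directory.
            if expected and dirname(ev["Image"]) != expected \
                    and dirname(loaded) == dirname(ev["Image"]):
                findings.append(Finding("sideload", f"{exe} <- {basename(loaded)} in {dirname(loaded)}"))
    return findings

# Constructed sample events; only the third and fourth lines should fire.
SAMPLE_LOG = [
    r"EventID=1 | Image=C:\Windows\System32\svchost.exe",
    r"EventID=7 | Image=C:\Program Files\SecVendor\secvendor.exe | ImageLoaded=C:\Program Files\SecVendor\helper.dll",
    r"EventID=7 | Image=C:\Users\Public\Libs\secvendor.exe | ImageLoaded=C:\Users\Public\Libs\helper.dll",
    r"EventID=6 | Image=System | ImageLoaded=C:\Users\Public\Libs\zamguard.sys",
    r"EventID=6 | Image=System | ImageLoaded=C:\Windows\System32\drivers\ndis.sys",
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f.rule, f.detail)
```

Real deployments would feed this from Sysmon or EDR telemetry and pair the driver check with Microsoft's vulnerable driver blocklist rather than a two-entry set.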