APT41 Subgroup Plows Through Asia-Pacific, Utilizing Layered Stealth Tactics
Cyber Security Threat Summary:
APT41 is a well-known Chinese cyber threat that is made up of various subgroups. The group has previously used a variety of tactics over the years to carry out espionage attacks against government agencies, businesses, and individuals. The group's attacks against the US government have led to indictments of its members by US law enforcement. On May 2, Trend Micro researchers reported that Earth Longzhi, a suspected subgroup of APT41, has launched a new campaign after almost a year of inactivity with more advanced stealth tactics to carry out espionage campaigns against the same types of targets.
"Rather than tried-and-true phishing emails, Earth Longzhi has tended to target public-facing Internet Information Services (IIS) and Microsoft Exchange servers as inroads to install the popular Behinder Web shell. Using Behinder, it can gather information and download further malware onto host systems. Further, the group has utilized dynamic link library (DLL) sideloading, disguising malware as a legitimate DLL — MpClient.dll — to trick the legitimate Windows Defender binaries MpDlpCmd[.]exe and MpCmdRun[.]exe into loading it. Earth Longzhi primarily delivers two types of malware, according to Trend Micro: Croxloader, a loader for Cobalt Strike, and a new anti-detection tool called SPHijacker[.]SPHijacker is specially designed to disable security products in their tracks, either by utilizing a vulnerable driver — zamguard.sys — or by abusing the undocumented "MinimumStackCommitInBytes" values in the IFEO registry key to perform a kind of denial of service" (DarkReading, 2023).
According to James Lively, an endpoint security research specialist at Tanium, the methods used by Earth Longzhi are not particularly advanced. However, he notes that the group's ability to use these methods effectively and accurately requires a high level of knowledge, understanding, and skill.
Security Officer Comments:
During their latest campaign, Earth Longzhi targeted organizations in various industries including government, health care, technology, and manufacturing across the Philippines, Thailand, Taiwan, and Fiji, which was a new target for the group. However researchers discovered that the group created decoy documents in Vietnamese and Indonesian, which suggests that they may be planning to target users in those countries in their next wave of attacks. Given Earth Longzhi's history of targeting vulnerable, internet-exposed servers, organizations in the Asia-Pacific region need to ensure that all their public-facing systems are fully patched and updated to avoid becoming the group's next victim.
Suggested Corrections:
Trend Micro has published IOC’s that can be used to detect the Earth Longzhi subgroup:
https://www.trendmicro.com/en_us/re...ns-earth-longzhi-returns-with-new-tricks.html
Link:
https://www.darkreading.com/vulnera...sia-pacific-utilizing-layered-stealth-tactics