
Earth Longzhi APT Targets Asian Countries Using Custom Cobalt Strike Loaders

A new APT group, Earth Longzhi, reportedly targeted organizations in East Asia, Southeast Asia, and Ukraine using a Cobalt Strike loader. The group, active since at least 2020, is considered a subgroup of the state-backed hacking group APT41.

Attack campaign details

According to Trend Micro's report, Earth Longzhi launched two campaigns. The first occurred between May 2020 and February 2021 and the second one from August 2021 to June 2022.
  • The first campaign targeted the government, infrastructure, academic, and healthcare sectors in Taiwan and the banking sector in China.
  • The second campaign was aimed at high-profile victims in the defense, aviation, insurance, and urban development industries in China, Taiwan, Thailand, Malaysia, Indonesia, Pakistan, and Ukraine.

Attack vector

In both campaigns, Earth Longzhi used spear-phishing emails as a primary entry vector and social engineering techniques to deliver malware. 
  • The threat actors delivered malicious archive files containing the malware directly, or sent malicious links that redirected victims to archive files hosted on Google Drive.
  • In some cases, the group exploited publicly available applications to deliver the malware and the other hacking tools needed for its intrusion routine.

TTPs for the first campaign

  • Earth Longzhi used a custom Cobalt Strike loader called Symatic loader with detection evasion techniques, along with custom hacking tools.
  • The group utilized an all-in-one tool that combined all the required publicly available and custom tools in one package.
  • This compressed tool enabled it to complete multiple tasks by using a single executable in its post-exploitation operations.

Second campaign TTPs

  • During the second campaign, the group used several customized Cobalt Strike loaders, namely CroxLoader, BigpipeLoader, and OutLoader, along with other hacking tools.
  • The tools were used for privilege escalation (PrintNightmare and PrintSpoofer), credential dumping (modified Mimikatz), and defense evasion (ProcBurner and AVBurner).

Connections with APT41

  • Earth Longzhi's victimology and TTPs were found similar to an APT41 subgroup, Earth Baku.
  • The decryption algorithms in Symatic Loader and CroxLoader are quite similar to the ones leveraged by GroupCC, another subgroup of APT41.

Conclusion

Earth Longzhi combined commodity malware with custom tools in order to stay under the radar. Since the group is targeting national security and economic infrastructure in its ongoing campaign, it is highly likely that other APT41 subgroups could also leverage the tools discussed above against potential victims.
Cyware Publisher