Earth Longzhi, a China-based APT group known for targeting organizations in East and Southeast Asia, is back in action after several months of inactivity. In its ongoing campaign it targets Windows Defender in the victim environment, abusing it either through a BYOVD (bring your own vulnerable driver) attack or through a new technique dubbed 'stack rumbling.'
Who are the targets?
According to Trend Micro, Earth Longzhi’s campaign is targeting organizations in the healthcare, manufacturing, technology, and government sectors.
In addition to its previous targets, which include the Philippines, Thailand, and Taiwan, the group has started targeting Fiji-based organizations for the first time.
Several decoy documents were found written in Indonesian and Vietnamese languages, indicating that these could be the next targets of the group.
Modus Operandi
Instead of targeting its victims with the usual phishing emails, Earth Longzhi goes after internet-exposed IIS and Microsoft Exchange servers to gain access to the network and install the Behinder web shell.
The attackers use the DLL sideloading technique, masquerading the malware as the legitimate file MpClient.dll.
Legitimate Windows Defender binaries (MpDlpCmd.exe and MpCmdRun.exe) are used to load the malware.
Post-infection payloads
Through this sideloading, it deploys two different malicious tools: Croxloader and SPHijacker.
Croxloader, disguised as MpClient.dll, reads and decrypts the final payload, identified as a Cobalt Strike beacon.
SPHijacker is a new anti-detection tool designed to terminate running security products. It disables them in one of two ways.
It uses a new denial-of-service tactic, dubbed stack rumbling, via Image File Execution Options (IFEO).
Alternatively, it exploits the vulnerable driver zamguard64.sys via the BYOVD technique to disable Windows Defender.
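From the defender's side, the three behaviours described above (the MpClient.dll sideload through MpCmdRun.exe or MpDlpCmd.exe, IFEO tampering against security-product processes, and the loading of zamguard64.sys) map directly onto telemetry most Windows estates already collect. The following Python script is an added example written for this article, not Trend Micro's tooling or anything from the group's toolset; it expresses each behaviour as a detection rule and runs the rules over a few constructed Sysmon-style JSON events. The trusted Defender install paths, the list of protected process names, and the sample events are assumptions made for the demo.

```python
"""Detection rules for the Earth Longzhi behaviours described in the article.

Added example, not code from the article or from Trend Micro. Events are
modelled on Sysmon event IDs 7 (ImageLoad), 13 (RegistryValueSet) and
6 (DriverLoad); the sample log below is constructed for this demo.
"""
import json
from typing import Iterable, List, Optional, Tuple

# Legitimate Defender binaries the article names as sideloading hosts.
DEFENDER_HOSTS = {"mpcmdrun.exe", "mpdlpcmd.exe"}

# Directories where a genuine MpClient.dll is expected (assumption: default
# Defender install/platform paths). Loads from anywhere else are flagged.
TRUSTED_DLL_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)

# Vulnerable driver the article names as the BYOVD component.
BYOVD_DRIVERS = {"zamguard64.sys"}

# Security-product processes whose IFEO subkeys should never be written
# outside change control (assumed list; extend for other AV/EDR products).
PROTECTED_PROCESSES = {"msmpeng.exe", "mpcmdrun.exe", "mpdlpcmd.exe"}
IFEO_PREFIX = (
    "hklm\\software\\microsoft\\windows nt\\currentversion\\"
    "image file execution options\\"
)


def check_event(ev: dict) -> Optional[Tuple[str, str]]:
    """Return (rule_name, detail) if the event matches a rule, else None."""
    eid = ev.get("EventID")

    if eid == 7:  # ImageLoad: a DLL was mapped into a process
        host = ev["Image"].rsplit("\\", 1)[-1].lower()
        loaded = ev["ImageLoaded"].lower()
        if (host in DEFENDER_HOSTS
                and loaded.endswith("\\mpclient.dll")
                and not loaded.startswith(TRUSTED_DLL_DIRS)):
            return ("dll_sideload", f"{host} loaded {ev['ImageLoaded']}")

    elif eid == 13:  # RegistryValueSet
        target = ev["TargetObject"].lower()
        if target.startswith(IFEO_PREFIX):
            # First path element after the IFEO key is the targeted executable;
            # the rule fires on any value written under that subkey.
            exe = target[len(IFEO_PREFIX):].split("\\", 1)[0]
            if exe in PROTECTED_PROCESSES:
                return ("ifeo_tamper", f"{exe} <- {ev['TargetObject']}")

    elif eid == 6:  # DriverLoad
        drv = ev["ImageLoaded"].rsplit("\\", 1)[-1].lower()
        if drv in BYOVD_DRIVERS:
            return ("byovd", f"vulnerable driver loaded: {ev['ImageLoaded']}")

    return None


def scan(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Run every rule over a stream of JSON event lines; skip blank lines."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        hit = check_event(json.loads(line))
        if hit:
            hits.append(hit)
    return hits


# Constructed sample log: one benign process start, one legitimate Defender
# DLL load, and one event for each of the three malicious behaviours. The
# IFEO value name is taken from Trend Micro's public description of stack
# rumbling; the rule itself does not depend on which value is written.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe"}
{"EventID": 7, "Image": "C:\\Program Files\\Windows Defender\\MpCmdRun.exe", "ImageLoaded": "C:\\Program Files\\Windows Defender\\MpClient.dll"}
{"EventID": 7, "Image": "C:\\Users\\Public\\MpCmdRun.exe", "ImageLoaded": "C:\\Users\\Public\\MpClient.dll"}
{"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\MsMpEng.exe\\MinimumStackCommitInBytes"}
{"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\zamguard64.sys"}
"""

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_LOG.splitlines()):
        print(f"[{rule}] {detail}")
```

Run as-is, the script reports one hit per malicious behaviour and stays silent on the benign events. The sideload rule keys on the combination of a Defender host process and an MpClient.dll loaded from outside the trusted directories, which is what separates the technique from Defender's own routine DLL loads; the IFEO and driver rules are simple allowlist/denylist checks that a SIEM rule or Sysmon configuration can express the same way.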
Concluding notes
The Earth Longzhi group is aggressively expanding the scope of its attacks to new regions. Moreover, to reduce the risk of exposure, it is using new tools and tactics such as SPHijacker. It has probably used its several months of inactivity to chalk out its expansion strategy. Protection against such threats demands a proactive defense strategy with continuous review and development of the security posture.