Earth Longzhi’s Cyber Attack: New Techniques Target Asia-Pacific Organizations

Earth Longzhi
Infection routine used by Earth Longzhi | Image: Trend Micro

Researchers from Trend Micro have uncovered a new campaign by Earth Longzhi, a subgroup of APT41, which targets organizations in Taiwan, Thailand, the Philippines, and Fiji. The campaign, following months of inactivity, exploits Windows Defender executables and a vulnerable driver to disable security products through a bring-your-own-vulnerable-driver (BYOVD) attack, introducing a new technique called “stack rumbling” via Image File Execution Options (IFEO) for denial-of-service (DoS).

Infection routine used by Earth Longzhi | Image: Trend Micro

The campaign also stealthily installs drivers as kernel-level services using Microsoft Remote Procedure Call (RPC) rather than general Windows APIs, evading API monitoring. Earth Longzhi’s new campaign samples show a preference for exploiting public-facing applications, IIS servers, and Microsoft Exchange servers to install the powerful Behinder web shell, instead of sending document-based malware via email. The web shell allows malicious actors to uncover intranet information and deploy further malware on compromised machines.

In this new campaign, malware is launched through legitimate Windows Defender binaries and disguised as a legitimate DLL. Two types of malware are launched through this technique: a new variant of Croxloader and a tool dubbed “SPHijacker” that disables security products. The new Croxloader variant is launched as a system service and uses a different decryption algorithm, while the final payload is identified as a Cobalt Strike beacon.

SPHijacker, designed to disable security products, employs two approaches: terminating the security product process using a vulnerable driver and disabling process launching using the new “stack rumbling” technique. This is the first time this technique has been seen in the wild.

During threat hunting, researchers discovered related samples and a new component, dwm.exe, which is a new privilege escalation tool abusing Task Scheduler. Decoy documents written in Vietnamese and Indonesian suggest Earth Longzhi may target users in these countries next.

The new tool, dwm.exe, is used for privilege escalation and is based on an open-source proof of concept on GitHub. It replaces the image path name and command-line information for defense evasion and uses the COM object to bypass the Windows UAC mechanism, registering the payload as a scheduled task with the highest privilege.

Earth Longzhi’s new campaign targets organizations in government, healthcare, technology, and manufacturing sectors in the Philippines, Thailand, Taiwan, and Fiji. Based on the embedded documents in the samples, Vietnam and Indonesia could be the group’s next target countries. This campaign highlights Earth Longzhi’s continued activity and improvements in its tactics, techniques, and procedures (TTPs).