A subgroup of the Chinese state-sponsored hacking group APT41, known as Earth Longzhi, has been found to be using a new technique to disable security software, cybersecurity firm Trend Micro has reported. The group has been targeting organizations in the Philippines, Taiwan, and Thailand, and was observed using DLL sideloading via Windows Defender binaries and employing a bring-your-own-vulnerable-driver (BYOVD) attack, and a technique called ‘stack rumbling’ that involves Image File Execution Options (IFEO).
The group typically deploys the Behinder web shell, which provides backdoor capabilities, remote code execution, and a Socks5 proxy after exploiting vulnerable public-facing applications and Internet Information Services (IIS) and Microsoft Exchange servers.
Earth Longzhi was also observed abusing legitimate Windows Defender executables to sideload DLLs and execute malware such as Croxloader (a customized Cobalt Strike loader) and SPHijacker (a tool for disabling security products).
SPHijacker leverages a vulnerable Zemana driver to terminate security applications and then leverages stack rumbling to prevent the software from running by causing it to crash upon launch. This method, which causes a permanent DoS condition, targets roughly 30 antivirus-related processes.
Trend Micro discovered additional malicious tools linked to Earth Longzhi, such as the Roxwrapper loader and a new tool for privilege escalation.
The observed attacks focused on government, healthcare, manufacturing, and technology organizations in Fiji, the Philippines, Taiwan, and Thailand. This is the first time the Chinese threat actor has targeted entities in Fiji, Trend Micro says.
Trend Micro also discovered various decoy documents in Vietnamese and Indonesian, which were likely meant to be distributed via phishing emails to victims in Vietnam and Indonesia. The cybersecurity firm concludes that the group shows an inclination for using open-source projects to implement their own tools and spruces up its toolset during periods of inactivity.
