Hack the Real Box: APT41’s New Subgroup Earth Longzhi

Earth Longzhi is a newly identified APT41 subgroup that ran two campaigns (2020–2022) across the Asia-Pacific region against government, infrastructure, healthcare, and defense targets. Initial access came through spear-phishing; the group rotated through a set of custom Cobalt Strike loaders and reused post-exploitation tooling, including kernel-level tampering with security products via the vulnerable RTCore64.sys driver. #EarthLongzhi #CroxLoader #SymaticLoader #BigpipeLoader #OutLoader #APT41 #GroupCC #EarthBaku #CobaltStrike #RTCore64

Keypoints

  • Earth Longzhi is identified as a new subgroup within APT41, active from 2020 to 2022 with campaigns in Taiwan, China, and other Asia-Pacific regions.
  • The activity falls into two campaigns: 2020–2021 focused on Taiwan (government, healthcare, infrastructure) using the Symatic loader; 2021–2022 expanded to Taiwan, China, and several other countries using CroxLoader, BigpipeLoader, OutLoader, and other tools.
  • Attack vector centers on spear-phishing emails, often delivering via password-protected archives or links hosted on Google Drive.
  • Symatic loader employs in-memory defense evasion (anti-hooking), process injection, and parent-process masquerading to load Cobalt Strike payloads.
  • Earth Longzhi develops all-in-one hacking tool packages and multiple customized Cobalt Strike loaders (CroxLoader, BigpipeLoader, OutLoader, MultiPipeLoader) with distinct decryption/loader techniques.
  • Post-exploitation tools include reimplemented Mimikatz modules (Bring-Your-Own Mimikatz) and kernel-level tools (ProcBurner, AVBurner) that leverage RTCore64.sys to disable security measures.
  • Attribution links Earth Longzhi to APT41 through shared Cobalt Strike metadata (watermark 426352781 and public key 9ee3e0425ade426af0cb07094aa29ebc) and overlaps with GroupCC and Earth Baku.

MITRE Techniques

  • [T1566.001 / T1566.002] Spearphishing Attachment / Spearphishing Link – the quoted passage covers both an archive attached to the mail and a link to one: “Both campaigns used spear-phishing emails as the primary entry vector to deliver Earth Longzhi’s malware. The attacker embeds the malware in a password-protected archive or shares a link to download malware, luring the victim with information about a person. Upon opening the link, the victim is redirected to a Google Drive hosting a password-protected archive with a Cobalt Strike loader we call CroxLoader.”
  • [T1190] Exploit Public-Facing Application – server-side exploitation of exposed applications, not client-side execution: “In some cases, we also found that the group exploited publicly available applications to deploy and execute a simple downloader to download a shellcode loader and the necessary hack tools for the routine.”
  • [T1055] Process Injection – “After restoring the ntdll, Symatic will spawn a new process for process injection. It is worth noting that it will masquerade the parent process of the newly created process to obfuscate the process chain.”
  • [T1134.004] Access Token Manipulation: Parent PID Spoofing – “Masquerading the parent process by API UpdateProcThreadAttribute” (PROC_THREAD_ATTRIBUTE_PARENT_PROCESS; process-creation telemetry such as Sysmon Event ID 1 records the spoofed parent, so the visible process tree cannot be trusted on its own)
  • [T1027] Obfuscated Files and Information – “The decryption algorithms include XOR 0xCC + SUB 0xA and RtlDecompressBuffer + XOR 0xCC”
  • [T1105] Ingress Tool Transfer – “OutLoader downloads payload from an external server”
  • [T1003.001] OS Credential Dumping: LSASS Memory – “custom standalone Mimikatz … to dump credentials from lsass.exe”
  • [T1003.006] OS Credential Dumping: DCSync – “lsadump::dcsync To perform a DCSync attack”
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – “dpapi::chrome To combine two different modules to retrieve a backup key from domain controller (DC) and use the key to decrypt chrome’s credential data protected by DPAPI”

Indicators of Compromise

  • [File] SymaticLoader – used to load Cobalt Strike payloads; example context: “Symatic is the primary loader used to load the Cobalt Strike payload in the first campaign.”
  • [File] CroxLoader – custom loader with XOR/SUB and decompression; examples: “XOR 0xCC + SUB 0xA” and “RtlDecompressBuffer + XOR 0xCC.”
  • [File] BigpipeLoader – loader using AES128-CFB with multi-thread decryption; example: “Base64 + RSA + AES128-CFB” and “Multi-threading decryption over named pipe.”
  • [File] OutLoader – loader that downloads payload from an external server; example: “Downloads payload from an external server.”
  • [File] MultiPipeLoader – loader with multi-threading decryption; example: “Multi-threading decryption over named pipe.”
  • [File] Mimikatz (custom standalone) – reimplemented modules to dump credentials; example: “sekurlsa::logonpasswords … to dump credentials from lsass.exe.”
  • [File] RTCore64.sys – the MSI Afterburner driver carrying the CVE-2019-16098 arbitrary kernel read/write flaw, loaded by ProcBurner/AVBurner to disable protections (bring-your-own-vulnerable-driver); example: “CVE-2019-16098” in figure caption and text about the driver. The driver is legitimately signed and ships with real software, so a driver-load event is a lead to correlate (unexpected path, no Afterburner installed, proximity to security-tool failures), not proof by itself.
  • [File] WTSAPI32.dll side-loaded by wusa.exe; dllhost.exe – DLL side-loading: the dropper writes a malicious WTSAPI32.dll next to a copy of the legitimate Windows binary wusa.exe, which then loads it; dllhost.exe is listed in the same hosting role. Example: “…dropper, which drops the malicious WTSAPI32.dll designed to be sideloaded by a legitimate application with the file name ‘wusa.exe’.” The executable names themselves are benign system binaries; the indicator is wusa.exe or dllhost.exe running from outside System32 with a WTSAPI32.dll in the same directory.
  • [Process] lsass.exe – target of credential dumping in the DPAPI/DCSync sections; example: “dump credentials from lsass.exe.” A legitimate system process; hunt for handle opens to it with memory-read access from unusual source processes (Sysmon Event ID 10), not for the process itself.
  • [Domain/URL] drive.google.com – Google Drive hosting of the password-protected archives (implicit domain in article); example: “redirected to a Google Drive hosting a password-protected archive.” A legitimate service that cannot be blocked outright; useful for proxy-log hunting of archive downloads that follow an email link.
  • [IOC] Watermark 426352781 – shared Cobalt Strike metadata; example: “most payloads shared the same watermark, 426352781.”
  • [IOC] Public key 9ee3e0425ade426af0cb07094aa29ebc – shared among subgroups; example: “public key 9ee3e0425ade426af0cb07094aa29ebc.”
  • [CVE] CVE-2019-16098 – vulnerable driver used by AVBurner/ProcBurner; example: figure caption and text referencing CVE-2019-16098.
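The two CroxLoader decoding schemes named under T1027 above and in the CroxLoader indicator (“XOR 0xCC + SUB 0xA” and “RtlDecompressBuffer + XOR 0xCC”) are simple enough to re-implement so that a dumped loader blob can be unpacked off-Windows. The following is an added example written for this digest; it is not code from the Trend Micro write-up or from the actors’ loaders. It assumes the operations run in the order listed (XOR then SUB; decompress then XOR) and that RtlDecompressBuffer is called with COMPRESSION_FORMAT_LZNT1, its usual format, so a small pure-Python LZNT1 decompressor is included. The sample blobs, the stage bytes and the encode_* helpers are constructed here to produce test input.

```python
# Added worked example for this digest (not code from the Trend Micro write-up or
# from the actors' loaders). It re-implements the two CroxLoader payload-decoding
# schemes the article names, "XOR 0xCC + SUB 0xA" and "RtlDecompressBuffer + XOR
# 0xCC", so an analyst can recover the embedded stage from a dumped blob without
# Windows. Assumptions not stated on the page: operations run in the listed order
# (XOR then SUB; decompress then XOR) and RtlDecompressBuffer uses
# COMPRESSION_FORMAT_LZNT1, its usual format. All sample blobs are constructed.
import struct

XOR_KEY = 0xCC
SUB_KEY = 0x0A
LZNT1_CHUNK = 4096            # uncompressed bytes per LZNT1 chunk


def decode_xor_sub(blob: bytes) -> bytes:
    """Scheme 1: XOR each byte with 0xCC, then subtract 0x0A (mod 256)."""
    return bytes(((b ^ XOR_KEY) - SUB_KEY) & 0xFF for b in blob)


def encode_xor_sub(payload: bytes) -> bytes:
    """Inverse of decode_xor_sub; used only to build sample input."""
    return bytes(((b + SUB_KEY) & 0xFF) ^ XOR_KEY for b in payload)


def lznt1_decompress(data: bytes) -> bytes:
    """Pure-Python equivalent of RtlDecompressBuffer(COMPRESSION_FORMAT_LZNT1).

    The stream is a sequence of chunks. Each starts with a 16-bit LE header:
    bits 0-11 = (chunk size incl. header) - 3, bits 12-14 = signature 011b,
    bit 15 = compressed. Compressed data is groups of one flag byte plus eight
    tokens: flag bit clear -> literal byte, set -> 16-bit LE back-reference.
    """
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0:                        # zero header ends the stream
            break
        size = (header & 0x0FFF) + 1           # data bytes following the header
        chunk = data[pos:pos + size]
        pos += size
        if not header & 0x8000:                # stored chunk, copy verbatim
            out += chunk
            continue
        chunk_start = len(out)
        i = 0
        while i < len(chunk):
            flags = chunk[i]
            i += 1
            for bit in range(8):
                if i >= len(chunk):
                    break
                if not (flags >> bit) & 1:
                    out.append(chunk[i])
                    i += 1
                    continue
                token = struct.unpack_from("<H", chunk, i)[0]
                i += 2
                # The split of the token into length/displacement bits depends
                # on how many bytes of this chunk have been produced so far.
                p = len(out) - chunk_start - 1
                length_mask, disp_shift = 0x0FFF, 12
                while p >= 0x10:
                    length_mask >>= 1
                    disp_shift -= 1
                    p >>= 1
                length = (token & length_mask) + 3
                disp = (token >> disp_shift) + 1
                for _ in range(length):        # byte-wise so overlaps work
                    out.append(out[-disp])
    return bytes(out)


def lznt1_store(payload: bytes) -> bytes:
    """Valid LZNT1 stream made only of stored chunks; used to build sample input."""
    stream = bytearray()
    for offset in range(0, len(payload), LZNT1_CHUNK):
        chunk = payload[offset:offset + LZNT1_CHUNK]
        stream += struct.pack("<H", (len(chunk) + 2 - 3) | 0x3000) + chunk
    return bytes(stream)


def decode_decompress_xor(blob: bytes) -> bytes:
    """Scheme 2: LZNT1-decompress, then XOR every byte with 0xCC."""
    return bytes(b ^ XOR_KEY for b in lznt1_decompress(blob))


def encode_decompress_xor(payload: bytes) -> bytes:
    """Inverse of scheme 2 (stored chunks only); used to build sample input."""
    return lznt1_store(bytes(b ^ XOR_KEY for b in payload))


# Hand-built compressed chunk: literals "ABC", then one back-reference token
# 0x2006 = displacement 3, length 9 -> "ABCABCABCABC". Exercises the token path.
SAMPLE_COMPRESSED_CHUNK = bytes.fromhex("05b0 08 414243 0620")
# Same chunk with the literals pre-XORed with 0xCC, i.e. a scheme-2 blob.
SAMPLE_SCHEME2_BLOB = bytes.fromhex("05b0 08 8d8e8f 0620")
SAMPLE_STAGE = b"constructed sample stage, not real shellcode"

if __name__ == "__main__":
    print(decode_xor_sub(encode_xor_sub(SAMPLE_STAGE)))
    print(lznt1_decompress(SAMPLE_COMPRESSED_CHUNK))
    print(decode_decompress_xor(SAMPLE_SCHEME2_BLOB))
    print(decode_decompress_xor(encode_decompress_xor(SAMPLE_STAGE)))
```

If a real blob does not decode to a recognisable stage (for Cobalt Strike, typically a byte sequence that disassembles as position-independent x86/x64 code), swap the operation order in decode_decompress_xor (XOR first, then decompress) before concluding the loader uses a different key; the page gives the operations but not their order.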

Read more: https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html