Earth Longzhi, a subgroup of APT41, has resurfaced with new techniques targeting Taiwan, Thailand, the Philippines, and Fiji, including DLL sideloading and BYOVD driver abuse to disable defenses. The campaign also introduces stack rumbling via IFEO, RPC-based service creation, and a web-shell chain using Behinder to facilitate intrusion and lateral movement.
#EarthLongzhi #APT41
Keypoints
- Earth Longzhi (an APT41 subgroup) has reemerged with updated tactics after months of dormancy.
- Targets now include organizations in Taiwan, Thailand, the Philippines, and Fiji, with Vietnam and Indonesia flagged as potential next targets.
- DLL sideloading is used via legitimate Windows Defender binaries (MpDlpCmd.exe, MpCmdRun.exe) disguised as MpClient.dll, introducing Croxloader and SPHijacker.
- SPHijacker disables security products through a vulnerable driver (zamguard64.sys) and a novel stack rumbling DoS technique via IFEO.
- Malware uses RPC to create kernel-level services, evading typical API monitoring and enabling stealthy execution.
- Attack vectors include exploiting IIS/Exchange to deploy the Behinder web shell for intranet discovery and tool deployment.
- Privilege escalation leverages a new tool (dwm.exe) to bypass UAC and schedule a high-privilege task via IElevatedFactoryServer.
MITRE Techniques
- [T1574.002] Hijack Execution Flow: DLL Side-Loading - The malware was launched through legitimate Windows Defender binaries, disguised as a DLL, MpClient.dll, that Defender's binaries load. Quoted: "The malware was disguised as a legitimate DLL, MpClient.dll and was loaded by Microsoft Defender's binaries."
- [T1569.002] System Services: Service Execution - The sample decrypts and drops mmmm.sys, registers it as a service, and "starts the service through RPC … to set up the service."
- [T1546.012] Event Triggered Execution: Image File Execution Options Injection - Stack rumbling via IFEO: the MinimumStackCommitInBytes value is set to a large number so that the targeted process overflows its stack, a DoS against the targeted processes.
- [T1053.005] Scheduled Task - IElevatedFactoryServer is used to bypass UAC and register the payload as a scheduled task with the highest privilege.
- [T1548.002] Bypass User Account Control - The workflow bypasses UAC via a COM/IElevatedFactoryServer approach to elevate and persist.
- [T1068] Exploitation for Privilege Escalation - SPHijacker terminates security products using the vulnerable zamguard64.sys driver (CVE-2018-5713) to escalate privileges.
- [T1140] Deobfuscate/Decode Files or Information - Croxloader decrypts its payload; the new variant uses a modified decryption algorithm ((ADD 0x70) XOR 0xDD).
- [T1003.001] OS Credential Dumping: LSASS Memory - The MITRE mapping lists credential dumping as a tactic, indicating potential LSASS memory access in related activity.
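As an added example for the IFEO stack rumbling item above (not code from the report or from the analysts who published it), this PowerShell audit enumerates Image File Execution Options subkeys on a host and reports any image that carries a MinimumStackCommitInBytes value; the 0x10000000 cut-off and the function name are assumptions chosen for this example.

```powershell
# Added example, not from the original report: audit IFEO entries for the
# MinimumStackCommitInBytes value abused by the "stack rumbling" DoS technique.
# Assumption: legitimate use of this value is rare, so every hit is reported,
# and anything at or above $Threshold (a constructed cut-off) is marked suspicious.
param(
    [uint64]$Threshold = 0x10000000
)

$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoStackCommitFindings {
    param([string[]]$Paths, [uint64]$Threshold)
    $findings = @()
    foreach ($path in $Paths) {
        # Each direct subkey is named after the image (e.g. someprocess.exe) it applies to.
        foreach ($key in Get-ChildItem -Path $path -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            if ($null -eq $props) { continue }
            $prop = $props.PSObject.Properties['MinimumStackCommitInBytes']
            if ($null -eq $prop) { continue }
            # REG_DWORD is surfaced as a signed Int32, so values >= 0x80000000 read
            # as negative; mask back to the unsigned 32-bit value before comparing.
            $bytes = [uint64]([int64]$prop.Value -band 0xFFFFFFFF)
            $findings += [pscustomobject]@{
                ImageName   = $key.PSChildName
                KeyPath     = $key.Name
                StackCommit = ('0x{0:X}' -f $bytes)
                Suspicious  = ($bytes -ge $Threshold)
            }
        }
    }
    return $findings
}

$results = Get-IfeoStackCommitFindings -Paths $ifeoPaths -Threshold $Threshold
if ($results.Count -eq 0) {
    Write-Output 'No MinimumStackCommitInBytes values found under IFEO.'
} else {
    # Suspicious entries first; review the owning image and remove the value once confirmed.
    $results | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
}
```

Run it from an elevated prompt so both the native and WOW6432Node hives are readable; a hit on a security product's image name is the pattern the report describes.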
Indicators of Compromise
- [SHA256] 7910478d53ab5721208647709ef81f503ce123375914cd504b9524577057f0ec - Detections: Rootkit.Win64.SPHIJACKER.ZYKB
- [SHA256] ebf461be88903ffc19363434944ad31e36ef900b644efa31cde84ff99f3d6aed - Detections: Trojan.Win64.CROXLOADER.ZYJL
- [Domain/IP] 194.31.53[.]128 - Description: C&C and appears as a download site
- [Domain/IP] 198.13.47[.]158 - Description: C&C and appears as a download site