Asian countries targeted by the Earth Longzhi APT group

November 28, 2022
Tags: Asia, Ukraine, Earth Longzhi, APT, Hacker Group

A newly identified advanced persistent threat (APT) group, Earth Longzhi, has targeted numerous organisations, mainly in Asia and Ukraine, using custom Cobalt Strike loaders. Researchers classify the actors as a subgroup of APT41, a nation-backed hacking group.

Based on reports, Earth Longzhi ran two campaigns: the first from May 2020 to February 2021, and the second from August 2021 to June 2022.

The first campaign targeted government, academic, healthcare and infrastructure organisations in Taiwan, as well as banks in China. The second set of attacks targeted the defence, aviation, insurance and urban development sectors in Taiwan, Thailand, China, Indonesia, Pakistan, Malaysia and Ukraine.

The Earth Longzhi APT has relied heavily on spear-phishing emails.

According to the investigations, Earth Longzhi used spear-phishing emails as its primary delivery vector for the malware, combined with social engineering to persuade recipients to open the attachments or links.

The emails carried either archive attachments or links that led victims to malicious archive files hosted on Google Drive; the archives contained the group's malware loaders.
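As an added example (not code from the article or from any vendor report), the following Python script performs the kind of triage a mail gateway or analyst would apply to the delivery chain described above: it extracts Google Drive links from a message body and inspects archive members for executable content, checking the PE "MZ" signature rather than trusting the file name, and noting double extensions such as .pdf.exe. The message body and the archive are constructed inline as sample data; no real campaign artefacts are used.

```python
"""Triage a spear-phishing archive and message body.

Added example with constructed sample data. Flags archive members that start
with the PE "MZ" signature regardless of extension, members whose name uses a
document extension followed by an executable one, and any Google Drive links in
the message body. Encrypted members are reported as uninspectable rather than
silently skipped, since a password-protected archive defeats content checks.
"""
import io
import re
import zipfile

EXEC_EXTS = {".exe", ".dll", ".scr", ".lnk", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
DRIVE_RE = re.compile(r"https?://(?:drive|docs)\.google\.com/[^\s\"'<>]+")


def find_drive_links(body: str) -> list:
    """Return Google Drive / Docs URLs found in a message body."""
    return DRIVE_RE.findall(body)


def scan_archive(data: bytes) -> list:
    """Inspect every member of a ZIP archive and return a list of findings.

    Each finding is {"name": <member name>, "reasons": [<why it was flagged>]}.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            base = info.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXEC_EXTS:
                reasons.append("executable extension")
            if len(parts) > 2 and "." + parts[-2] in DOC_EXTS and ext in EXEC_EXTS:
                reasons.append("double extension masquerading as a document")
            if info.flag_bits & 0x1:
                # Bit 0 of the general-purpose flags marks an encrypted entry.
                reasons.append("encrypted member: content not inspected")
            else:
                with zf.open(info) as fh:
                    head = fh.read(2)  # only the header is needed for the check
                if head == b"MZ":
                    reasons.append("PE header (MZ) regardless of name")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a fake PE with a double extension, a PE with a
    harmless-looking name, and a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2022.pdf.exe", b"MZ" + b"\x90" * 62 + b"PE\x00\x00")
        zf.writestr("loader.dat", b"MZ" + b"\x00" * 30)
        zf.writestr("readme.txt", b"Please review the attached invoice.\n")
    return buf.getvalue()


# Constructed sample message body (hypothetical link, not a real file ID).
SAMPLE_BODY = (
    "Dear colleague, the updated documents are at "
    "https://drive.google.com/file/d/EXAMPLEID/view?usp=sharing - regards"
)


def triage(body: str, archive: bytes) -> dict:
    """Combine both checks into a single verdict for a message."""
    links = find_drive_links(body)
    findings = scan_archive(archive)
    return {
        "drive_links": links,
        "archive_findings": findings,
        "suspicious": bool(findings) or bool(links),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_BODY, build_sample_archive())
    for f in result["archive_findings"]:
        print(f["name"], "->", "; ".join(f["reasons"]))
    print("Drive links:", result["drive_links"])
    print("Suspicious:", result["suspicious"])
```

The MZ check is the one that matters in practice: a loader renamed to .dat or .txt passes any extension filter but still carries the PE header, while a double extension is only useful as a secondary indicator of social-engineering intent.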

Researchers further explained that Earth Longzhi drops a custom Cobalt Strike loader called Symatic. This modified loader includes detection-evasion capabilities and is delivered together with a customised hacking toolkit.

The group also uses an all-in-one hacking tool that bundles publicly available tools and loaders into a single package; this one executable lets the operators carry out numerous post-compromise tasks.

During the second campaign, the group used several custom Cobalt Strike loaders, such as OutLoader, CroxLoader and BigpipeLoader, together with tooling for privilege escalation, credential dumping and bypassing security products.

Earth Longzhi therefore has the potential to become a significant threat to organisations in its target regions. Experts expect that the tools used by these actors will also be adopted by other APT41 subgroups, widening the impact of attacks against the affected regions.
