Hack The Real Box: an analysis of multiple campaigns by APT41's subgroup Earth Longzhi
The activity of APT41, since the prosecution by United States in 2020, is getting more complex, not only in the perspective of its TTPs but also attribution. In 2021, multiple security vendors disclosed new campaigns by several subgroups of APT41, such as Earth Baku, Sparkling Goblin, Blackfly, Amoeba and GroupCC, which is getting more confusing. Unfortunately, we will add one more subgroup into this hall of (in)fame, which we dubbed as “Earth Longzhi”.
Earth Longzhi has several overlaps with existing APT41’s subgroups based on the code reuse and TTPs, but their long-running activities have not been fully revealed yet. As we observed, Earth Longzhi has been active since at least early 2020, and continues to change its targets and TTPs from time to time. Through analysis of their activities, we identified two major campaigns from 2020 to 2022.
In the early campaign through 2020~2021, Earth Longzhi was targeting mainly Taiwan by using custom Cobalt Strike loader, we dubbed as SymaticLoader, and custom hacking tools. In the recent campaign in 2021~2022, they targeted mainly high profile victims in multiple regions, including Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan and Ukraine, by using various types of custom Cobalt Strike loaders, which we dubbed as CroxLoader and BigpipeLoader, and also custom hacking tools. In particular, they have been actively developing the custom hacking tools, including AV disabling tool abusing vulnerable driver which we dubbed as ProcBurner/AVBurner and custom standalone mimikatz modules (we call this technique as Bring Your Own Mimikatz). The common thing in both campaigns is the heavy use of Red Teaming approach, which has already been observed among another APT41 related groups.
In this presentation, through the technical details of the two campaigns by Earth Longzhi, we will reveal how they has been campaign their TTPs to bypass detections. And adding to that, we will describe the detail process of “how we attribute”. We believe that sharing the attribution process, not only technical details of malwares, will help other security researchers in future.
Hiroaki Hara
Hiroaki Hara is a Threat Researcher at Trend Micro, where he focuses on threat intelligence research in Asia-Pacific region. He specializes in threat hunting, incident response, malware analysis and targeted attack research. He spends most of time to work out funny name for newly found malwares. He has previously presented at JSAC 2021/2022.
Ted Lee
Ted Lee is a threat intelligence researcher in TrendMicro and mainly focus on tracking APAC-based APT (Advanced Persistence Threat) attacks and malware analysis. He also works as a malware/intelligence analyst to support IR (Incident Response) case analysis in Taiwan. Prior to being APT threat researcher, he had experience in solution development on XDR platform as well.