Earth Longzhi: Another Subgroup of APT41
Category: Threat Actor Activity | Industries: Academic, Aviation, Defense, Government, Healthcare, Infrastructure, Insurance | Level: Tactical | Source: Trend Micro
Security researchers from Trend Micro have identified a new subgroup of the Chinese state-sponsored espionage group APT41, tracked as 'Earth Longzhi.' The attribution rests on multiple campaigns that used specific Cobalt Strike loaders. "After checking all the metadata of the Cobalt Strike payloads, we found most payloads shared the same watermark, 426352781, and public key 9ee3e0425ade426af0cb07094aa29ebc. This watermark and public key combination is also used by Earth Baku and GroupCC, which are also believed to be subgroups of APT41."

Earth Longzhi appears to have been active since 2020, and its campaigns have primarily targeted entities in East and Southeast Asia. Targeted sectors include academia, aviation, defense, government, healthcare, infrastructure, and insurance.

For initial access, Earth Longzhi exploited public-facing applications for remote code execution (RCE) and distributed phishing emails containing malicious archive files or links. Post-exploitation activity typically consists of installing loaders that set up the environment for the deployment of Cobalt Strike and other custom hacking tools. Earth Longzhi operatives prefer to develop their own tools from open-source projects. Trend Micro has observed several programs developed by the attackers: "we collected multiple hacking tools used for privilege escalation (PrintNightmare and PrintSpoofer), credential dumping (custom standalone Mimikatz), and defense evasion (disablement of security products)."
Anvilogic Use Cases:
- Potential DCSync
- Mimikatz Execution
- Additional dll added to Spool Driver
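The "Additional dll added to Spool Driver" use case above targets the PrintNightmare privilege-escalation tooling named in the report, in which the print spooler writes an attacker-supplied DLL into its driver directory. The following is an added example (not Anvilogic's or Trend Micro's detection logic) that runs that check over constructed Sysmon Event ID 11 (FileCreate) records; the log format, file names and paths are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed Sysmon Event ID 11 (FileCreate) records, flattened to one
# "key=value" line each for this example; they are not telemetry from the report.
SAMPLE_EVENTS = [
    r"EventID=11 Image=C:\Windows\System32\spoolsv.exe TargetFilename=C:\Windows\System32\spool\drivers\x64\3\New\newdriver.dll",
    r"EventID=11 Image=C:\Windows\System32\spoolsv.exe TargetFilename=C:\Windows\System32\spool\drivers\x64\3\newdriver.dll",
    r"EventID=11 Image=C:\Windows\System32\spoolsv.exe TargetFilename=C:\Windows\System32\spool\PRINTERS\00012.SPL",
    r"EventID=11 Image=C:\Program Files\Microsoft Office\WINWORD.EXE TargetFilename=C:\Users\alice\AppData\Local\Temp\~WRD0001.tmp",
    r"EventID=1 Image=C:\Windows\System32\spoolsv.exe CommandLine=spoolsv.exe",
]

# Splits "Key=value Key2=value with spaces" lines; a value runs until the next " Key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

# Any DLL written anywhere below the spool driver directory, regardless of
# architecture folder (x64, W32X86, ...) or the "3\New" staging subfolder.
SPOOL_DRIVER_DLL = re.compile(
    r"\\spool\\drivers\\(?P<sub>.+\\)?(?P<name>[^\\]+\.dll)$", re.IGNORECASE
)


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened event line into a field dictionary."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def detect_spool_driver_dlls(lines: List[str]) -> List[Dict[str, object]]:
    """Return one alert per FileCreate event that drops a DLL under spool\\drivers."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "11":
            continue
        target = event.get("TargetFilename", "")
        match = SPOOL_DRIVER_DLL.search(target)
        if not match:
            continue
        subdir = match.group("sub") or ""
        alerts.append({
            "file": target,
            "image": event.get("Image", ""),          # writer; spoolsv.exe itself in PrintNightmare
            "arch": subdir.split("\\")[0],            # e.g. "x64"
            "staging": bool(re.search(r"\\3\\new\\", target, re.IGNORECASE)),
            "dll": match.group("name"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_spool_driver_dlls(SAMPLE_EVENTS):
        print(alert)
```

Legitimate driver installs also write here, so the alert carries the writing process, architecture folder and staging flag for triage rather than asserting malice on its own.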