New Threat Group “Earth Longzhi” Targeting Global Government, Infrastructure, Aviation, Health, and Finance Orgs

Trend Micro researchers reported two campaigns they attribute to a new threat group Earth Longzhi, which they assess is a subgroup of APT41.
Earth Longzhi

On November 9, 2022, Trend Micro researchers reported two campaigns they attribute to a new threat group Earth Longzhi, which they assess is a subgroup of APT41.

Context

Trend Micro researchers based the assessed connection between the groups on shared targets, shared Cobalt Strike metadata, code similarities, and shared tactics, techniques, and procedures (TTPs).

Impact Analysis

Trend Micro analysts identified two potential circumstances implied by the similarities between the groups:

  • These threat actors are no longer static groups. Although the organizational structure will keep changing from time to time, the tools will be inherited by the subsequent newly organized groups.
  • The tool developers and campaign operators share the tools with their collaborator groups.

In addition to these circumstances, it should also be noted that many TTPs and code spread throughout the threat landscape in additional ways, including leaks that are then coopted by other actors and the selling of tools as a service by threat groups or rogue developers.

Technical Details

According to Trend Micro, there were two campaigns:

  1. May 2020 – Feb 2021, in which Earth Longzhi targeted government, healthcare, academic, and infrastructure industries in Taiwan with a custom Cobalt Strike loader and custom hacking tools.
  2. Aug 2021 – June 2022, in which the group targeted organizations in defense, aviation, development, and finance across multiple geographic regions with multiple customized Cobalt Strike loaders.

IOCs

Trend Micro researchers provided the following IOCs:

Indicator Type Notes
47[.]108[.]173[.]88 IP Address
139[.]180[.]138[.]226 IP Address
www[.]affice366[.]com URL
www[.]vietsovspeedtest[.]com URL
c[.]ymvh8w5[.]xyz URL
b6d2f4d9edd7b08c9841cca69c5cb6b312fa9ad1c19a447a26e915e1fd736e09 SHA256 CroxLoader
b6d2f4d9edd7b08c9841cca69c5cb6b312fa9ad1c19a447a26e915e1fd736e09 SHA256 AllInOne
8478718e0bad7fde34f623794e966f662aaf2d7a21d365b45db80b2a0349ed8a SHA256 AVBurner and PrintSpoofer
4b1b1a1293ccd2c0fd51075de9376ebb55ab64972da785153fcb0a4eb523a5eb SHA256 ProcBurner
c80289a1f293dceb71230cf0dbd0a45b9444519b1367a5ba04e990ea6acf6503 SHA256 ProcBurner
30b64628aae642380147c7671ea8f864b13c2d2affaaea34c4c9512c8a779225 SHA256 BigpipeLoader
03795a683bf3eb9ed7673522fe7eac45949a824da8043236cd504fd8106e3593 SHA256 BigpipeLoader
3ba81d78f3b764dc6e369f24196c41b4cba0764414ad85d42dae5a5f79e871e1 SHA256 BigpipeLoader
41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8 SHA256 BigpipeLoader
8e2aac4e7776f66da785171baeee473e41cb88c60e535b80980d55ac7f873c5c SHA256 BigpipeLoader
a0bde01e83ccc42c0729b813108dd3da96a9bc175b3ad53807387bbf84d58112 SHA256 BigpipeLoader
bd959353bc6c05b085fc37589ea2ccd2c91aaf05ec7cf1a487f5de7fa0abc962 SHA256 OutLoader
25bfa492e295599fe30d9477ac72a4848c1ee2b71ff92ef7dcca90587c8d0945 SHA256 OutLoader
eb8d11b63d20e3d1e164f0f25822d54a58742faa8d10ba120740e612607b5f6 SHA256 SymaticLoader
947fdef565d889d3d919d8d81014d718f2d22ef3ed0049c98960f7330f51f41f SHA256 SymaticLoader
969ac3517ae9c472e436c547a6721f426a675ad8dece53c3f8e79ba44aa884eb SHA256 SymaticLoader
3de17542ca2ffefc9572cd2707a664999f157a0fed02ac4abdae5f805f6a77ac SHA256 SymaticLoader
86598469671d83cd5525a89e2d1ae83f1f9529420c3325a746d84acffeb876ec SHA256 SymaticLoader
1903cd46184aa2b70c74e2bdd47b7bedd2ae7175295d6c1dab904204dedbabca SHA256 SymaticLoader
5eb94c62e75a8a11b1220f3f716f90bee69010ce4ad61c463be6e66dcaf29379 SHA256 SymaticLoader
883064cdeeddd5ccbfa74dacc1d8a8b5a0d2c9794c59acef186dd7105594fdcc SHA256 SymaticLoader
8d3216c2fdbec7fc7a9af4e2d142e021d37037a187739d5aab2fa0351e8f4ec7 SHA256 BigpipeLoader
31d71e04ca898cbdb45ffea1c4f45a953e0833964ad2d14c014616acb1666996 SHA256 BigpipeLoader
4a438626ac962db91cde46ee2c04c850b46262599bc535b4a08209661d5fb44d SHA256 BigpipeLoader
4bc4d2ad9b608c8564eb5da5d764644cbb088c2f1cb61427d11f7b2ce4733add SHA256 BigpipeLoader
76998c3cef50132d7eb091555b034b03a351bd8639c1c5dc05cf1ea6c19331d9 SHA256 BigpipeLoader
f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08 SHA256 BigpipeLoader
90a1e3ff729b7b91ca82e7981d2c65bf6c4b8fb2204bf9394d2072d9caa70126 SHA257 Multipiploader

More Recent Blog Posts