On November 9, 2022, Trend Micro researchers reported two campaigns they attribute to a new threat group Earth Longzhi, which they assess is a subgroup of APT41.
Context
Trend Micro researchers based the assessed connection between the groups on shared targets, shared Cobalt Strike metadata, code similarities, and shared tactics, techniques, and procedures (TTPs).
Impact Analysis
Trend Micro analysts identified two potential circumstances implied by the similarities between the groups:
- These threat actors are no longer static groups. Although the organizational structure will keep changing from time to time, the tools will be inherited by the subsequent newly organized groups.
- The tool developers and campaign operators share the tools with their collaborator groups.
In addition to these circumstances, it should also be noted that many TTPs and code spread throughout the threat landscape in additional ways, including leaks that are then coopted by other actors and the selling of tools as a service by threat groups or rogue developers.
Technical Details
According to Trend Micro, there were two campaigns:
- May 2020 – Feb 2021, in which Earth Longzhi targeted government, healthcare, academic, and infrastructure industries in Taiwan with a custom Cobalt Strike loader and custom hacking tools.
- Aug 2021 – June 2022, in which the group targeted organizations in defense, aviation, development, and finance across multiple geographic regions with multiple customized Cobalt Strike loaders.
IOCs
Trend Micro researchers provided the following IOCs:
| Indicator | Type | Notes |
| 47[.]108[.]173[.]88 | IP Address | |
| 139[.]180[.]138[.]226 | IP Address | |
| www[.]affice366[.]com | URL | |
| www[.]vietsovspeedtest[.]com | URL | |
| c[.]ymvh8w5[.]xyz | URL | |
| b6d2f4d9edd7b08c9841cca69c5cb6b312fa9ad1c19a447a26e915e1fd736e09 | SHA256 | CroxLoader |
| b6d2f4d9edd7b08c9841cca69c5cb6b312fa9ad1c19a447a26e915e1fd736e09 | SHA256 | AllInOne |
| 8478718e0bad7fde34f623794e966f662aaf2d7a21d365b45db80b2a0349ed8a | SHA256 | AVBurner and PrintSpoofer |
| 4b1b1a1293ccd2c0fd51075de9376ebb55ab64972da785153fcb0a4eb523a5eb | SHA256 | ProcBurner |
| c80289a1f293dceb71230cf0dbd0a45b9444519b1367a5ba04e990ea6acf6503 | SHA256 | ProcBurner |
| 30b64628aae642380147c7671ea8f864b13c2d2affaaea34c4c9512c8a779225 | SHA256 | BigpipeLoader |
| 03795a683bf3eb9ed7673522fe7eac45949a824da8043236cd504fd8106e3593 | SHA256 | BigpipeLoader |
| 3ba81d78f3b764dc6e369f24196c41b4cba0764414ad85d42dae5a5f79e871e1 | SHA256 | BigpipeLoader |
| 41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8 | SHA256 | BigpipeLoader |
| 8e2aac4e7776f66da785171baeee473e41cb88c60e535b80980d55ac7f873c5c | SHA256 | BigpipeLoader |
| a0bde01e83ccc42c0729b813108dd3da96a9bc175b3ad53807387bbf84d58112 | SHA256 | BigpipeLoader |
| bd959353bc6c05b085fc37589ea2ccd2c91aaf05ec7cf1a487f5de7fa0abc962 | SHA256 | OutLoader |
| 25bfa492e295599fe30d9477ac72a4848c1ee2b71ff92ef7dcca90587c8d0945 | SHA256 | OutLoader |
| eb8d11b63d20e3d1e164f0f25822d54a58742faa8d10ba120740e612607b5f6 | SHA256 | SymaticLoader |
| 947fdef565d889d3d919d8d81014d718f2d22ef3ed0049c98960f7330f51f41f | SHA256 | SymaticLoader |
| 969ac3517ae9c472e436c547a6721f426a675ad8dece53c3f8e79ba44aa884eb | SHA256 | SymaticLoader |
| 3de17542ca2ffefc9572cd2707a664999f157a0fed02ac4abdae5f805f6a77ac | SHA256 | SymaticLoader |
| 86598469671d83cd5525a89e2d1ae83f1f9529420c3325a746d84acffeb876ec | SHA256 | SymaticLoader |
| 1903cd46184aa2b70c74e2bdd47b7bedd2ae7175295d6c1dab904204dedbabca | SHA256 | SymaticLoader |
| 5eb94c62e75a8a11b1220f3f716f90bee69010ce4ad61c463be6e66dcaf29379 | SHA256 | SymaticLoader |
| 883064cdeeddd5ccbfa74dacc1d8a8b5a0d2c9794c59acef186dd7105594fdcc | SHA256 | SymaticLoader |
| 8d3216c2fdbec7fc7a9af4e2d142e021d37037a187739d5aab2fa0351e8f4ec7 | SHA256 | BigpipeLoader |
| 31d71e04ca898cbdb45ffea1c4f45a953e0833964ad2d14c014616acb1666996 | SHA256 | BigpipeLoader |
| 4a438626ac962db91cde46ee2c04c850b46262599bc535b4a08209661d5fb44d | SHA256 | BigpipeLoader |
| 4bc4d2ad9b608c8564eb5da5d764644cbb088c2f1cb61427d11f7b2ce4733add | SHA256 | BigpipeLoader |
| 76998c3cef50132d7eb091555b034b03a351bd8639c1c5dc05cf1ea6c19331d9 | SHA256 | BigpipeLoader |
| f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08 | SHA256 | BigpipeLoader |
| 90a1e3ff729b7b91ca82e7981d2c65bf6c4b8fb2204bf9394d2072d9caa70126 | SHA257 | Multipiploader |
