A new APT group, Earth Longzhi, reportedly targeted organizations in East Asia, Southeast Asia, and Ukraine using custom Cobalt Strike loaders. The group, active since at least 2020, is assessed to be a subgroup of the state-backed hacking group APT41.
The threat actors lured victims with malicious archive files that embedded the malware, or with malicious links that redirected victims to the same archive files hosted on Google Drive.
In some cases, the group exploited publicly accessible applications to deliver the malware and the other hacking tools needed for its intrusion routine.
In the first campaign, Earth Longzhi used a custom Cobalt Strike loader dubbed Symatic Loader, which incorporates detection-evasion techniques, together with custom hacking tools.
During the second campaign, it used several customized Cobalt Strike loaders, namely CroxLoader, BigpipeLoader, and OutLoader, alongside other hacking tools. Earth Longzhi's victimology and TTPs resemble those of Earth Baku, another APT41 subgroup.
The decryption algorithms in Symatic Loader and CroxLoader closely resemble those used by GroupCC, yet another APT41 subgroup.
To incapacitate installed security solutions, the group uses a bring-your-own-vulnerable-driver (BYOVD) technique: it loads the signed RTCore64.sys driver and exploits a known flaw in it (CVE-2019-16098) to obtain the kernel-level access needed to disable the security software. Because the driver carries a valid signature, the load succeeds on systems that do not enforce a vulnerable-driver blocklist, so defenders should hunt for the driver itself rather than rely on signature checks alone.
IOCs
SHA256  Name  Detection
b6d2f4d9edd7b08c9841cca69c5cb6b312fa9ad1c19a447a26e915e1fd736e09  CroxLoader  Backdoor.Win32.COBEACON.ZTJC
8478718e0bad7fde34f623794e966f662aaf2d7a21d365b45db80b2a0349ed8a  AllInOne  HackTool.Win32.ALLINONE.AB
4b1b1a1293ccd2c0fd51075de9376ebb55ab64972da785153fcb0a4eb523a5eb  AVBurner + PrintSpoofer  HackTool.Win64.AVBURNER.ZYJG
c80289a1f293dceb71230cf0dbd0a45b9444519b1367a5ba04e990ea6acf6503  ProcBurner  HackTool.Win64.PROCBURNER.ZYJD
30b64628aae642380147c7671ea8f864b13c2d2affaaea34c4c9512c8a779225  ProcBurner  HackTool.Win64.PROCBURNER.ZYJH
03795a683bf3eb9ed7673522fe7eac45949a824da8043236cd504fd8106e3593  BigpipeLoader  Trojan.Win32.BIGPIPELOADER.ZYJJ
3ba81d78f3b764dc6e369f24196c41b4cba0764414ad85d42dae5a5f79e871e1  BigpipeLoader  Trojan.Win32.BIGPIPELOADER.ZYJJ
41bcdc3fc4c878fb34ebebeff6ff7d158be166d3fc220f3b90f225ae3757f2e8  BigpipeLoader  Trojan.Win32.BIGPIPELOADER.ZYJJ
8e2aac4e7776f66da785171baeee473e41cb88c60e535b80980d55ac7f873c5c  BigpipeLoader  Trojan.Win32.BIGPIPELOADER.ZYJJ
a0bde01e83ccc42c0729b813108dd3da96a9bc175b3ad53807387bbf84d58112  BigpipeLoader  Trojan.Win32.BIGPIPELOADER.ZYJJ
bd959353bc6c05b085fc37589ea2ccd2c91aaf05ec7cf1a487f5de7fa0abc962  BigpipeLoader  Trojan.Win32.BIGPIPELOADER.ZYJJ
25bfa492e295599fe30d9477ac72a4848c1ee2b71ff92ef7dcca90587c8d0945  OutLoader  Trojan.Win32.OUTLOADER.ZYJD
eb8d11b63d20e3d1e164f0f25822d54a58742faa8d10ba120740e612607b5f6  OutLoader  Trojan.Win32.OUTLOADER.ZYJD
947fdef565d889d3d919d8d81014d718f2d22ef3ed0049c98960f7330f51f41f  SymaticLoader  Trojan.Win32.SYMATIC.ZBII
969ac3517ae9c472e436c547a6721f426a675ad8dece53c3f8e79ba44aa884eb  SymaticLoader  Trojan.Win32.SYMATIC.ZCIE
3de17542ca2ffefc9572cd2707a664999f157a0fed02ac4abdae5f805f6a77ac  SymaticLoader  Trojan.Win32.SYMATIC.ZCII
86598469671d83cd5525a89e2d1ae83f1f9529420c3325a746d84acffeb876ec  SymaticLoader  Trojan.Win32.SYMATIC.ZTII
1903cd46184aa2b70c74e2bdd47b7bedd2ae7175295d6c1dab904204dedbabca  SymaticLoader  Trojan.Win32.SYMATIC.ZTIJ
5eb94c62e75a8a11b1220f3f716f90bee69010ce4ad61c463be6e66dcaf29379  SymaticLoader  Trojan.Win32.SYMATIC.ZYII
883064cdeeddd5ccbfa74dacc1d8a8b5a0d2c9794c59acef186dd7105594fdcc  SymaticLoader  Trojan.Win32.SYMATIC.ZYII
8d3216c2fdbec7fc7a9af4e2d142e021d37037a187739d5aab2fa0351e8f4ec7  SymaticLoader  Trojan.Win32.SYMATIC.ZYJE
31d71e04ca898cbdb45ffea1c4f45a953e0833964ad2d14c014616acb1666996  BigpipeLoader  Trojan.Win64.BIGPIPELOADER.ZYJJ
4a438626ac962db91cde46ee2c04c850b46262599bc535b4a08209661d5fb44d  BigpipeLoader  Trojan.Win64.BIGPIPELOADER.ZYJJ
4bc4d2ad9b608c8564eb5da5d764644cbb088c2f1cb61427d11f7b2ce4733add  BigpipeLoader  Trojan.Win64.BIGPIPELOADER.ZYJJ
76998c3cef50132d7eb091555b034b03a351bd8639c1c5dc05cf1ea6c19331d9  BigpipeLoader  Trojan.Win64.BIGPIPELOADER.ZYJJ
f8fa90be3e6295c275a4d23429e8738228b70693806ed9b2f482581487cb8e08  BigpipeLoader  Trojan.Win64.BIGPIPELOADER.ZYJJ
90a1e3ff729b7b91ca82e7981d2c65bf6c4b8fb2204bf9394d2072d9caa70126  Multipiploader  Trojan.Win64.MULTIPIPELOADER.ZYJE
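A practical way to use the hash indicators above is to sweep a file system for matching SHA256 digests. The following script is an added example written for this article, not code from the original report or from the threat actor's tooling. It transcribes a subset of the IOC rows above (the remaining rows can be pasted in the same way), validates that each indicator is a well-formed 64-character hex digest before trusting it (one OutLoader hash in the published list is only 63 characters long and can therefore never match anything), and then walks a directory tree hashing every regular file. The directory path and the sample file used when running it are constructed for illustration.

```python
"""Scan a directory tree for files whose SHA256 matches the Earth Longzhi IOCs.

Added example for this article, not from the original report. IOC entries are
transcribed from the table above; paths and sample files are constructed.
"""
import hashlib
import re
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

# (family, detection name) keyed by SHA256, transcribed from the IOC table above.
# Only a subset is shown; add the remaining rows in the same format.
IOCS: Dict[str, Tuple[str, str]] = {
    "b6d2f4d9edd7b08c9841cca69c5cb6b312fa9ad1c19a447a26e915e1fd736e09": ("CroxLoader", "Backdoor.Win32.COBEACON.ZTJC"),
    "8478718e0bad7fde34f623794e966f662aaf2d7a21d365b45db80b2a0349ed8a": ("AllInOne", "HackTool.Win32.ALLINONE.AB"),
    "4b1b1a1293ccd2c0fd51075de9376ebb55ab64972da785153fcb0a4eb523a5eb": ("AVBurner + PrintSpoofer", "HackTool.Win64.AVBURNER.ZYJG"),
    "c80289a1f293dceb71230cf0dbd0a45b9444519b1367a5ba04e990ea6acf6503": ("ProcBurner", "HackTool.Win64.PROCBURNER.ZYJD"),
    "25bfa492e295599fe30d9477ac72a4848c1ee2b71ff92ef7dcca90587c8d0945": ("OutLoader", "Trojan.Win32.OUTLOADER.ZYJD"),
    # Copied exactly as published: this value is 63 hex characters long, so it
    # can never equal a real SHA256 digest. validate_iocs() flags it.
    "eb8d11b63d20e3d1e164f0f25822d54a58742faa8d10ba120740e612607b5f6": ("OutLoader", "Trojan.Win32.OUTLOADER.ZYJD"),
    "947fdef565d889d3d919d8d81014d718f2d22ef3ed0049c98960f7330f51f41f": ("SymaticLoader", "Trojan.Win32.SYMATIC.ZBII"),
    "90a1e3ff729b7b91ca82e7981d2c65bf6c4b8fb2204bf9394d2072d9caa70126": ("Multipiploader", "Trojan.Win64.MULTIPIPELOADER.ZYJE"),
}

SHA256_RE = re.compile(r"[0-9a-f]{64}")


def normalize(indicator: str) -> str:
    """Lower-case and strip an indicator so case and whitespace never cause a miss."""
    return indicator.strip().lower()


def validate_iocs(iocs: Dict[str, Tuple[str, str]]) -> List[str]:
    """Return indicators that are not well-formed SHA256 hex digests.

    A truncated or mistyped hash silently yields zero matches, so a feed should
    be checked before it is relied on as a detection source.
    """
    return [h for h in iocs if not SHA256_RE.fullmatch(normalize(h))]


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in fixed-size chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(root: Path, iocs: Dict[str, Tuple[str, str]]) -> Iterator[Tuple[Path, str, str]]:
    """Yield (path, family, detection) for each regular file under root whose
    SHA256 is in the IOC set. Files that cannot be read are skipped rather than
    aborting the whole sweep."""
    wanted = {normalize(h): meta for h, meta in iocs.items()}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            digest = sha256_file(path)
        except OSError:
            continue
        if digest in wanted:
            family, detection = wanted[digest]
            yield path, family, detection


if __name__ == "__main__":
    import sys

    malformed = validate_iocs(IOCS)
    if malformed:
        print("malformed indicators (will never match):", *malformed, sep="\n  ")
    # Constructed usage: scan the directory given on the command line, else cwd.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for hit, family, detection in scan(target, IOCS):
        print(f"{hit}  {family}  {detection}")
```

Hash matching is only as good as the feed: the validation step exists because a single dropped character, as in the published OutLoader entry, turns an indicator into dead weight that reports nothing while appearing to be covered.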