Unknown Chinese faction uses custom Cobalt Strike loaders


    Researchers at security firm Trend Micro have discovered a previously unknown Chinese APT group, Earth Longzhi, which targets organizations in East Asia, Southeast Asia, and Ukraine.

    The group has been active since at least 2020, using custom Cobalt Strike loaders to install persistent backdoors on victim systems.

    According to a new report from Trend Micro, Earth Longzhi shares the same TTPs as the Earth Baku group. Both groups are believed to be part of the large state-backed group APT41.

    The Trend Micro report describes two campaigns run by Earth Longzhi, the first of which ran between May 2020 and February 2021. During this time, the hackers attacked several infrastructure companies and a government organization in Taiwan, as well as a bank in China.

    The hackers used a custom Cobalt Strike loader called "Symatic", which includes a set of sophisticated anti-detection features:

    • Removing API hooks from 'ntdll.dll': reading the raw contents of the file from disk and replacing the in-memory image of 'ntdll' with a copy that is not monitored by security software;
    • Creating a new process for process injection and spoofing its parent process to confuse the process chain;
    • Injecting the decrypted payload into the newly created process.

    For its core operations, Earth Longzhi used an all-in-one hacking tool that bundles various publicly available tools into a single package. This tool can:

    • open a SOCKS5 proxy;
    • perform password scanning against MS SQL servers;
    • disable Windows file protection;
    • change file timestamps;
    • scan ports;
    • start new processes;
    • list files on disks;
    • execute commands using "SQLExecDirect".

    The second campaign, observed by Trend Micro, ran from August 2021 to June 2022 and targeted insurance and city companies in the Philippines and aviation companies in Thailand and Taiwan.

    In these attacks, Earth Longzhi deployed a new set of custom Cobalt Strike loaders with various features, among them BigpipeLoader.

    BigpipeLoader uses DLL side-loading: a malicious WTSAPI32.dll is loaded by a legitimate application (wusa.exe), which then runs the loader (chrome.inf) and injects Cobalt Strike into memory.
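    As an added illustration (not code from the Trend Micro report or from this post), the check below runs over constructed Sysmon-style image-load events and flags the side-loading pattern described above: a legitimate host binary such as wusa.exe loading a DLL named WTSAPI32.dll from outside the Windows system directories. The event field names and the host/DLL pairing table are assumptions made for the example.

```python
import ntpath

# Constructed image-load events in the style of Sysmon Event ID 7 (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: wusa.exe loads the genuine DLL from System32.
    {"Image": r"C:\Windows\System32\wusa.exe",
     "ImageLoaded": r"C:\Windows\System32\wtsapi32.dll"},
    # Suspicious: a copied wusa.exe loads a DLL of the same name from a user directory.
    {"Image": r"C:\Users\Public\wusa.exe",
     "ImageLoaded": r"C:\Users\Public\WTSAPI32.dll"},
    # Suspicious: the real wusa.exe loads the DLL from ProgramData (search-order abuse).
    {"Image": r"C:\Windows\System32\wusa.exe",
     "ImageLoaded": r"C:\ProgramData\wtsapi32.dll"},
    # Unrelated host binary: not covered by the pairing table, so ignored.
    {"Image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "ImageLoaded": r"C:\Windows\System32\wtsapi32.dll"},
]

# Directories from which the named system DLLs are expected to load (lower-cased).
SYSTEM_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Hypothetical pairing table: host binary -> DLLs it is known to side-load.
# Only the pair named in the article is included here.
SIDELOAD_PAIRS = {"wusa.exe": {"wtsapi32.dll"}}


def is_suspicious_sideload(event):
    """Return True when a known host binary loads one of its expected system DLLs
    from a directory other than the Windows system directories."""
    host = ntpath.basename(event["Image"]).lower()
    dll_path = event["ImageLoaded"]
    dll = ntpath.basename(dll_path).lower()
    dll_dir = ntpath.dirname(dll_path).lower()
    if dll not in SIDELOAD_PAIRS.get(host, set()):
        return False
    return dll_dir not in SYSTEM_DLL_DIRS


def find_sideloads(events):
    """Return the loaded-DLL paths of every event that matches the side-loading pattern."""
    return [e["ImageLoaded"] for e in events if is_suspicious_sideload(e)]


if __name__ == "__main__":
    for path in find_sideloads(SAMPLE_EVENTS):
        print("suspicious side-load:", path)
```

    Matching on the DLL directory rather than on the host path also catches the case where the legitimate wusa.exe is left in place and only the DLL search order is abused.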

    After launching Cobalt Strike on a target, the hackers use a custom version of Mimikatz to steal credentials and use the "PrintNightmare" and "PrintSpoofer" exploits to escalate privileges. To disable security products on a host, Earth Longzhi uses the ProcBurner tool to terminate certain running processes.

    With these tactics, Earth Longzhi managed to stay unnoticed for at least 2.5 years; now that they have been exposed by Trend Micro researchers, they are likely to switch to new tactics.

    Author DeepWeb