APT41 Subgroup Plows Through Asia-Pacific, Utilizing Layered Stealth Tactics

After months of inactivity, Earth Longzhi — a suspected subgroup of the notorious APT41 — is again attacking organizations across industry targets in Southeast Asia. And researchers believe they know who it's targeting next.

APT41 is one of China's most well-known cyber threats — or, rather, an umbrella label for multiple subgroups. Over the years it has constantly switched up its TTPs in espionage attacks against government agencies, enterprises, and even individuals. Its attacks against the US government, in particular, have made enough noise to earn its members indictments from US law enforcement.

On May 2, researchers from Trend Micro revealed details of a new campaign from Earth Longzhi, a suspected subgroup of APT41.

Earth Longzhi had been on something of a hiatus since its most recent campaign, which began in August 2021 and ended last June. In that case, it targeted organizations across industries — defense, aviation, insurance, and urban development — in countries around the Asia-Pacific region — Taiwan, Thailand, Malaysia, Indonesia, Pakistan, Ukraine, and China itself.

Now, after nearly a year, Earth Longzhi is back, utilizing newer and better stealth tactics in espionage campaigns against many of the same kinds of targets.

Earth Longzhi's Evolving TTPs

Rather than tried-and-true phishing emails, Earth Longzhi has tended to target public-facing Internet Information Services (IIS) and Microsoft Exchange servers as inroads to install the popular Behinder Web shell. Using Behinder, it can gather information and download further malware onto host systems.

Further, the group has utilized dynamic link library (DLL) sideloading, disguising malware as a legitimate DLL — MpClient.dll — to trick the legitimate Windows Defender binaries MpDlpCmd.exe and MpCmdRun.exe into loading it.

Earth Longzhi primarily delivers two types of malware, according to Trend Micro: Croxloader, a loader for Cobalt Strike, and a new anti-detection tool called SPHijacker.

SPHijacker is specially designed to disable security products in their tracks, either by utilizing a vulnerable driver — zamguard.sys — or by abusing the undocumented "MinimumStackCommitInBytes" values in the IFEO registry key to perform a kind of denial of service.

"These methods are not overly novel and sophisticated," explains James Lively, endpoint security research specialist at Tanium. "However," he adds, "the knowledge, understanding, and tradecraft required to use them efficiently and accurately is."

Where Earth Longzhi Is Going From Here

In this newest campaign, Earth Longzhi targeted organizations in government, healthcare, technology, and manufacturing, across the Philippines, Thailand, Taiwan, and a country they've never targeted before: Fiji.

But there's a wrinkle in the story. In the course of their investigation, the researchers came across a series of decoy documents written in Vietnamese and Indonesian, hidden among the hackers' files.

"Based on these decoy documents," the researchers wrote, "it can be inferred that the threat actors were keen on targeting users in Vietnam and Indonesia for its next wave of attacks."

With more attacks to come, organizations in and around the Asia-Pacific will need to stay attuned to the threat. With Earth Longzhi's penchant for targeting vulnerable, internet-exposed servers, "potential targets need to ensure that everything in their environment, especially public facing to the Internet, is fully patched and updated," Lively says. Otherwise, they may just be the next victim.