Cybersecurity researchers have discovered a harmful campaign conducted by the Earth Longzhi group targeting Taiwan, Thailand, Philippines, and Fiji. Trend Micro uncovered the campaign, and it found that the attackers used the Windows defender executable to download the malicious DLL bibliotext during the BYOVD attack. The purpose of this attack was to turn off safety products installed on the target computer.
Trend Micro’s specialists also found that Earth Longzhi used a new way to disable security products known as “Stack Rumbling.” It is a new type of DOS attack using IFEO vulnerabilities in Windows. The attackers installed drivers at the core level using remote challenge to Microsoft instead of using traditional Windows APIs, a secretive way to avoid API monitoring. During its investigation, Trend Micro found that Earth Longzhi is a subgroup of Chinese Apt41, also known as Barium, Bronze Atlas, Double Dragon, and Wicked Panda.
Trend Micro analyzed two separate Earth Longzhi campaigns from 2020 to 2022, concluding that the attackers are continually improving their TTP. The company reported that although the malware files it collected are test files, they still contain information that can be useful in preventing future attacks. The team concluded that Earth Longzhi may target Vietnam and Indonesia in future campaigns based on the information found in those files.
The Trend Micro team added that the attackers showed a tendency to use open source projects for implementing their tools. Finally, they said that there is clear evidence that the attackers are improving their toolset during inaction. Organizations need to be vigilant about the ever-evolving schemes of cybercriminals.