A subgroup of the Chinese state-sponsored threat actor known as APT41 has been observed using a new denial-of-service (DoS) technique to disable security software, cybersecurity firm Trend Micro reports.
Tracked as Earth Longzhi, the APT41 subgroup is known for the targeting of organizations in the Philippines, Taiwan, and Thailand.
As part of the newly observed campaign, the threat actor was seen performing DLL sideloading via Windows Defender binaries and employing two methods of disabling security products: a bring-your-own-vulnerable-driver (BYOVD) attack, and a technique called ‘stack rumbling’ that involves Image File Execution Options (IFEO).
The attacks typically start with the exploitation of vulnerable public-facing applications and Internet Information Services (IIS) and Microsoft Exchange servers to deploy the Behinder web shell, which provides backdoor capabilities, remote code execution, and a Socks5 proxy.
Earth Longzhi was also observed abusing legitimate Windows Defender executables to sideload DLLs and execute malware such as Croxloader (a customized Cobalt Strike loader) and SPHijacker (a tool for disabling security products).
SPHijacker leverages a vulnerable Zemana driver to terminate security applications, then leverages stack rumbling to prevent the software from running by causing it to crash upon launch.
For that, it modifies the IFEO registry key with a new value large enough to crash the target application due to a stack overflow. The method, which causes a permanent DoS condition, targets roughly 30 antivirus-related processes.
“IFEO registry has been known to contain various options for process creation. While it can be used to attach a debugger to an executable file, it can also be used to interrupt the process execution flow, a method known as IFEO injection,” Trend Micro explains.
While investigating the campaign, Trend Micro discovered additional malicious tools linked to Earth Longzhi, such as the Roxwrapper loader and a new tool for privilege escalation.
The cybersecurity firm also discovered various decoy documents in Vietnamese and Indonesian, which were likely meant to be distributed via phishing emails to victims in Vietnam and Indonesia.
The observed attacks focused on government, healthcare, manufacturing, and technology organizations in Fiji, the Philippines, Taiwan, and Thailand. This is the first time the Chinese threat actor has targeted entities in Fiji, Trend Micro says.
“Another noteworthy insight is that the threat actors showed an inclination for using open-source projects to implement their own tools. There is evidence to suggest that the group spruces up its toolset during periods of inactivity,” the cybersecurity firm concludes.
Related: Report: Chinese State-Sponsored Hacking Group Highly Active
Related: China’s Winnti Group Seen Targeting Governments in Sri Lanka, Hong Kong
Related: More Details Emerge on Operations, Members of Chinese Group APT41
