Longzhi

Threat Actor updated 4 months ago (2024-05-05T12:17:34.311Z)

Download STIX

Preview STIX

Earth Longzhi, a subgroup within the notorious APT41 cyber espionage group, has re-emerged after months of dormancy, according to cybersecurity researchers at Trend Micro. The threat actor has been known for its malicious activities since 2020 and has recently targeted organizations in Taiwan, Thailand, the Philippines, and for the first time, Fiji. The sectors affected include government, healthcare, technology, and manufacturing. Earth Longzhi's resurgence is marked by new techniques in its infection routine, primarily targeting vulnerable internet-exposed servers. This recent activity indicates that Earth Longzhi remains a significant threat with an evolving modus operandi. The researchers discovered that Earth Longzhi has developed a novel method to disable security products, a technique they termed 'stack rumbling' via Image File Execution Options (IFEO), which is a new denial-of-service (DoS) technique. The group primarily deploys two types of malware: Croxloader, a loader for Cobalt Strike, and a new anti-detection tool called SPHijacker. Instead of relying on traditional phishing emails, Earth Longzhi tends to target public-facing Internet Information Services (IIS) and Microsoft Exchange servers to install the popular Behinder Web shell. Using Behinder, it can gather information and download further malware onto host systems. Despite Earth Longzhi's hiatus since its last campaign that ended in June 2022, the group's return signals its resilience as a noteworthy threat. The samples collected by Trend Micro not only reveal potential targets but also provide insights into the new techniques that Earth Longzhi might employ in future campaigns. Given these developments, organizations, especially those with public-facing internet services, are urged to ensure their systems are fully patched and updated to mitigate the risk of intrusion.

Description last updated: 2024-05-05T11:32:06.089Z

What's your take? (Question 1 of 2)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
Earth Longzhi	3	Earth Longzhi, a suspected subgroup of the notorious APT41, has reemerged after months of inactivity and is now attacking organizations across various industries in Southeast Asia. This group had been on hiatus since its last campaign which ran from August 2021 to June 2022. Trend Micro's investigat
APT41	2	APT41, a threat actor attributed to China, has been actively targeting organizations in at least 14 countries since 2012. The group is known for its use of an extensive range of malware, with at least 46 different code families and tools observed in their operations. They are associated with various

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Espionage

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Longzhi Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	a year ago	Attack on Security Titans: Earth Longzhi Returns With New Tricks \| IT Security News
DARKReading	a year ago	APT41 Subgroup Plows Through Asia-Pacific, Utilizing Layered Stealth Tactics
InfoSecurity-magazine	a year ago	Earth Longzhi Uses
CERT-EU	a year ago	Chinese Hacker Group Earth Longzhi Resurfaces with Advanced Malware Tactics - GIXtools