Introduction
In 2022, we identified a hacking group that has been targeting the telecom, technology, and media sectors in Southeast Asia since 2020. We track this group as Earth Zhulong. We believe Earth Zhulong is likely related to the Chinese-linked hacking group 1937CN, based on similar code in the custom shellcode loader and on shared victimology.
In this post, we introduce Earth Zhulong's new tactics, techniques, and procedures (TTPs) in the recent campaign and the evolution of their custom shellcode loader, "ShellFang". The TTPs show that they are sophisticated and meticulous malicious actors. They adopt multiple approaches to obfuscate their tools and remove their footprint after finishing an operation. As a result, we had to put greater effort into finding and analyzing their tools in order to fully understand the attack scenario. In addition, we have verified that three different variants of ShellFang were used from 2020 to 2022. The latest variant shows that the threat actors have adopted more obfuscation techniques, including abusing exception mechanisms to obfuscate the execution flow of the program and Windows API hashing.
In early 2022, we further found that Earth Zhulong abused Group Policy Objects (GPO) to install loaders and launch Cobalt Strike on their target hosts. Several hack tools were also found on the infected hosts, including tunneling and port scanning tools, a Go-based backdoor, and an information stealer used to harvest internal information.
Compared to the old variants, the code structure of the latest variant is dramatically different, and there are few shared features between the old and the latest variant. However, we found the connection through long-term investigation and eventually correlated the old variants with the latest one. We believe the connection found in this research could bring this notorious hacking group back into public sight, and that the findings here will be helpful to future research on hacker groups active in Southeast Asia.
Initial Access – Lure document
Back in 2020, through the command and control (C&C) domain observed in our investigation, we found a lure document with a malicious macro. Once the victim opens the document, the embedded macro is executed, injecting shellcode into rundll32.exe. We have identified the embedded shellcode as Cobalt Strike shellcode, which is used to build a connection to a remote attacker-controlled machine. We believe this lure document is one of the approaches used by the threat actors to compromise their targets.
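As an added detection example (not code from the original post or from the research team), the chain described above, an Office document's macro starting rundll32.exe as a host for injected shellcode, can be hunted for in process-creation telemetry by correlating parent and child processes. The event fields and the sample events below are constructed assumptions, not real telemetry from the campaign.

```python
import os
from dataclasses import dataclass

# Office applications whose macros commonly act as the parent of an injected host process.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}


@dataclass
class ProcEvent:
    """Minimal process-creation record (constructed schema, not a specific sensor's format)."""
    pid: int
    ppid: int
    image: str      # full path or bare image name
    cmdline: str


def _basename(image: str) -> str:
    return os.path.basename(image.replace("\\", "/")).lower()


def find_office_spawned_rundll32(events):
    """Return (parent, child) pairs where an Office process spawned rundll32.exe.

    rundll32.exe is a normal Windows binary, so the signal here is the parent-child
    relationship, not the image name alone.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if _basename(e.image) != "rundll32.exe":
            continue
        parent = by_pid.get(e.ppid)
        if parent is not None and _basename(parent.image) in OFFICE_PARENTS:
            hits.append((parent, e))
    return hits


# Constructed sample events: one macro-spawned rundll32 and one benign rundll32 from explorer.
SAMPLE_EVENTS = [
    ProcEvent(1000, 600, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2000, 1000, r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              '"WINWORD.EXE" /n "C:\\Users\\user\\Downloads\\invoice.doc"'),
    ProcEvent(2100, 2000, r"C:\Windows\System32\rundll32.exe", "rundll32.exe"),
    ProcEvent(2200, 1000, r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for parent, child in find_office_spawned_rundll32(SAMPLE_EVENTS):
        print(f"suspicious: {parent.image} (pid {parent.pid}) -> {child.cmdline} (pid {child.pid})")
```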