Earth Zhulong: Familiar Patterns Target Vietnam


Introduction
In 2022, we found a hacking group that has been targeting the telecom, technology, and media sectors in Vietnam since 2020. We track this group as Earth Zhulong. We believe Earth Zhulong is likely related to the Chinese-linked hacking group 1937CN, based on similar code in the custom shellcode loader and on victimology.
In this post, we introduce Earth Zhulong's new tactics, techniques, and procedures (TTPs) in the recent campaign and the evolution of their custom shellcode loader, "ShellFang". The TTPs show them to be sophisticated and meticulous actors: they use several approaches to obfuscate their tools and erase their footprint after finishing an operation. As a result, we had to put in greater effort to find and analyze their tools in order to fully understand the attack scenario. In addition, we have verified that three different variants of ShellFang were used from 2020 to 2022. The latest variant shows that the threat actors have adopted more obfuscation techniques, including abusing exception handling mechanisms to obfuscate the program's control flow, and Windows API hashing.
In early 2022, we further found that Earth Zhulong abused Group Policy Objects (GPOs) to install loaders and launch Cobalt Strike on their target hosts. Several hack tools were also found on the infected hosts, including tunneling and port scanning tools, a Go-based backdoor, and an information stealer used to harvest internal information.
Compared to the old variants, the code structure of the latest variant is dramatically different, and there are few shared features between the old variants and the latest one. Nonetheless, through a long-term investigation we found the connection and finally correlated the old variants with the latest one. We believe the connection found in this research may bring this notorious hacking group back into public view, and that the findings here will be helpful to future research on hacker groups active in Southeast Asia.
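To make the Windows API hashing mentioned above concrete, here is a small Python example (added for illustration; it is not ShellFang or Trend Micro code). A loader that hashes its imports never stores the string "VirtualAlloc"; it stores a 32-bit constant and, at runtime, walks a module's export table hashing each export name until one matches. An analyst does the reverse: hash every plausible export name and look the constants recovered from the disassembly up. The ROR13 algorithm used here is an assumption for the example (it is the classic Metasploit/Cobalt Strike block_api scheme applied to the export name only, without the module-name component); the post does not state which hash ShellFang uses. The candidate export list and the sample hash constants are constructed inputs.

```python
"""
Windows API hashing: the loader side stores hashes instead of import names;
the analyst side rebuilds a hash -> name table to recover what is called.

Added example, not ShellFang code. ROR13 over the export name is an assumed
algorithm for illustration; real samples use whatever scheme their author chose.
"""
from typing import Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_hash(name: str) -> int:
    """Classic ROR13 export-name hash: h = ror(h, 13) + byte, for each byte."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


def build_lookup(names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name for a candidate export list (a small rainbow table)."""
    table: Dict[int, str] = {}
    for n in names:
        h = ror13_hash(n)
        # A collision would make the loader's resolution ambiguous; surface it.
        if h in table and table[h] != n:
            raise ValueError(f"hash collision: {table[h]!r} and {n!r} -> {h:#010x}")
        table[h] = n
    return table


def resolve(hash_value: int, table: Dict[int, str]) -> Optional[str]:
    """Map a hash constant pulled from disassembly back to an export name."""
    return table.get(hash_value & MASK32)


# Constructed candidate list: exports a shellcode loader commonly resolves.
# A real analysis would feed in the full export lists of kernel32.dll / ntdll.dll.
CANDIDATE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "WriteProcessMemory", "CreateRemoteThread",
    "AddVectoredExceptionHandler", "RtlAddVectoredExceptionHandler",
]


def resolve_all(hashes: Iterable[int]) -> Dict[int, Optional[str]]:
    """Resolve a batch of hash constants recovered from a loader sample."""
    table = build_lookup(CANDIDATE_EXPORTS)
    return {h: resolve(h, table) for h in hashes}


if __name__ == "__main__":
    # Constructed input: constants as they might sit in a loader's resolver,
    # including one that matches nothing in the candidate list.
    sample = [ror13_hash("VirtualAlloc"), ror13_hash("CreateThread"), 0xDEADBEEF]
    for h, name in resolve_all(sample).items():
        print(f"{h:#010x} -> {name or '<unresolved>'}")
```

In practice the candidate list is the complete export table of each DLL the loader is expected to touch, and an unresolved constant is a hint that either the hash algorithm guess is wrong or the loader resolves an export from a module not yet in the table.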
Initial Access – Lure document
Back in 2020, through a command and control (C&C) domain observed in our investigation, we found a lure document with a malicious macro. Once the victim opens the document, the embedded macro executes and injects shellcode into rundll32.exe. We identified the embedded shellcode as Cobalt Strike shellcode used to build a connection to a remote attacker-controlled machine. We believe this lure document is one of the approaches used by the threat actors to compromise their targets.
