Organizations in Ukraine, Southeast Asia, and East Asia have been targeted by newly identified Chinese advanced persistent threat group Earth Longzhi through custom Cobalt Strike loaders since at least 2020, reports BleepingComputer.
Between May 2020 and February 2021, Earth Longzhi compromised numerous Taiwanese critical infrastructure firms, a Taiwanese government organization, and a Chinese bank through Symatic, a custom Cobalt Strike loader that features API hook removal, new process injection spawning and obfuscation, and decrypted payload injection capabilities, according to a Trend Micro report. Different public tools have been consolidated by Earth Longzhi in the hacking tool it used in the campaign.
Meanwhile, Thailand- and Taiwan-based aviation companies, as well as Philippine-based insurance and urban development entities have been targeted by the second Earth Longzhi campaign between August 2021 and June 2022, which involved the utilization of new custom loaders with multi-threading functionality that leverage decoy documents for increased efficacy.
Execution of Cobalt Strike is then followed by utilization of a custom Mimikatz version while exploits for PrintSpoofer and PrintNightmare are used to enable escalation of privileges.
Earth Longzhi has been found to resemble Earth Baku, another subgroup of state-sponsored threat operation APT41.
Ukraine has been targeted by Russian threat actors in the new Operation Texontodisinformation campaign that also involved spear-phishing and credential exfiltration tactics, according to The Hacker News.
Record high ransomware and data extortion incidents experienced by Western nations last year have prompted former National Security Agency Director Michael Rogers to call for a reevaluation of their cybersecurity defense strategy.