Custom Cobalt Strike loaders leveraged in Chinese APT attacks

Organizations in Ukraine, Southeast Asia, and East Asia have been targeted since at least 2020 by a newly identified Chinese advanced persistent threat group, Earth Longzhi, which delivers Cobalt Strike through custom loaders, reports BleepingComputer. According to a Trend Micro report, between May 2020 and February 2021 Earth Longzhi compromised numerous Taiwanese critical infrastructure firms, a Taiwanese government organization, and a Chinese bank using Symatic, a custom Cobalt Strike loader capable of removing API hooks, spawning a new process for injection while obfuscating that injection, and injecting the decrypted payload. In that campaign Earth Longzhi also combined several public tools into the single hacking tool it deployed.

A second Earth Longzhi campaign, running between August 2021 and June 2022, targeted aviation companies in Thailand and Taiwan as well as insurance and urban development entities in the Philippines. It used new custom loaders with multi-threading functionality that rely on decoy documents to improve their effectiveness. Once Cobalt Strike is running, the group deploys a custom version of Mimikatz and uses exploits for PrintSpoofer and PrintNightmare to escalate privileges. Earth Longzhi has been found to resemble Earth Baku, another subgroup of the state-sponsored threat operation APT41.