Earth Zhulong Familiar Patterns Target Southeast Asian Firms
Introduction
In 2022, we discovered a hacking group that has been targeting the telecom, technology, and media sectors in Southeast Asia since 2020. We track this group as Earth Zhulong. We believe that Earth Zhulong is likely related to the Chinese-linked hacking group 1937CN, based on similar code in the custom shellcode loader and on overlapping victimology.
In this post, we introduce Earth Zhulong's new tactics, techniques, and procedures (TTPs) in the recent campaign and the evolution of their custom shellcode loader, "ShellFang". The TTPs show that they are sophisticated and meticulous actors: they adopt multiple approaches to obfuscate their tools and remove their footprint after finishing an operation. As a result, we have exerted greater effort to hunt down and analyze their tools in order to fully understand the attack scenario. In addition, we have verified that three different variants of ShellFang were used from 2020 to 2022. The latest variant shows that the threat actors have adopted more obfuscation techniques, including abusing exception-handling mechanisms to obfuscate the program's execution flow, and Windows API hashing.
In early 2022, we further discovered that Earth Zhulong abused group policy objects (GPO) to install loaders and launch Cobalt Strike on their target hosts. Several hack tools were also found on the infected hosts, including tunneling and port-scanning tools, a Golang-based backdoor, and an information stealer used to harvest internal information.
Compared to the old variants, the code structure of the latest variant is dramatically different, and there are few features shared between the old variants and the latest one. However, during our long-term investigation we found the relationship between them and were finally able to correlate the old variants with the latest one. We believe the relationship found in this research can bring this notorious hacking group back into public sight, and that the findings here will be helpful to future research on hacking groups active in Southeast Asia.
Initial Access – Lure document
Back in 2020, through a command and control (C&C) domain observed in our investigation, we found a lure document with a malicious macro. Once the victim opens the document, the embedded macro is executed and injects shellcode into rundll32.exe. We identified the embedded shellcode as Cobalt Strike shellcode, which is used to establish a connection to a remote attacker-controlled machine. We believe this lure document is one of the approaches used by the threat actors to compromise their targets.
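The macro-to-rundll32.exe injection chain described above maps directly onto process-creation telemetry. The following is an added detection sketch, not code from the report: it runs over constructed sample events, flags an Office application spawning rundll32.exe, and raises the severity when rundll32.exe is started with no arguments (that no-argument heuristic is an analyst assumption, not something the report states).

```python
"""Detection sketch: Office application spawning rundll32.exe (added example)."""
from __future__ import annotations
from dataclasses import dataclass

# Parent images that should rarely, if ever, spawn rundll32.exe directly.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lowercase file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rundll32_has_arguments(command_line: str) -> bool:
    """True if anything follows the rundll32.exe image (legit use is 'rundll32.exe <dll>,<entry>')."""
    rest = command_line.strip().strip('"').lower().split("rundll32.exe", 1)[-1]
    return bool(rest.strip().strip('"').strip())


def detect(events: list[ProcessEvent]) -> list[dict]:
    """Return one alert per Office-parented rundll32.exe process-creation event."""
    alerts = []
    for ev in events:
        if basename(ev.image) != "rundll32.exe":
            continue
        if basename(ev.parent_image) not in OFFICE_PARENTS:
            continue
        # An argument-less rundll32.exe has no DLL to load; it only makes sense as an injection host.
        severity = "medium" if rundll32_has_arguments(ev.command_line) else "high"
        alerts.append({"host": ev.host, "parent": basename(ev.parent_image), "severity": severity})
    return alerts


# Constructed telemetry for the demo; these are not events from the report.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\rundll32.exe"),
    ProcessEvent("ws02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"),
    ProcessEvent("ws03", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\rundll32.exe", r'rundll32.exe "C:\Users\a\AppData\Local\Temp\x.dll",Run'),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```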