In 2020, a hacking group known as Earth Zhulong began targeting the telecom, technology, and media sectors in Vietnam. After a long-term investigation, we assess that this group is likely related to the Chinese-linked hacking group 1937CN, based on shared code in their custom shellcode loader and on overlapping victimology.

We identified three variants of the shellcode loader, ShellFang, in use from 2020 to 2022. The latest variant adopts additional obfuscation techniques, such as abusing exception-handling mechanisms and hashing Windows API names to hide the functions it resolves. Its code structure differs dramatically from the older variants, but we were able to establish the relationship between them. The embedded shellcode is Cobalt Strike shellcode, which builds a connection to a remote attacker-controlled machine.

Earth Zhulong has been using group policy objects to install the loaders and launch Cobalt Strike on target hosts, and DLL sideloading to run their malware. A lure document is one of the approaches the threat actors use to compromise their targets. Beyond the loader, they employ a range of hacking tools: tunneling and port-scanning utilities, a Go-based backdoor, and a Python-based information stealer that harvests internal information from victims. We also observed the notorious network-penetration tool EarthWorm, as well as the Themida packer, used to obfuscate signatures relied on for detection.

We assess that Earth Zhulong is a significant threat to cybersecurity in Southeast Asia, and that Trend Micro Vision One can help prevent threats like this with multiple security layers across all platforms.
This Cyber News was published on www.trendmicro.com. Publication date: Wed, 08 Feb 2023 13:34:03 +0000