The PolySwarm Blog


Winnti Subgroup Earth Longzhi Uses New TTPs

May 19, 2023 2:28:29 PM / by The Hivemind

Related Families: Croxloader, SPHijacker, Behinder
Verticals Targeted: Government, Healthcare, Technology, Manufacturing

Executive Summary

Earth Longzhi, a Winnti subgroup, was recently observed using new TTPs, including a novel technique dubbed stack rumbling.

Key Takeaways

  • Earth Longzhi, a subgroup of Winnti, was recently observed using new TTPs.
  • The group has transitioned from using maldocs to exploiting public-facing applications for initial infection.
  • The group is using legitimate Windows Defender executables for DLL sideloading, using BYOVD to disable security products, and using RPC to install drivers as kernel-level services. 
  • Earth Longzhi's most interesting new TTP is stack rumbling, a denial-of-service technique that uses Image File Execution Options (IFEO) registry entries to disable security products.

Recent Activity 

Earth Longzhi, a Winnti subgroup, was recently observed using new TTPs. Trend Micro reported on this activity. Targets included entities in Taiwan, Thailand, the Philippines, and Fiji.

In the recently observed campaigns, Earth Longzhi forwent phishing emails with maldocs and instead exploited public-facing applications, namely IIS and Exchange servers, to install the Behinder webshell. Behinder offers multiple backdoor functions, including RCE, file operations, an interactive shell, and a SOCKS5 proxy, and the threat actors use it to deploy follow-on payloads.

The threat actors used MpDlpCmd.exe and MpCmdRun.exe, legitimate Windows Defender executables, to perform DLL sideloading. Malware families launched using this technique include Croxloader and SPHijacker.

They also abused zamguard64.sys, a signed but vulnerable driver, in a bring-your-own-vulnerable-driver (BYOVD) attack to disable security products on the victim machine.

Earth Longzhi also installed drivers as kernel-level services by talking to the Service Control Manager over RPC directly, rather than through the usual Windows service APIs that wrap that RPC interface. Because user-mode API monitoring typically hooks the wrapper APIs, this method can evade it.

The most interesting new TTP used by Earth Longzhi is what Trend Micro calls “stack rumbling,” a new denial-of-service technique that uses Image File Execution Options (IFEO) to disable security products. IFEO is a legitimate Windows mechanism: registry entries under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options are applied to every process launched with a matching executable name, so a single registry write is enough to affect a security product each time it starts.
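The four TTPs above (Defender binaries used as sideloading hosts, the zamguard64.sys BYOVD, RPC-installed kernel driver services, and IFEO-based stack rumbling) all leave host telemetry. The following is an added detection example, not PolySwarm's or Trend Micro's code, that runs the corresponding checks over Sysmon-style process, image-load, driver-load and registry events. The events are constructed here; the field names only mirror Sysmon's, and MsMpEng.exe as the IFEO target, mpclient.dll as the sideloaded DLL, and the default Defender install paths are assumptions made for the sample data.

```python
"""Offline hunt over Sysmon-style events for the Earth Longzhi TTPs above.
Added example, not PolySwarm's or Trend Micro's code. Events are constructed;
field names (Image, ImageLoaded, TargetObject, Details) mirror Sysmon's.
Assumed for the samples: MsMpEng.exe as IFEO target, mpclient.dll as the
sideloaded DLL, default Defender install paths."""
import ntpath
import re

# Windows Defender binaries the report names as DLL-sideloading hosts.
DEFENDER_HOSTS = {"mpcmdrun.exe", "mpdlpcmd.exe"}
# Default Defender install paths (assumption: unmodified install).
DEFENDER_DIRS = ("c:\\programdata\\microsoft\\windows defender\\platform\\",
                 "c:\\program files\\windows defender\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
VULN_DRIVERS = {"zamguard64.sys"}  # BYOVD driver named in the report
IFEO_RE = re.compile(r"\\image file execution options\\([^\\]+)\\"
                     r"(minimumstackcommitinbytes|debugger)$")
SERVICE_RE = re.compile(r"\\services\\([^\\]+)\\(type|imagepath)$")


def _lower(s):
    return (s or "").lower()


def _in_dirs(path, dirs):
    return _lower(path).startswith(dirs)


def _driver_path_outside_windows(image_path):
    """True for an absolute ImagePath not under C:\\Windows. Relative paths
    such as System32\\drivers\\x.sys resolve under SystemRoot and are ignored."""
    p = _lower(image_path)
    if p.startswith("\\??\\"):
        p = p[4:]
    return bool(re.match(r"[a-z]:\\", p)) and not p.startswith("c:\\windows\\")


def hunt(events):
    """Return (index, tag, detail) for every event matching one of the TTPs."""
    findings = []
    for i, ev in enumerate(events):
        kind = ev.get("EventType")
        if kind == "ProcessCreate":
            exe = ntpath.basename(_lower(ev["Image"]))
            # Defender binary copied out of its install directory = staging for sideload.
            if exe in DEFENDER_HOSTS and not _in_dirs(ev["Image"], DEFENDER_DIRS):
                findings.append((i, "sideload-host-relocated", ev["Image"]))
        elif kind == "ImageLoad":
            host = ntpath.basename(_lower(ev["Image"]))
            if host in DEFENDER_HOSTS and not _in_dirs(ev["ImageLoaded"], DEFENDER_DIRS + SYSTEM_DIRS):
                findings.append((i, "dll-sideload", ev["ImageLoaded"]))
        elif kind == "DriverLoad":
            if ntpath.basename(_lower(ev["ImageLoaded"])) in VULN_DRIVERS:
                findings.append((i, "byovd", ev["ImageLoaded"]))
        elif kind == "RegistryValueSet":
            key, details = _lower(ev["TargetObject"]), ev.get("Details", "")
            m = IFEO_RE.search(key)
            if m:
                target, value = m.groups()
                tag = "stack-rumbling" if value == "minimumstackcommitinbytes" else "ifeo-debugger"
                findings.append((i, tag, f"{target}: {value}={details}"))
                continue
            m = SERVICE_RE.search(key)
            if not m:
                continue
            svc, value = m.groups()
            # Type 0x1 is SERVICE_KERNEL_DRIVER; the SCM writes this key whether the
            # caller used CreateService or raw RPC, so registry telemetry still sees it.
            if value == "type" and "0x00000001" in _lower(details):
                findings.append((i, "kernel-driver-service", svc))
            elif value == "imagepath" and _driver_path_outside_windows(details):
                findings.append((i, "driver-service-odd-path", f"{svc} -> {details}"))
    return findings


SAMPLE_EVENTS = [  # constructed for this example
    {"EventType": "ProcessCreate", "Image": r"C:\Users\Public\Music\MpCmdRun.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"EventType": "ImageLoad", "Image": r"C:\Users\Public\Music\MpCmdRun.exe",
     "ImageLoaded": r"C:\Users\Public\Music\mpclient.dll"},
    {"EventType": "ImageLoad",  # benign: Defender loading its own DLL
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2304.8-0\MpCmdRun.exe",
     "ImageLoaded": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2304.8-0\mpclient.dll"},
    {"EventType": "DriverLoad", "ImageLoaded": r"C:\Users\Public\Music\zamguard64.sys"},
    {"EventType": "RegistryValueSet", "Details": "DWORD (0xFFFFFFFF)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe\MinimumStackCommitInBytes"},
    {"EventType": "RegistryValueSet", "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\zamguard\Type"},
    {"EventType": "RegistryValueSet", "Details": r"\??\C:\Users\Public\Music\zamguard64.sys",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\zamguard\ImagePath"},
    {"EventType": "RegistryValueSet", "Details": r"System32\drivers\tcpip.sys",  # benign
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Tcpip\ImagePath"},
]

if __name__ == "__main__":
    for idx, tag, detail in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {tag}: {detail}")
```

Two caveats when turning this into production rules. MinimumStackCommitInBytes is a documented IFEO value that legitimate software almost never sets, so a write to it under a security product's image name is high-signal, but the Debugger value is the older, better-known IFEO hijack and is also set by some debugging and deployment tools, so baseline it first. The service-key checks deliberately look at the registry rather than at API calls because the RPC-based install described above bypasses user-mode hooks on the service APIs while still producing the same HKLM\SYSTEM\CurrentControlSet\Services entries.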

Trend Micro warned the group appears to be expanding its repertoire and will likely become more active in the near future.

Who is Earth Longzhi?

Earth Longzhi is a China nexus threat actor group operating under the Winnti umbrella. The group has been active since at least 2020 and is known to target government, infrastructure, defense, aviation, insurance, health, and financial entities in Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan, and Ukraine.

IOCs

PolySwarm has multiple samples associated with this activity (SHA-256):

16887b36f87a08a12fe3b72d0bf6594c3ad5e6914d26bff5e32c9b44acfec040
21ffa168a60f0edcbc5190d46a096f0d9708512848b88a50449b7a8eb19a91ed
39de0389d3186234e544b449e20e48bd9043995ebf54f8c6b33ef3a4791b6537
7910478d53ab5721208647709ef81f503ce123375914cd504b9524577057f0ec
9eceba551baafe79b45d412c5347a3d2a07de00cc23923b7dee1616dee087905
ebf461be88903ffc19363434944ad31e36ef900b644efa31cde84ff99f3d6aed

You can use the following CLI command to search for all related samples in our portal:

$ polyswarm link list -f EarthLongzhi

 


Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports

 

Topics: Threat Bulletin, China, Winnti, TTPs, Stack Rumbling, Earth Longzhi
