Earth Zhulong: Familiar Patterns Target Southeast Asian Firms
In 2022, we discovered Earth Zhulong, a hacking group that has been targeting Asian firms in a manner similar to another well-known threat actor. In this article, we unravel the new tactics, techniques, and procedures they apply in their operations.
Introduction
In 2022, we discovered a hacking group that has been targeting telecom, technology, and media sectors in Southeast Asia since 2020. We track this particular group as Earth Zhulong. We believe that Earth Zhulong is likely related to the Chinese-linked hacking group 1937CN based on similar code in the custom shellcode loader and victimology.
In this post, we introduce Earth Zhulong’s new tactics, techniques, and procedures (TTPs) in the recent campaign and the evolution of their custom shellcode loader, “ShellFang”. The TTPs show that they are sophisticated and meticulous malicious actors: they adopt multiple approaches to obfuscate their tools and eliminate their footprint after finishing an operation. As a result, we had to exert greater effort to hunt down and analyze their tools to fully understand the attack scenario. In addition, we have verified that three different variants of ShellFang were used from 2020 to 2022. The latest variant shows that the threat actors have adopted more obfuscation techniques, including abusing exception mechanisms to obfuscate the program’s execution flow and Windows API hashing.
In early 2022, we further discovered that Earth Zhulong abused group policy objects (GPO) to install loaders and launch Cobalt Strike on their target hosts. Several hack tools were also found on the infected hosts, including tunneling, port scanning, a Go-lang based backdoor and an information stealer used to harvest internal information.
Compared to the old variants, the code structure of the latest variant is dramatically different, and there are few features shared between the old variants and the latest one. However, we found the relationship during our long-term investigation and finally correlated the old variants with the latest one. We believe the relationship established in this research can bring this notorious hacking group back into public view, and that the findings here will be helpful to future research on hacking groups active in Southeast Asia.
Initial Access – Lure document
Back in 2020, through the command-and-control (C&C) domain observed in our investigation, we found a lure document with a malicious macro. Once the victim opens the document, the embedded macro is executed and injects shellcode into rundll32.exe. We have identified the embedded shellcode as Cobalt Strike shellcode that builds a connection to a remote attacker-controlled machine. We believe this lure document is one of the approaches the threat actors use to compromise their targets.
Propagation through GPO
In early 2022, we further observed new TTPs used to spread malware in the victim’s environment. After gaining access to the internal network, they perform domain exploration using SharpHound. Once they successfully compromise the domain controller, they submit immediate tasks to the hosts in the domain through GPO, as seen in Figure 5. When the hosts receive the task through GPO, they run a PowerShell script named “co.ps1” and create scheduled tasks for persistence.
As shown in Figure 6, the threat actors use multi-layered AES encryption and base64 encoding to obfuscate “co.ps1”. Heavy obfuscation is a simple but effective anti-analysis approach that makes it difficult for security products to detect their scripts. After removing the obfuscation, we found the script is used to deploy malware components (win.exe, gm.dll, and lengs.medil.xml) on the infected machine.
Earth Zhulong adopted DLL sideloading to run their malware. “win.exe” is a renamed GoogleToolbarNotifier application. The malicious DLL “gtn.dll”, which we named “ShellFang”, is loaded when the legitimate executable is launched. The loader’s export function “Go” is then called to start the loading procedure: it reads and decrypts the encrypted payload “lengs.medil.xml”, which is a Cobalt Strike beacon.
Evolution of ShellFang loader
During the investigation, we found that Earth Zhulong started targeting Southeast Asian firms in 2020. Although they always used DLL sideloading to launch their malware, they never stopped changing the code structure of their shellcode loader. Here we summarize the information we collected from 2020 to 2022 and verify three different variants used by Earth Zhulong.
Loader prior to 2020 (Variant 1)
The earliest variant of ShellFang was observed in a victim’s environment in 2020. However, based on the timestamp of the export function, this variant was compiled in 2017. The code structure of this variant is simple: it reads the encrypted payload (“nkford.nlp” in this case), decrypts it, and runs it in memory. The shellcode loader used XOR with a 26-byte keyset and entered a long sleep after the shellcode finished executing.
Loader in 2021 (Variant 2)
Compared to the variant seen in 2020, there was no big change in 2021. The decryption function was changed from XOR to RC4, but the code structure was basically the same as in the previous variant.
Loader in the latest campaign (2022, variant 3)
Compared to the previous variants, variant 3 shows changes in the code structure. More anti-analysis techniques were added to strengthen the loader, including API hashing and execution flow obfuscation through the exception mechanism. The threat actors intentionally raise exceptions to hinder malware analysts and obfuscate the program’s execution flow. Windows APIs are obfuscated via a hashing function and resolved dynamically at run time. The payload is decrypted with the RC4 algorithm, and the final payload is an HTTPS Cobalt Strike beacon.
Hacking Tools
Besides the shellcode loader and Cobalt Strike, we also observed additional tools, including a port scanner, a proxy, and an information stealer, deployed to the compromised hosts. It is worth noting that they use various programming languages, including C, Go, and Python. In this section, we describe some noteworthy hacking tools used in their operation.
MACAMAX
Although the threat actors had already installed Cobalt Strike as a backdoor, we also found that they deployed another Go-based backdoor, which we named MACAMAX. It supports a SOCKS5 proxy, file upload/download, and a remote shell. The network configuration is defined in a separate configuration file that is loaded when the backdoor runs. Furthermore, the configuration file is deleted once it has been loaded into memory, to avoid leaking their network infrastructure.
Usage of MACAMAX:
cmd> {MACAMAX}.exe {network config file}
Information defined in the configuration file:
-rh={remote host} -rp={remote port} -ps={proxy server} -sl=5 -to=0 -cg=1
Themida-packed EarthWorm
During our investigation, we found they also use the notorious network-penetration tool “EarthWorm”. EarthWorm is a simple network tunneling tool with a SOCKS v5 server and port forwarding, developed by a Chinese engineer. Although the original developer has stopped maintaining it and removed the download link, it is still increasingly used in recent cyberattacks. With this tool, attackers are able to bypass firewalls and reach machines in a restricted network. Since EarthWorm has become more common, security vendors also provide solutions to detect this powerful tool. To avoid detection by security products, the threat actors use the Themida packer to obfuscate the signatures used for detection.
Information Stealer
We found a Python-based information stealer used to collect internal information from victims. It is built with Python 3.10 and packed with PyInstaller, a well-known tool that converts Python scripts into standalone executables. After examining the sample’s Python bytecode, we found this tool is used to dump information from the victim’s Oracle database. The dumped data is stored in a CSV file and compressed by WinRAR with a password (“5tgb6yhn”); all compressed data is then uploaded to Dropbox.
Footprint Hiding and Elimination
The threat actors run their PowerShell scripts with an older version of PowerShell that does not support Script Block Logging, intending to evade detection while the malicious scripts run (the so-called “Downgrade Attack”). After finishing an operation, they clean up their intrusion footprint and delete important files, including payloads and network configuration files, to avoid leaking any information to analysts. It is worth noting that they also corrupt their shellcode loader by wiping out the header of the file, as seen in Figure 15. This is a common approach in ransomware attacks to make it harder for analysts to examine the tools, but it is relatively rare in APT attacks. This shows that they are sophisticated and meticulous actors.
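As an added detection example (not code from the original report), the following Python script flags the PowerShell downgrade described above: it looks for “Windows PowerShell” engine-start events (Event ID 400) whose EngineVersion is 2.x while HostVersion is newer, and records whether the command line asked for the 2.0 engine explicitly. The log lines are constructed, and the flattened key=value layout is an assumption about how the events are exported.

```python
import re

# Constructed sample of "Windows PowerShell" log entries (Event ID 400, "Engine state
# is changed from None to Available"), flattened to one line each. Field names mirror
# the real event details; the values are made up.
SAMPLE_EVENTS = [
    "EventID=400 HostName=ConsoleHost HostVersion=5.1.19041.1023 "
    "HostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "EngineVersion=5.1.19041.1023",
    "EventID=400 HostName=ConsoleHost HostVersion=5.1.19041.1023 "
    "HostApplication=powershell.exe -version 2 -ep bypass -f C:\\Windows\\Temp\\co.ps1 "
    "EngineVersion=2.0",
    "EventID=403 HostName=ConsoleHost HostVersion=5.1.19041.1023 "
    "HostApplication=powershell.exe -version 2 EngineVersion=2.0",
]

# "-v 2", "-version 2", "-Version 2.0" anywhere in the command line.
V2_FLAG = re.compile(r"(?i)(?:^|\s)-v(?:ersion)?\s+2(?:\.0)?(?=\s|$)")

def parse_event(line: str) -> dict:
    """Split 'Key=Value Key=Value ...' into a dict; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))

def requests_v2(host_application: str) -> bool:
    """True when the command line asked for the 2.0 engine explicitly."""
    return V2_FLAG.search(host_application) is not None

def is_downgrade(event: dict) -> bool:
    """Engine-start event whose engine is 2.x although the host ships a newer one."""
    if event.get("EventID") != "400":
        return False
    engine, host = event.get("EngineVersion", ""), event.get("HostVersion", "")
    return engine.startswith("2.") and not host.startswith("2.")

def find_downgrades(lines) -> list:
    """One tuple per suspicious engine start: (host, engine, command line, explicit -version 2)."""
    findings = []
    for event in map(parse_event, lines):
        if is_downgrade(event):
            app = event.get("HostApplication", "")
            findings.append((event["HostVersion"], event["EngineVersion"],
                             app, requests_v2(app)))
    return findings

for host, engine, app, explicit in find_downgrades(SAMPLE_EVENTS):
    print(f"PowerShell downgrade: engine {engine} on host {host} "
          f"(explicit -version 2: {explicit}): {app}")
```

Because the 2.0 engine produces no script block logs, this engine-start event is often the only trace of what ran; the durable mitigation is to remove the optional PowerShell 2.0 feature from hosts that no longer need it.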
Attribution
Summarizing the information collected from 2020 to 2022, we find that Earth Zhulong is likely related to the notorious hacking group “1937CN”, based on code similarity and victimology. In this section, we describe the attribution process.
Code similarity
Although the earliest variant of ShellFang used in this campaign was observed in 2020, we found the malware was already compiled in 2017, based on the timestamp of an export function, as seen in Figure 19. In addition, we reviewed reports published around that time and found that the decryption algorithm in ShellFang was once used in a 1937CN campaign revealed by Fortinet in 2017. As shown in Figure 20, the XOR keyset and algorithm are highly similar. Based on the overlapping time frame and the algorithm, we believe Earth Zhulong is likely related to 1937CN.
Victimology
Based on our long-term investigation, Southeast Asia is Earth Zhulong’s major target, with a focus on the telecom and media sectors. 1937CN is a well-known hacking group in Southeast Asia, and the region has always been its major target as well. In 2016, 1937CN was suspected of attacking Noi Bai and Tan Son Nhat airports in Vietnam, hijacking the flight information screens to broadcast anti-Vietnamese and anti-Philippines propaganda. In 2017, Fortinet also revealed a 1937CN campaign targeting Vietnamese organizations using a weaponized RTF document. In terms of victimology, Earth Zhulong is consistent with the 1937CN group.
Conclusion
Through long-term monitoring, we found this campaign continued targeting Southeast Asia from 2020 to 2022. Over the past two years, they have always used DLL sideloading as their major technique to launch their malware. However, they kept updating their tools and added more anti-analysis techniques to their latest tools, including multi-layer obfuscation, API obfuscation, and execution flow obfuscation by intentionally raising exceptions.
We also found that they compromise the domain controller in the victim’s environment and deploy Cobalt Strike on its hosts by creating immediate tasks through GPO. In addition, Go and Python are also used to build their tools; both languages are well suited to cross-platform development. Furthermore, Go and Python executables usually bundle all necessary libraries into a single binary, which makes malware classification more difficult for analysts and results in a large binary. Some security products have limitations when handling large files, so this may be a deliberate choice, since large binaries reduce the risk of being detected.
In the process of tracking and analyzing the data, we identified the hacking group behind the campaign targeting organizations in Southeast Asia and named it Earth Zhulong. Based on the victimology and the use of a highly similar decryption algorithm, we believe that Earth Zhulong is related to the hacking group known as “1937CN”. We hope our findings will remind the public that the actions and motivations of 1937CN continue to resurface through groups like Earth Zhulong, and that these groups remain a major threat to cybersecurity in Southeast Asia.
While the threat remains focused on Southeast Asia, tactics like these can be applied anywhere in the world. It is better to stay ahead of the curve to ensure your safety against these malicious actors. Ensuring your systems are protected in all aspects is integral to the productivity of your enterprise. Trend Micro Vision One can help you prevent threats like this with multiple security layers across all platforms, and its intuitive threat detection, investigation, and response system makes it a key factor in stopping Earth Zhulong’s evolving methods of infiltrating systems.
Indicators of compromise (IOCs)
Download the full list of IOCs here.
MITRE
| Tactics | Techniques |
| --- | --- |
| Discovery | T1087 - Account Discovery |
| Discovery | T1482 - Domain Trust Discovery |
| Execution | T1204.002 - User Execution: Malicious File |
| Defense Evasion | T1574.002 - Hijack Execution Flow: DLL Side-Loading |
| Defense Evasion | T1055 - Process Injection |
| Defense Evasion | T1070.006 - Timestomp |
| Defense Evasion | T1140 - Deobfuscate/Decode Files or Information |
| Defense Evasion | T1070 - Indicator Removal |
| Defense Evasion | T1562.010 - Downgrade Attack |
| Persistence | T1053.005 - Scheduled Task |
| Privilege Escalation | T1484 - Domain Policy Modification |
| Privilege Escalation | T1078 - Valid Account |
| Command and Control | T1071.001 - Application Layer Protocol: Web Protocols |
| Command and Control | T1090.001 - Internal Proxy |
| Command and Control | T1090.002 - External Proxy |