Earth Longzhi Uses "Stack Rumbling" to Disable Security Software

Cybersecurity researchers at Trend Micro have discovered a new campaign by Earth Longzhi targeting organizations based in Taiwan, Thailand, the Philippines and Fiji.

As described in an advisory published on Tuesday, the campaign relies on a Windows Defender executable to perform DLL sideloading while exploiting a vulnerable driver to disable security products installed on the host machine via a bring-your-own-vulnerable-driver (BYOVD) technique.

“We also found that Earth Longzhi uses a new way to disable security products, a technique we’ve dubbed ‘stack rumbling’ via Image File Execution Options (IFEO), which is a new denial-of-service (DoS) technique,” explained Trend Micro researchers Ted Lee and Hara Hiroaki.

The campaign also saw the threat actor installing drivers as kernel-level services via Microsoft Remote Procedure Call (RPC) instead of leveraging traditional Windows APIs (application programming interfaces).

“This is a stealthy way to evade typical API monitoring. We also found some interesting samples in our investigation that contained information not only on Earth Longzhi’s potential targets but also techniques for possible use in future campaigns,” reads the technical write-up.

During their investigation, Trend Micro analyzed two separate Earth Longzhi campaigns that took place between 2020 and 2022. The gang is a subgroup of APT41.

“This follow-up article to our previous report aims to flag readers that Earth Longzhi remains in circulation and is expected to improve its TTPs,” the company wrote. “Although the samples that we’ve collected resemble testing files, they can still be useful because they contain information on Earth Longzhi’s potential targets and new techniques that it might employ in the future.”

Based on the observed files, the team inferred that Earth Longzhi may target Vietnam and Indonesia in future campaigns.

“Notably, the group’s possible abuse of Task Scheduler to escalate privileges for persistence is a new technique that it might use in future campaigns,” Lee and Hiroaki said. “Another noteworthy insight is that the threat actors showed an inclination for using open-source projects to implement their own tools.”

The Trend Micro team added that there is evidence suggesting the group improves its toolset during periods of inactivity.

“With this knowledge in mind, organizations should stay vigilant against the continuous development of new stealthy schemes by cyber criminals.”
