Sophisticated Chinese State Sponsored Hackers Threaten Fiji

Written by staff writer.

A new campaign by the Chinese hacking group Earth Longzhi is targeting countries around the Asia-Pacific, including Fiji, according to IT security company Trend Micro. The group delivers its malware by abusing legitimate, signed Windows Defender executables to side-load a malicious dynamic link library (DLL) that masquerades as one the executable expects to find beside it.

Trend Micro also says Earth Longzhi, widely believed to be a subgroup of the Chinese state-sponsored APT41, has developed a new way to disable security products: a denial-of-service technique it calls “stack rumbling”, which abuses Image File Execution Options (IFEO) registry entries to give a targeted security process an oversized minimum stack commit, so that the process crashes as soon as it is launched.

“We’ve noticed that this campaign installs drivers as kernel-level services by using Microsoft Remote Procedure Call (RPC) instead of using general Windows application programming interfaces (APIs). This is a stealthy way to evade typical API monitoring,” the alert said.

Earth Longzhi’s modus operandi is to compromise public-facing Internet Information Services (IIS) and Microsoft Exchange servers, then install a loader that gathers information and fetches further malware. Presently, it is targeting government, healthcare, technology, and manufacturing entities in the Philippines, Thailand, Taiwan, and Fiji. The group has not targeted Fiji before. Decoy documents discovered in the campaign are written in Vietnamese and Indonesian, suggesting entities in those countries are also potential targets.
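The three behaviours described above (the IFEO stack-rumbling entry, the side-loaded DLL next to a copied Defender executable, and a kernel driver registered as a service) each leave traces on the host that an administrator can look for. The script below is an added example written for this page; it is not Trend Micro's tooling or anything recovered from the campaign. The Defender executable and DLL names, the 256 MB threshold, and the directories searched are assumptions chosen for illustration. Run it from an elevated PowerShell session.

```powershell
# Added example, not Trend Micro's tooling: host checks for the three
# Earth Longzhi behaviours described in the article. Run elevated.
# File names, the size threshold and the search roots are assumptions.

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Find-StackRumbling {
    # "Stack rumbling": an IFEO subkey named after a security product's
    # executable carries a MinimumStackCommitInBytes value so large that
    # the process cannot commit its initial stack and dies at start-up.
    # Any entry that sets this value is worth a look; the 256 MB cut-off
    # used for the Suspicious flag is an assumption, not a documented figure.
    param([uint64]$Threshold = 256MB)

    Get-ChildItem -Path $IfeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        if ($null -ne $props.MinimumStackCommitInBytes) {
            # REG_DWORD surfaces as Int32; mask it to recover values above 2 GB.
            $bytes = [uint64]($props.MinimumStackCommitInBytes -band 0xFFFFFFFF)
            [pscustomobject]@{
                Image      = $_.PSChildName
                StackBytes = $bytes
                Suspicious = ($bytes -ge $Threshold)
                Debugger   = $props.Debugger   # the older IFEO hijack, shown for context
            }
        }
    }
}

function Find-DefenderSideloadCandidates {
    # DLL side-loading: a signed Defender executable copied outside its
    # install directory with a same-named DLL placed beside it. The
    # executable/DLL pairing below is an assumption for illustration.
    param(
        [string[]]$Roots = @($env:ProgramData, $env:PUBLIC, $env:TEMP, 'C:\Users'),
        [string[]]$Exes  = @('MpCmdRun.exe', 'MpDlpCmd.exe'),
        [string]$Dll     = 'mpclient.dll'
    )

    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -Include $Exes -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sibling = Join-Path $_.DirectoryName $Dll
                if (Test-Path -Path $sibling) {
                    $sig = Get-AuthenticodeSignature -FilePath $sibling
                    [pscustomobject]@{
                        Exe       = $_.FullName
                        Dll       = $sibling
                        DllSigner = $sig.SignerCertificate.Subject
                        DllStatus = $sig.Status   # anything other than Valid from Microsoft is a red flag
                    }
                }
            }
    }
}

function Find-OddKernelDrivers {
    # A driver service created through the SCM's RPC interface instead of
    # CreateService is still a service: list kernel drivers whose image
    # lives outside the usual driver directories.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object {
            $_.PathName -and
            $_.PathName -notlike '*\System32\drivers\*' -and
            $_.PathName -notlike '*\DriverStore\*'
        } |
        Select-Object Name, State, StartMode, PathName
}

Find-StackRumbling              | Format-Table -AutoSize
Find-DefenderSideloadCandidates | Format-Table -AutoSize
Find-OddKernelDrivers           | Format-Table -AutoSize
```

Two points about the driver check: registering the service over RPC sidesteps user-mode hooks on the CreateService API, but the Service Control Manager still writes event ID 7045 (“A service was installed in the system”) to the System log when a service is created, so log-based detection of the new driver service remains available even when API monitoring sees nothing. And a driver loaded this way still needs to satisfy kernel code-signing, so an unfamiliar signed driver outside the usual directories deserves the same scrutiny as an unsigned one.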

Late last year Trend Micro, one of the most active researchers of the Earth Longzhi threat, analysed two campaigns by the group conducted between 2020 and 2022 that targeted multiple sectors across Asia.

Researchers realised the targets had previously been attacked by another APT41 subgroup called Earth Baku. After checking the metadata from the most recent attacks, they found that most of the payloads shared the same watermark as that used by Earth Baku and another APT41-affiliated entity, GroupCC.

APT41 is described as a “prolific threat actor” that conducts Chinese state-sponsored espionage and financially motivated cyber-attacks. While it does not target entities within mainland China, it has targeted Tibet-based organisations. Following a 2019 US grand jury indictment against two Chinese nationals alleged to be involved with the group, the FBI said APT41 “conducted supply chain attacks to gain unauthorised access to networks throughout the world, targeting hundreds of companies representing a broad array of industries.” At the time, the FBI listed 13 countries where the group had illicitly operated, including Australia.

South Pacific nations, including Fiji, are considered highly vulnerable to cyber-attacks, with a low level of cybersecurity maturity ill-matched against a growing threat from attackers. The danger is seen as both disruptive, in the form of interference with infrastructure, and economic, with financial systems and banks considered at risk.

The Suva-based chairman of the Software Factory recently scored Fiji’s cyber defence architecture four out of ten, telling a government cybersecurity committee that local organisations and government departments needed to upgrade their cyber defences.

Earlier this year, Fiji’s communications minister, Manoa Kamikamica, told an Australian Information Industry Association conference that Fiji was investing in its cyber defences and building cyber awareness. “We are reviewing our national cybersecurity strategy to strengthen our national framework and further encourage investment in IT,” he said.
