Trend Micro security researchers have uncovered improved tactics, techniques, and procedures (TTPs) in a new campaign attributed to the APT group known as Earth Longzhi.

According to the official report, the threat group’s effort is directed at organizations with locations in Taiwan, Thailand, the Philippines, and Fiji. Based on CERT-PH’s monitoring, this is the first time the threat group has been observed targeting businesses in Fiji.


A. Nature of Attack

The new campaign exploits vulnerable public-facing web applications and servers, such as Internet Information Services (IIS) servers and Microsoft Exchange servers, to install Behinder, a well-known web shell.

Once the targeted system has been compromised, the adversaries use the web shell to gather network information and to install additional malware and hacking tools on it.

Based on the researchers’ investigation, the malware is loaded via a DLL sideloading technique, in which a malicious MpClient.dll is disguised as the legitimate DLL of that name and loaded by legitimate Windows Defender binaries, MpDlpCmd.exe and MpCmdRun.exe.

Two different types of malware have been seen loaded using the technique. 

1. Croxloader

Earth Longzhi’s new campaign launches the Windows Defender binaries as a system service, which then loads the new Croxloader variant disguised as MpClient.dll. Once launched, Croxloader reads the payload file named MpClient.bin and decrypts its content. The new variant is almost identical to the older ones, except that it uses a different decryption algorithm: the original variant applies (SUB 0xA) XOR 0xCC to each byte, while the new variant applies (ADD 0x70) XOR 0xDD. The final payload is identified as a Cobalt Strike beacon.
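The byte-wise transforms above are simple enough that an analyst can recover a recovered MpClient.bin for inspection without running the loader. The following decoder is an added example written for this advisory; it is not Trend Micro’s or CERT-PH’s code. It assumes the operations are applied in the order written (the arithmetic step first, then the XOR), and it uses a caller-supplied marker (defaulting to the "MZ" header of a PE image) as a heuristic for telling which variant produced a given file. Both the sample plaintext and its "encrypted" form are constructed here, not taken from a real sample.

```python
"""Decoder for the two Croxloader payload transforms described in the advisory.

Assumptions (not stated on the page): the arithmetic step runs before the XOR,
and a successful decryption is recognised by a caller-chosen leading marker.
"""
from __future__ import annotations

# Decryption parameters per variant as (delta added to each byte, XOR key).
# The original variant's SUB 0x0A is expressed as adding -0x0A.
VARIANTS = {
    "original": (-0x0A, 0xCC),  # (SUB 0x0A) XOR 0xCC
    "new": (0x70, 0xDD),        # (ADD 0x70) XOR 0xDD
}


def decrypt(data: bytes, variant: str) -> bytes:
    """Apply the named variant's transform to every byte of ``data``."""
    delta, key = VARIANTS[variant]
    return bytes(((b + delta) & 0xFF) ^ key for b in data)


def encrypt(data: bytes, variant: str) -> bytes:
    """Inverse of ``decrypt``; used here only to build constructed test input."""
    delta, key = VARIANTS[variant]
    return bytes(((b ^ key) - delta) & 0xFF for b in data)


def identify_variant(data: bytes, marker: bytes = b"MZ") -> str | None:
    """Return the first variant whose output starts with ``marker``, else None.

    The "MZ" default is a heuristic for a PE-format payload (an assumption);
    pass a different marker if the expected payload starts differently.
    """
    for name in VARIANTS:
        if decrypt(data, name).startswith(marker):
            return name
    return None


# Constructed sample: a fake PE-like header followed by filler text, encoded
# with the new variant's transform so that the decoder can be exercised offline.
SAMPLE_PLAINTEXT = b"MZ\x90\x00constructed sample payload, not real malware"
SAMPLE_CIPHERTEXT_NEW = encrypt(SAMPLE_PLAINTEXT, "new")


def triage(blob: bytes) -> tuple[str | None, bytes | None]:
    """Identify the variant of ``blob`` and return (variant, decoded bytes)."""
    variant = identify_variant(blob)
    return variant, (decrypt(blob, variant) if variant else None)


if __name__ == "__main__":
    variant, decoded = triage(SAMPLE_CIPHERTEXT_NEW)
    print(f"variant={variant} first_bytes={decoded[:4]!r}")
```

To use it on a collected file, read MpClient.bin in binary mode and pass the bytes to `triage`; a result of `None` means neither transform produced the expected marker, which usually indicates a further-modified variant or a payload that is not a PE image.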

2. SPHijacker

SPHijacker, a new tool designed to disable security products, adopts two approaches to achieve this purpose. The first terminates the security product’s process by using a vulnerable driver, zamguard64.sys, published by Zemana (the vulnerability is designated CVE-2018-5713). The second prevents the security product from launching at all by using a new technique that Trend Micro named "stack rumbling", a type of denial-of-service attack that abuses the undocumented MinimumStackCommitInBytes value under the Image File Execution Options (IFEO) registry key.
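Because the stack rumbling approach leaves a persistent artifact in the registry, a defender can look for MinimumStackCommitInBytes under any IFEO subkey. The script below is an added example for this advisory, not code from Trend Micro or CERT-PH. It parses an exported .reg file offline (for example one collected with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`) and reports every image that has the value set. The sample export and the image name example-av.exe are constructed for the demonstration; the threshold for what counts as suspicious is left to the analyst, since the page gives none.

```python
"""Flag MinimumStackCommitInBytes entries in an exported IFEO registry key.

Input is the text of a .reg export. Files written by reg.exe are UTF-16LE, so
read them from disk with ``open(path, encoding="utf-16")`` before calling.
The sample export below is constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

IFEO_PREFIX = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    r"\Image File Execution Options" + "\\"
)
TARGET_VALUE = "MinimumStackCommitInBytes"


@dataclass
class Finding:
    image: str   # executable name taken from the IFEO subkey
    value: int   # decoded DWORD, or -1 if the value was not a DWORD


def parse_reg_export(text: str) -> Iterator[Tuple[str, Dict[str, str]]]:
    """Yield (key_path, {value_name: raw_value}) for each key in a .reg export."""
    current = None
    values: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            if current is not None:
                yield current, values
            current, values = line[1:-1], {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            values[name.strip('"')] = raw
    if current is not None:
        yield current, values


def find_stack_commit_overrides(text: str) -> List[Finding]:
    """Return a Finding for every IFEO subkey that sets MinimumStackCommitInBytes."""
    findings: List[Finding] = []
    for key, values in parse_reg_export(text):
        if not key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        raw = values.get(TARGET_VALUE)
        if raw is None:
            continue
        match = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw)
        value = int(match.group(1), 16) if match else -1
        findings.append(Finding(image=key[len(IFEO_PREFIX):], value=value))
    return findings


# Constructed sample export: one subkey carrying the value, one benign subkey.
SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[{IFEO_PREFIX}example-av.exe]
"{TARGET_VALUE}"=dword:ffffffff

[{IFEO_PREFIX}other-tool.exe]
"UseFilter"=dword:00000001
"""


if __name__ == "__main__":
    for f in find_stack_commit_overrides(SAMPLE_REG):
        print(f"IFEO override: {f.image} {TARGET_VALUE}=0x{f.value:08x}")
```

Any hit deserves review, as legitimate software has little reason to set this value for an endpoint security product’s executable; correlate the image name with the security tooling deployed on the host and with the driver-loading findings from the first approach.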


B. Indicators of Compromise


Type          | Indicator
Download site | 194[.]31[.]53[.]128
Download site | 198[.]13[.]47[.]158


C. Actions to be Taken

CERT-PH recommends the following actions be taken:

  • Proactively monitor and secure identified systems and devices for any suspicious or malicious activity. Security personnel may check the listed Indicators of Compromise (IoCs) to detect any malicious activity related to the campaign.
  • Regularly check for and apply the latest software patches, especially on public-facing applications.
  • For additional information, kindly refer to the official report.