Earth Zhulong: Familiar Patterns Target Southeast Asian Firms

Introduction

In 2022, we discovered a hacking group that has been targeting telecom, technology, and media sectors in Southeast Asia since 2020. We track this particular group as Earth Zhulong. We believe that Earth Zhulong is likely related to the Chinese-linked hacking group 1937CN based on similar code in the custom shellcode loader and victimology.

In this post, we’ll introduce Earth Zhulong’s new tactics, techniques, and procedures (TTPs) in the recent campaign and the evolution of their custom shellcode loader, “ShellFang”. Through the TTPs, we see that they are sophisticated and meticulous as malicious actors. They adopt multiple approaches to obfuscate their tools and eliminate their footprint after finishing the operation. As a result, we have exerted greater effort to hunt down and analyze their tools to fully understand the attack scenario. In addition, we have verified three different variants of ShellFang were used from 2020 to 2022. The latest variant demonstrates that threat actors have adopted more obfuscation techniques, including abusing exception mechanisms to obfuscate the execution flow of programs and Windows API hashing.

In early 2022, we further discovered that Earth Zhulong abused group policy objects (GPO) to install loaders and launch Cobalt Strike on their target hosts. Several hack tools were also found on the infected hosts, including tunneling, port scanning, a Go-lang based backdoor and an information stealer used to harvest internal information.

Compared to old variants, code structure in the latest variant is dramatically different and there are few shared features between old and the latest variant. However, we found the relationship during the long-term investigation and finally correlated old variants with the latest one. We believe the relationship found in this research could bring this notorious hacking group back to public sight and the findings here will be helpful to future research on hacker groups which are active in Southeast Asia.

Initial Access – Lure document

Back in 2020, through the command and control (C&C) domain observed in our investigation, we found a lure document with a malicious macro. Once the victim opens the document, the embedded macro will be executed, injecting the shellcode into rundll32.exe. We have identified the embedded shellcode as a Cobalt Strike shellcode which will be used to build connection to a remote hacking machine. We believe this lure document is one of the approaches used by the threat actors to compromise their targets.

Read More HERE