A suspected Chinese state-sponsored actor breached a digital certificate authority as well as government and defense agencies located in different countries in Asia as part of an ongoing campaign since at least March 2022.
Symantec, by Broadcom Software, linked the attacks to an adversarial group it tracks under the name Billbug, citing the use of tools previously attributed to this actor. The

A suspected Chinese state-sponsored actor breached a digital certificate authority as well as government and defense agencies located in different countries in Asia as part of an ongoing campaign since at least March 2022.

Symantec, by Broadcom Software, linked the attacks to an adversarial group it tracks under the name **Billbug**, citing the use of tools previously attributed to this actor. The activity appears to be driven by espionage and data-theft, although no data is said to have been stolen to date.

Billbug, also called Bronze Elgin, Lotus Blossom, Lotus Panda, Spring Dragon, and Thrip, is an advanced persistent threat (APT) group that is believed to operate on behalf of Chinese interests. Primary targets include government and military organizations in South East Asia.

Attacks mounted by the adversary in 2019 involved the use of backdoors like Hannotog and Sagerunex, with the intrusions observed in Hong Kong, Macau, Indonesia, Malaysia, the Philippines, and Vietnam.

Both the implants are designed to grant persistent remote access to the victim network, even as the threat actor is known to deploy an information-stealer known as Catchamas in select cases to exfiltrate sensitive information.

"The targeting of a certificate authority is notable, as if the attackers were able to successfully compromise it to access certificates they could potentially use them to sign malware with a valid certificate, and help it avoid detection on victim machines," Symantec researchers said in a report shared with The Hacker News.

"It could also potentially use compromised certificates to intercept HTTPS traffic."

The cybersecurity company, however, noted that there is no evidence to indicate that Billbug was successful in compromising the digital certificates. The concerned authority, it said, was notified of the activity.

An analysis of the latest wave of attacks indicates that initial access is likely obtained through the exploitation of internet-facing applications, following which a combination of bespoke and living-off-the-land tools are employed to meet its operational goals.

This comprises utilities such as WinRAR, Ping, Traceroute, NBTscan, Certutil, in addition to a backdoor capable of downloading arbitrary files, gathering system information, and uploading encrypted data.

Also detected in the attacks were an open source multi-hop proxy tool called Stowaway and the Sagerunex malware, which is dropped on the machine via Hannotog. The backdoor, for its part, is equipped to run arbitrary commands, drop additional payloads, and siphon files of interest.

"The ability of this actor to compromise multiple victims at once indicates that this threat group remains a skilled and well-resourced operator that is capable of carrying out sustained and wide-ranging campaigns," the researchers concluded.

"Billbug also appears to be undeterred by the possibility of having this activity attributed to it, with it reusing tools that have been linked to the group in the past."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Say China State-backed Hackers Breached a Digital Certificate Authority

The team uses a secret technique to locate AlphaBay’s server. But just as the operation heats up, the agents have an unexpected run-in with their target.

The Hunt for the Dark Web’s Biggest Kingpin, Part 4: Face to Face

Tenda AC1200 Router Model W15Ev2 V15.11.0.10(1576) was discovered to contain a stack overflow via the setWanPpoe function. This vulnerability allows attackers to cause a Denial of Service (DoS) via crafted overflow data.

CVE-2022-42060: Vulnerabilities in Tenda's W15Ev2 AC1200 Router

In Tenda AC1200 Router model W15Ev2 V15.11.0.10(1576), there exists a command injection vulnerability in the function formSetFixTools. This vulnerability allows attackers to run arbitrary commands on the server via the hostname parameter.

CVE-2022-40847: Vulnerabilities in Tenda's W15Ev2 AC1200 Router

Automating security for OT infrastructure can help organizations combat a rising volume of cyber threats in an era when security professionals are in short supply.

Security teams are tasked with the challenge of processing large amounts of operational technology (OT) and IT security telemetry. To make this easier, Swimlane announced a low-code security automation platform to create a centralized system of record and control point.

The platform integrates with other OT security providers, including Nozomi Networks, Dataminr and 1898 & Co, Swimlane says. This allows OT security teams to unify threat detection and response by providing access to intelligence and telemetry from both the OT and IT environments.

"This cyber-physical threat response saves organizations crucial minutes when connecting with staff members who might be affected by a natural disaster, accident, or social unrest, or other types of physical risk," explains Cody Cornell, co-founder and chief strategy officer of Swimlane. 

For example, integrating automation with Nozomi Networks will allow industrial and critical infrastructure security operations teams to maintain continuous asset compliance and mitigate the risks of attacks from combined OT and IT entry points. The Dataminr integration provides automated processes to mitigate physical risks and warn at-risk employees as soon as possible to ensure their safety. And the integration with 1898 & Co allows industrial and critical infrastructure entities to add managed threat detection services that are specifically designed to address OT-specific challenges, Cornell says. That includes detecting both OT and IT-born threats, machine-speed threat validation and scoring, and rapid remediation of threats using OT response methods.

**Turning to Automation as Threats Pile Up**

"Cyber threats have increased in frequency and severity, which will only worsen with time," Cornell notes. "SecOps teams in industrial organizations are regular targets for cyberattacks due to the importance of their systems and infrastructure."

With the limited resources at their disposal, security teams working in organizations that rely on OT struggle to keep up with new threats. The industrial cybersecurity sector has also been attempting to address the OT security skills gap over the past few years.

"The need for security professionals to understand and safeguard cybersecurity and deal with the issues posed by antiquated and unsupported legacy processes and control systems makes the talent shortage in the OT security sector particularly more severe," Cornell adds.

The combination of factors - a cybersecurity skills shortage in OT and an overwhelming amount of OT and IT data and telemetry to analyze - creates a situation that could benefit from automation. In the OT sector, automation could play a critical role in defending against rising cyber threats in a more effective and efficient manner.

Automation has become a must-have technology for security operations: The US Executive Order on Improving the Nation's Cybersecurity from May 2021 highlighted multiple areas where automation should be adopted to manage the ever-increasing volume of threats and talent shortage.

**Going Low-Code to Transcend SOAR**

Legacy security orchestration, automation, and response (SOAR) products have earned a reputation of being rigid and unapproachable for the average security professional, Cornell notes. With security automation at the center, organizations could maximize the productivity of their existing security investments and staff while gaining greater visibility into critical assets, accelerating their response to incidents targeting their critical infrastructure, and improving overall team efficiency.

"Traditionally, OT systems were completely segregated from internet-facing technology," Cornell says.

However, as critical infrastructure operators increasingly seek to carry out digital transformation initiatives, these systems are being modernized and connected to IT systems. The result is an expanded attack surface as previously isolated OT systems, once relatively immune to cyberattacks, are now internet-accessible and high-value targets for threat actors.

"Mission success depends on secure operations, but IT, OT, and IoT assets all have different characteristics, communications, behaviors -- and unique security challenges," Cornell says. "We created this ecosystem to help critical infrastructure operators take defense up a notch and reduce cyber risk with a proactive approach designed to secure their complex ecosystem of IT, OT, and IoT assets."

**Vendors Stepping up Automation Offerings**

Swimlane isn't the only company using automation to ease security pain points while managing security telemetry. Security operations platform ThreatQuotient recently released ThreatQ TDR Orchestrator, which is designed to address industry needs for simpler implementation and more efficient operations.

In June, Snowflake released a tool to help underpin cybersecurity capabilities including SIEM, compliance automation, and vulnerability management. The workload offers customers access to cybersecurity capabilities including SOAR, compliance automation, and vulnerability management through connected applications that run on top of their existing Snowflake environments.

Earlier in the year, Sophos acquired SOC.OS, a spinoff company of BAE Systems Digital Intelligence with a software-as-a-service (SaaS) solution for automating the monitoring and triaging the growing volume of data and alerts across organizations.

Swimlane Introduces Low-Code, Automation Approach to OT Security

BatLoader has spread rapidly to roost in systems globally, tailoring payloads to its victims.

A dangerous new malware loader with features for determining whether it's on a business system or a personal computer has begun rapidly infecting systems worldwide over the past few months.

Researchers at VMware Carbon Black are tracking the threat, dubbed BatLoader, and say its operators are using the dropper to distribute a variety of malware tools including a banking Trojan, an information stealer, and the Cobalt Strike post-exploit toolkit on victim systems. The threat actor's tactic has been to host the malware on compromised websites and lure users to those sites using search engine optimization (SEO) poisoning methods.

**Living Off the Land**

BatLoader relies heavily on batch and PowerShell scripts to gain an initial foothold on a victim machine and to download other malware onto it. This has made the campaign hard to detect and block, especially in the early stages, analysts from VMware Carbon Black's managed detection and response (MDR) team said in a report released on Nov. 14.

VMware said its Carbon Black MDR team had observed 43 successful infections in the last 90 days, in addition to numerous other unsuccessful attempts where a victim downloaded the initial infection file but did not execute it. Nine of the victims were organizations in the business services sector, seven were financial services companies, and five were in manufacturing. Other victims included organizations in the education, retail, IT, and healthcare sectors.

On Nov. 9, eSentire said its threat-hunting team had observed BatLoader's operator luring victims to websites masquerading as download pages for popular business software such as LogMeIn, Zoom, TeamViewer, and AnyDesk. The threat actor distributed links to these websites via ads that showed up prominently in search engine results when users searched for any of these software products.

The security vendor said that in one late October incident, an eSentire customer arrived at a fake LogMeIn download page and downloaded a Windows installer that, among other things, profiles the system and uses the information to retrieve a second-stage payload.

"What makes BatLoader interesting is that it has logic built into it that determines if the victim computer is a personal computer or a corporate computer," says Keegan Keplinger, research and reporting lead with eSentire’s TRU research team. "It then drops the type of malware appropriate for the situation."

**Selective Payload Delivery**

For example, if BatLoader hits a personal computer, it downloads Ursnif banking malware and the Vidar information stealer. If it hits a domain-joined or corporate computer, it downloads Cobalt Strike and the Syncro remote monitoring and management tool, in addition to the banking Trojan and information stealer.

"If BatLoader lands on a personal computer, it will proceed with fraud, infostealing, and banking-based payloads like Ursnif," Keegan says. "If BatLoader detects that it's in an organizational environment, it will proceed with intrusion tools like Cobalt Strike and Syncro."

Keegan says eSentire has observed "a lot" of recent cyberattacks involving BatLoader. Most of the attacks are opportunistic and hit anyone looking for trusted and popular free software tools. 

"To get in front of organizations, BatLoader leverages poisoned ads so that when employees look for trusted free software, like LogMeIn and Zoom, they instead land on sites controlled by attackers, delivering BatLoader."

**Overlaps With Conti, ZLoader**

VMware Carbon Black said that while there are several aspects of the BatLoader campaign that are unique, there are also several attributes of the attack chain that have a resemblance with the Conti ransomware operation. 

The overlaps include an IP address that the Conti group used in a campaign leveraging the Log4j vulnerability, and the use of a remote management tool called Atera that Conti has used in previous operations. 

In addition to the similarities with Conti, BatLoader also has several overlaps with Zloader, a banking Trojan that appears derived from the Zeus banking Trojan of the early 2000s, the security vendor said. The biggest similarities there include the use of SEO poisoning to lure victims to malware-laden websites, the use of Windows Installer for establishing an initial foothold and the use of PowerShell, batch scripts, and other native OS binaries during the attack chain.

Mandiant was the first to report on BatLoader. In a blog post in February, the security vendor reported observing a threat actor using "free productivity apps installation" and "free software development tools installation" themes as SEO keywords to lure users to download sites. 

"This initial BatLoader compromise was the beginning of a multi-stage infection chain that provides the attackers with a foothold inside the target organization," Mandiant said. The attackers used every stage to set up the next phase of the attack chain using tools such as PowerShell, Msiexec.exe, and Mshta.exe to evade detection.

Researchers Sound Alarm on Dangerous BatLoader Malware Dropper

Debian Linux Security Advisory 5278-1 - It was discovered that a buffer overflow in the _getCountedString() function of the Xorg X server may result in denial of service or potentially the execution of arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5278-1                   security@debian.org  
https://www.debian.org/security/                       Moritz Muehlenhoff  
November 13, 2022                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : xorg-server  
CVE ID         : CVE-2022-3550 CVE-2022-3551

It was discovered that a buffer overflow in the _getCountedString()  
function of the Xorg X server may result in denial of service or  
potentially the execution of arbitrary code.

For the stable distribution (bullseye), these problems have been fixed in  
version 2:1.20.11-1+deb11u3.

We recommend that you upgrade your xorg-server packages.

For the detailed security status of xorg-server please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/xorg-server

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmNxPhMACgkQEMKTtsN8  
TjYGIw//eDkQaWMUaRzlfNcFJUPkYQJot20IGvCa5UwUgNCcky13/riQ13OedOAZ  
n7ORM7vtn28v3WhQkUqO2XJ8ODT0LGKuAFuwbXOLqJd/f1bqkhAVYp0eNMmZm3wr  
CLfa8zoTM0lh4eOu5r7ecdFSd/sZ3Dy7ODwL8tuOaTrHo+rJ5epYd2xqrFxVi9NA  
EfyeycQb8LY+/OqCbpp8nUq+CpvT22Z7oNTgQpKy4ScQKLe7pqPQDO4VEkSwsBrs  
HGInGuNRMMM3uAHTTQts6tn4jK5eou24hws1fYUXSi57zTJc5jwVG75jhIjEtGOm  
/UfnEhAbUeEB+o21gP0HAxLy1F20h8Qonasvh3LH1ormzwhl8RqVR/Ny62jb79/k  
jlS4IUUQGPK8WYdbkJPrs1GFu/2quW8VWcpYRIE5b/Ylq/XsmLNotSVs29ID10Q2  
U91rimYdlTKG3UDsErFzBh6uPqNP2vWUimpPq6nRQgEfX94H2kb96cyE1EpKnDnk  
jf1+UINP4Pe2r+XPGglw9krUGWsFMIJoPohCwOsXBSNhkfOJ4bO4huOzz3C1XLy3  
9i6BIrhaZRrKASemZSGieoKQyHXfsCBN1JIsoXYqYPxIu6STvyoG4kIv8VlAylXY  
9b9F1jtO2G3zGXuVlPEwJacMh5CPKNcUJP/SgpRrcov0iop/X8U=gxG8  
-----END PGP SIGNATURE-----

Debian Security Advisory 5278-1

By Deeba Ahmed
GAM3 awards are dubbed as the Grammys of the Web3 gaming industry.
This is a post from HackRead.com Read the original post: GAM3 Awards: Leading crypto firms and influencers to honor best in Web3 gaming

The leading crypto firms and influencers have collaborated for the inaugural GAM3 Awards. Dubbed the Grammys of the Web3 gaming industry, this event will be hosted by Polkastarter Gaming. It will be held on December 15 to acknowledge the best Web3 games for 2022.

**The All-Star Jury**

Voting will be conducted by an all-star jury, including industry experts and the wider Web3 community. More than 200 Web3 games and game developers/content creators will compete in this event.

There are 16 award categories, which include the coveted Game of the Year title. The jury deciding the winners comprises Fractal founder Justin Kan, Market Across’ managing partner Itaj Elizur, Urvit Goel, Global Games at Polygon Studios’ head, Solana Foundation’s head of technology Matt Sorg, and ImmutableX’s venture and strategy director, Rachel Levin. 

With their decades-long gaming experience, former Square Enix CTO and creator of games like Sonic: Unleashed and Final Fantasy XIV Online, Yoshihisa Hashimoto, ex-Senior Director of Partnerships at Electronic Arts, Edward Chang, and senior leaders at Riot Games, Xbox Game Studios, Electronic Arts, Amazon Gaming, and Unity Technologies. Some of the senior leaders include the following.

*   Sarutobi Sasuke, Head of Partnerships at YGG
*   Dan Patterson, General Partner at Sfermion
*   Brendan Wong, CEO at Avocado DAO
*   Jesper Lindquist, Senior Manager Web3 Gaming at Animoca Brands
*   Marco van den Heuvel, Co-Founder & CEO at Merit Circle
*   David Hanson, Founder & CEO at Ultra
*   John Izaguirre, BD Director at BNB Chain
*   Abhimanyu Kumar, Co-Founder at Naavik
*   Nathan N., Co-Founder at Ancient8

The jury consists of mainstream Web3 ecosystem partners, thought leaders, and media outlets to ensure a fair voting process.

1.  The Benefits Of Blockchain In The Travel Industry
2.  What is Blockchain Gaming and its Play-to-Earn Model?
3.  The Advantages of a More Secure and Safer Blockchain
4.  How Blockchain Can Revolutionize Personal Data Storage?

**Event Details**

Polkastarter Gaming will broadcast the event on all platforms simultaneously, including its YouTube, Twitch, and Twitter channels. The event will highlight the best Web3 games. Winners of the GAM3 Awards will receive a share of $300,000 worth of rewards and will gain sponsorships from Blockchain Game Alliance, Immutable X, Machinations, Ultra, Naavik, etc. The event is organized to recognize Web3’s best games and highlight the developers’ hard work in creating quality content.

**Award Categories**

Here is the list of categories for which awards will be issued.:

Action Game, Mobile Game, Adventure Game, Casual Game, RPG, Shooter Game, Graphics, Strategy Game, Card Game, Multiplayer Game, Esports Game, Graphics, and Content Creator.

Apart from that, there will be awards for Game’s Choice, Most Anticipated Game, and People’s Choice. The company stated that new categories would be added in the next edition of the awards.

**Judgment Criteria**

It is worth noting that 90% of the decision will be decided by the jury and 10% by the community, except for Games’ Choice, the winner of which will be determined by industry game studios as they will vote for their own version of the Game of the Year. Moreover, Best Content Creator and People’s Choice awards winners will be solely determined by the community, and their votes will carry 100% weight.

Judgment criteria include core loop, accessibility, graphics, replayability factor, playing experience, fun elements, etc. Eligibility criteria entail integration and utilization of blockchain technology.

GAM3 Awards: Leading crypto firms and influencers to honor best in Web3 gaming

Quantum computing's a clear threat to encryption, and post-quantum crypto means adding new cryptography to hardware and software without being disruptive.

There is a potential dark side to quantum computing, one that is a threat to how we secure data. Back in 1994, Peter Shor developed an algorithm for factoring large numbers using a quantum computer, which could be used to break encryption. Today, RSA encryption relies on the difficulty a classical computer has with such factorization. With Shor's algorithm in mind, nation-states and nefarious actors started harvesting data packets, dreaming of a future where they would be able to decrypt those packets using a fault-tolerant quantum computer.

Currently, there are about three dozen quantum computers in the cloud. These quantum computers are error-prone and lack enough quantum bits (qubits) to run Shor's algorithm against RSA encryption. Some experts claim quantum computing will not be a threat for at least 30 years. However, those claims may be based upon outdated information and there is evidence that quantum computing will have the power to crack encryption sooner than we thought.

**Identifying Quantum Threats**

The day is coming when a quantum threat (Y2Q) to encryption becomes a reality. Y2Q proves similar to a combination of the Y2K bug and the 2014 Heartbleed attack, where it will affect almost every system on the planet and severely affect data in motion.

Y2Q affects two types of general cryptography: symmetric and asymmetric. Symmetric encryption is used for data at rest and functions like a locked box with a key. Shor's algorithm cannot attack symmetric encryption ciphers such as AES, however Grover's search algorithm can weaken it. To combat Y2Q in this situation, we can increase the symmetric key size and make it even more difficult to attack via brute force.

Data in motion on a network is protected by asymmetric encryption, which is commonly called public key cryptography, and its most prevalent example is via a cipher known as RSA. RSA is vulnerable to Shor's algorithm, allowing a quantum computer to reverse private keys and read messages. Blockchain also uses a type of public key encryption called ECC, which means the crypto economy is also threatened by quantum computing.

Preparing for Y2Q begins with conducting a post-quantum crypto (PQC) agility assessment. Crypto agility is the ability to introduce new cryptography to an organization's hardware and software without being disruptive to infrastructure. However, identifying those primary threats is not easy. It is a matter of determining what ciphers are used throughout an organization, including in third-party hardware and software. Further complicating the process is that some elements may not have a path forward for post-quantum cryptography.

**Exploring the PQC Threat and Timeline**

It may be too late to protect certain types of data. Mosca's theorem states that you must add the number of years it takes your organization to migrate to new cryptographic standards and primitives to the shelf life of your secret. For example, three years to migrate plus a regulatory requirement of 10 years of maintenance would equal 13 years.

Using the implementation example of Shor's algorithm called Toffoli-based modular multiplication, we can estimate that quantum computers will have enough power (high-fidelity qubits) to crack encryption by the end of this decade.

However, the quantum world is constantly making observations on its denizens, including qubits, which causes them to decohere and become "classical" or unable to compute with quantum algorithms. System builders must account for this noise and resolve engineering challenges to make qubits near perfect with 99.99% fidelity. We also need to run error correction, which requires sacrificing some physical qubits to create a logical, error-corrected qubit.

Qubit growth can be accelerated by using a few modest-size, quality quantum computers that work together using a technology called interconnect, which allows quantum computers to entangle qubits to behave as one quantum computer. If we get interconnect right, we could take, say, four 1,100-qubit quantum computers and instantly have a 4,400-qubit machine capable of doing damage to encryption.

IBM has a grim prediction that it will take 1,000 physical qubits to yield one error-corrected qubit. However, IonQ thinks it is closer to 16 to 1. An estimate between those two extremes indicates that if we get close to 1 million physical qubits this decade, we will quickly surpass current predictions.

NIST is aware of the looming threat and has been working to develop a new standard of PQC with ciphers to replace RSA. We expect a new standard by the end of 2024.

In May 2022, the White House released the National Security Memorandum on Promoting United States Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems. That memo has action demands on federal entities to be taken after NIST finalizes the new standard.

We can expect regulators and other industries in the private sector to mirror these expectations closely. Simply put, organizations must become crypto-agile and introduce hybrid PQC solutions for today's most critical data flows.

Quantum Cryptography Apocalypse: A Timeline and Action Plan

Entities located in East and Southeast Asia as well as Ukraine have been targeted at least since 2020 by a previously undocumented subgroup of APT41, a prolific Chinese advanced persistent threat (APT).
Cybersecurity firm Trend Micro, which christened the espionage crew Earth Longzhi, said the actor's long-running campaign can be split into two based on the toolset deployed to attack its victims

Entities located in East and Southeast Asia as well as Ukraine have been targeted at least since 2020 by a previously undocumented subgroup of APT41, a prolific Chinese advanced persistent threat (APT).

Cybersecurity firm Trend Micro, which christened the espionage crew **Earth Longzhi**, said the actor's long-running campaign can be split into two based on the toolset deployed to attack its victims.

The first wave from May 2020 to February 2021 is said to have targeted government, infrastructure, and healthcare industries in Taiwan and the banking sector in China, whereas the succeeding set of intrusions from August 2021 to June 2022 infiltrated high-profile victims in Ukraine and several countries in Asia.

This included defense, aviation, insurance, and urban development industries in Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan, and Ukraine.

The victimology patterns and the targeted sectors overlap with attacks mounted by a distinct sister group of APT41 (aka Winnti) known as Earth Baku, the Japanese cybersecurity company added.

Some of Earth Baku's malicious cyber activities have been tied to groups called by other cybersecurity firms ESET and Symantec under the names SparklingGoblin and Grayfly, respectively.

"SparklingGoblin's Tactics, Techniques and Procedures (TTPs) partially overlap with APT41 TTPs," ESET researcher Mathieu Tartare previously told The Hacker News. "Grayfly's definition given by Symantec seems to (at least partially) overlap with SparklingGoblin."

Now Earth Longzhi adds to another piece in the APT41 attack puzzle, what with the actor also sharing links to a third subgroup dubbed GroupCC (aka APT17, Aurora Panda, or Bronze Keystone).

Attacks orchestrated by the hacker group leverage spear-phishing emails as the initial entry vector. These messages are known to embed password-protected archives or links to files hosted on Google Drive that, when opened, launches a Cobalt Strike loader dubbed CroxLoader.

In some cases, the group has been observed weaponizing remote code execution flaws in publicly exposed applications to deliver a web shell capable of dropping a next-stage loader referred to as Symatic that's engineered to deploy Cobalt Strike.

Also put to use as part of its post-exploitation activities is an "all in one tool," which combines several publicly available and custom functions in one package and is believed to have been available since September 2014.

The second series of attacks initiated by Earth Longzhi follow a similar pattern, the main difference being the use of different Cobalt Strike loaders named CroxLoader, BigpipeLoader, and OutLoader to drop the red team framework on infected hosts.

The recent attacks further stand out for the use of bespoke tools that can disable security software, dump credentials using a modified version of Mimikatz, and leverage flaws in the Windows Print Spooler component (i.e., PrintNightmare) to escalate privileges.

What's more, incapacitating the installed security solutions is pulled off by a method called bring your own vulnerable driver (BYOVD), which entails the exploitation of a known flaw in the RTCore64.sys driver (CVE-2019-16098).

This is carried out using ProcBurner, a tool for killing specific running processes, while another custom malware called AVBurner is used to unregister the endpoint detection and response (EDR) system by removing process creation callbacks – a mechanism that was detailed by a security researcher who goes by the alias brsn in August 2020.

It's worth noting the outdated version of the RTCore64.sys driver, which still has a valid digital signature, has been put to use by multiple threat actors like BlackByte and OldGremlin over the past few months.

"\[Earth Longzhi's\] target sectors are in industries pertinent to Asia-Pacific countries' national security and economies," the researchers said. "The activities in these campaigns show that the group is knowledgeable on red team operations."

"The group uses social engineering techniques to spread its malware and deploy customized hack tools to bypass the protection of security products and steal sensitive data from compromised machines."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#mac