"New Hacking Group Uses Custom 'Symatic' Cobalt Strike Loaders"

'Earth Longzhi,' a previously unknown Chinese Advanced Persistent Threat (APT) hacking group, targets organizations in East Asia, Southeast Asia, and Ukraine. The threat actors have been active since at least 2020, planting persistent backdoors on victims' systems using customized versions of Cobalt Strike loaders. According to a new Trend Micro report, Earth Longzhi shares tactics, techniques, and procedures (TTPs) with 'Earth Baku,' and both are considered subgroups of the state-backed hacking group APT41. The Trend Micro report describes two Earth Longzhi campaigns, the first of which took place between May 2020 and February 2021. During that time, the hackers targeted several Taiwanese infrastructure companies, a Chinese bank, and a Taiwanese government organization. In this campaign, the hackers used the custom Cobalt Strike loader 'Symatic,' which has a sophisticated anti-detection system. It is capable of removing Application Programming Interface (API) hooks from 'ntdll.dll,' obtaining the raw file content, and replacing the in-memory ntdll image with an unmonitored copy. To obfuscate the execution chain, it can also spawn a new process for process injection and masquerade the parent process. Furthermore, it is able to inject a decrypted payload into the newly created process. This article continues to discuss the new Earth Longzhi hacking group and its use of custom Symatic Cobalt Strike loaders.

Bleeping Computer reports "New Hacking Group Uses Custom 'Symatic' Cobalt Strike Loaders"