Introduction
In 2022, we discovered a hacking group that has been targeting telecom, technology, and media sectors in Vietnam since 2020. We track this particular group as Earth Zhulong. We believe that Earth Zhulong is likely related to the Chinese-linked hacking group 1937CN based on similar code in the custom shellcode loader and victimology.
In this post, we’ll introduce Earth Zhulong’s new tactics, techniques, and procedures (TTPs) in the recent campaign and the evolution of their custom shellcode loader, “ShellFang”. Their TTPs show that they are sophisticated and meticulous operators: they adopt multiple approaches to obfuscate their tools and eliminate their footprint after finishing an operation. As a result, we have had to exert greater effort to hunt down and analyze their tools to fully understand the attack scenario. In addition, we have verified that three different variants of ShellFang were used from 2020 to 2022. The latest variant demonstrates that the threat actors have adopted more obfuscation techniques, including abusing exception mechanisms to obfuscate the execution flow of programs and Windows API hashing.
In early 2022, we further discovered that Earth Zhulong abused group policy objects (GPO) to install loaders and launch Cobalt Strike on their target hosts. Several hack tools were also found on the infected hosts, including tunneling and port-scanning tools, a Go-based backdoor, and an information stealer used to harvest internal information.
Compared to the old variants, the code structure in the latest variant is dramatically different and there are few shared features.