At a glance.
- APT41 subgroup Earth Longzhi uses new techniques to bypass security products.
- Iranian cyberespionage group MuddyWater using Managed Service Provider tools.
- Wipers reappear in Ukrainian networks.
- Meta observes and disrupts new NodeStealer malware campaign.
- City of Dallas moderately affected by ransomware attack.
- Indictment, takedown in dark web carder case.
APT41 subgroup Earth Longzhi uses new techniques to bypass security products.
Researchers at Trend Micro have discovered a new campaign by the Earth Longzhi subgroup of APT41. The attacks use a relatively novel technique the researchers call “stack rumbling.” Stack rumbling uses Image File Execution Options (IFEO), typically a denial-of-service method, to disable security products. “In addition, we’ve noticed that this campaign installs drivers as kernel-level services by using Microsoft Remote Procedure Call (RPC) instead of using general Windows application programming interfaces (APIs). This is a stealthy way to evade typical API monitoring,” the researchers write. Trend Micro notes that the campaign tends to exploit public-facing applications, Internet Information Services, and Microsoft Exchange servers. Earth Longzhi is also using forged Windows Defender binaries to launch a new variant of Croxloader and “SPHijacker,” which can disable security products. Earth Longzhi has been seen targeting government, healthcare, technology, and manufacturing organizations in the Philippines, Thailand, Taiwan, and Fiji. The researchers assess that Vietnam and Indonesia are probably the next countries Earth Longzhi will target.
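A defender-side audit for the kind of IFEO tampering described above, added here as an example; it is not code from Trend Micro, the article, or the campaign. It enumerates the IFEO registry keys and reports any entry for a watched security-product image that sets the `Debugger` or `MinimumStackCommitInBytes` value, the two IFEO settings that change how a process starts. The watch list is an assumption: `MsMpEng.exe` is the Windows Defender antimalware service, and the second name is a placeholder to replace with your own EDR or AV agent process. It reads the live registry, so run it in an elevated PowerShell session.

```powershell
# Added example for this briefing, not code from Trend Micro or the article.
# Audits Image File Execution Options (IFEO) for overrides that could crash or
# redirect security-product processes at launch.

$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Assumption: images to watch. MsMpEng.exe is the Windows Defender antimalware
# service; 'YourEdrAgent.exe' is a placeholder for your own agent's process name.
$watchList = @('MsMpEng.exe', 'YourEdrAgent.exe')

# IFEO values that alter process start-up: 'Debugger' redirects execution to
# another binary; 'MinimumStackCommitInBytes' forces a stack commit size at
# process creation and, when set implausibly high, makes the target fail to start.
$suspectValues = @('Debugger', 'MinimumStackCommitInBytes')

function Get-IfeoFindings {
    param(
        [string[]]$Processes,
        [string[]]$Values
    )
    $findings = @()
    # Each subkey of the IFEO root is named after the image it applies to.
    foreach ($key in Get-ChildItem -Path $ifeoRoot -ErrorAction SilentlyContinue) {
        $image = $key.PSChildName
        # -notcontains is case-insensitive, matching registry key name semantics.
        if ($Processes -notcontains $image) { continue }
        $props = Get-ItemProperty -Path $key.PSPath
        foreach ($valueName in $Values) {
            if ($null -ne $props.$valueName) {
                $findings += [pscustomobject]@{
                    Image = $image
                    Value = $valueName
                    Data  = $props.$valueName
                    Key   = $key.PSPath
                }
            }
        }
    }
    return $findings
}

$results = @(Get-IfeoFindings -Processes $watchList -Values $suspectValues)
if ($results.Count -eq 0) {
    Write-Output "No IFEO overrides found for watched security-product images."
} else {
    # Any hit here deserves investigation: legitimate software rarely sets these
    # values on an antimalware service image.
    $results | Format-Table -AutoSize
}
```

A hit does not by itself prove compromise, but an IFEO entry on an antimalware image is rare enough in practice that it should be treated as a high-priority finding and correlated with process-creation and service-installation telemetry from the same host.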