
New hacking group uses custom 'Symatic' Cobalt Strike loaders
2022-11-09 19:15

A previously unknown Chinese APT hacking group dubbed 'Earth Longzhi' targets organizations in East Asia, Southeast Asia, and Ukraine.

The threat actors have been active since at least 2020, using custom versions of Cobalt Strike loaders to plant persistent backdoors on victims' systems.

According to a new Trend Micro report, Earth Longzhi shares TTPs with 'Earth Baku,' and both are considered subgroups of the state-backed hacking group tracked as APT41.

In these more recent attacks, Earth Longzhi deployed a new set of custom Cobalt Strike loaders that used different decryption algorithms and additional features for performance and effectiveness.

One variant of the BigpipeLoader follows a very different payload loading chain, using DLL sideloading via a legitimate application to run the loader and inject Cobalt Strike into memory.

After Cobalt Strike runs on the target, the hackers use a custom version of Mimikatz to steal credentials and use the 'PrintNightmare' and 'PrintSpoofer' exploits for privilege escalation.

News URL

https://www.bleepingcomputer.com/news/security/new-hacking-group-uses-custom-symatic-cobalt-strike-loaders/