![]() ![]() The goal for any Cobalt Strike attack is the deployment of a post-exploitation payload, known as a “Beacon,'' onto a compromised endpoint. Looks like ESET doesn't even trust their competitor. docx file via Winword.Īll samples were discovered by Dr.Web. As such, it could have detected it trying to open the. Note that Eset sets a deep behavior inspection hook i.e.dll, into cmd.exe. Let's refer to a specific example using this prior posted sample. That is the malware won't perform any malicious activities. Also if the malware is run in a local sandbox, VM, etc., that doesn't prove anything since malware these days increasingly deploy anti-sandbox, VM, etc. The only way to fully known if the malware is not actually detected at some stage is to run it. It needs be noted that Eset sample detection at VT needs to be taken "with a grain of salt" as I have stated numerous times in this forum.Īll Eset employs protection-wise at VT is static signature detection for the most part. ĭue to the lack of response, I felt it necessary to highlight these samples here. ![]() The tracking numbers for those reports are, ,, ,, ,, and. Additionally, most samples remain undetected. I intended to report these via your email channel, but my recent submissions on, , and received no feedback. I hope ESET can consider enhancing signatures to address such threats more effectively. Given the frequency of these misses, it's alarming. Below are VT links for some of the undetected samples: Trend Micro has observed several programs developed by the attackers, "we collected multiple hacking tools used for privilege escalation (PrintNightmare and PrintSpoofer), credential dumping (custom standalone Mimikatz), and defense evasion (disablement of security products).I've noticed that many CobaltStrike backdoor samples seem to bypass ESET's detection. Earth Longzhi operatives prefer to develop their own tools from open-source projects. During post-exploitation activity typically consists of installing loaders to set up the environment for the deployment of Cobalt Strike and other custom hacking tools. ![]() For their entry vector, Earth Longzhi exploited public-facing applications for remote code execution (RCE) and distributed phishing emails containing malicious archive files or links. The sectors targeted have included industries in academics, aviation, defense, government, healthcare, infrastructure, and insurance. This watermark and public key combination is also used by Earth Baku and GroupCC, which are also believed to be subgroups of APT41." Earth Longzhi appears to have been active since 2020, and their campaigns have primarily targeted East and Southeast Asia entities. "After checking all the metadata of the Cobalt Strike payloads, we found most payloads shared the same watermark, 426352781, and public key 9ee3e0425ade426af0cb07094aa29ebc. Trend Micro has observed several programs developed by the attackers, "we collected multiple hacking tools used for privilege escalation (PrintNightmare and PrintSpoofer), credential dumping (custom standalone Mimikatz), and defense evasion (disablement of security products)."Ī new subgroup to Chinese state-sponsored espionage group, APT41 has been identified by security researchers from Trend Micro as 'Earth Longzhi.' The attribution was made from observing multiple campaigns with specific Cobalt Strike loaders. Earth Longzhi Another Subgroup to APT41 Category: Threat Actor Activity | Industries: Academic, Aviation, Defense, Government, Healthcare, Infrastructure, Insurance | Level: Tactical | Source: Trend MicroĪ new subgroup to Chinese state-sponsored espionage group, APT41 has been identified by security researchers from Trend Micro as 'Earth Longzhi.' The attribution was made from observing multiple campaigns with specific Cobalt Strike loaders. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |