Hacking

China-linked LuminousMoth APT targets entities from Southeast Asia

LuminousMoth: Kaspersky uncovered an ongoing and large-scale APT campaign that targeted government entities in Southeast Asia, including Myanmar and the Philippines.

Kaspersky experts uncovered an ongoing and large-scale cyber espionage campaign, tracked as LuminousMoth, aimed at government entities from Southeast Asia, including Myanmar and the Philippines government entities.

The LuminousMoth campaign has been linked by the experts to a China-linked APT group tracked as HoneyMyte.

Researchers pointed out that this campaign outstands for its large-scale nature, a modus operating that is usually not associated with APT groups who surgically hit high-profile targets.

The campaign dates back to at least October 2020, but experts pointed out that the threat actors were most active recently.

They are also both known to launch wide-scale attacks against significant numbers of targets with the end goal of hitting just a small subset matching their interests.

The researchers spotted approximately 100 victims in Myanmar, while the number of victims in the Philippines was at least 1,400. Anyway experts speculate that the actual targets were only a subset of these that included high-profile organizations, namely government entities located both within those countries and abroad.

Threat actors were able to spread to other hosts through the use of USB drives, experts also noticed the deployment of a signed, but fake version of the application Zoom, which was a data stealing malware.

Kaspersky experts identified two infection vectors used by LuminousMoth, one leverages spear-phishing messages containing a Dropbox download link, the second one used once gained access to the target network, leverages on removable USB drives.

The Dropbox link leads to a RAR archive that masquerades as a Word document by setting the “file_subpath” parameter to point to a filename with a .DOCX extension.

“The archive contains two malicious DLL libraries as well as two legitimate executables that sideload the DLL files. We found multiple archives like this with file names of government entities in Myanmar, for example “COVID-19 Case 12-11-2020(MOTC).rar” or “DACU Projects.r01” (MOTC is Myanmar’s Ministry of Transport and Communications, and DACU refers to the Development Assistance Coordination Unit of the Foreign Economic Relations Department (FERD) in Myanmar).” reads the analysis published by Kaspersky.

The C2 infrastructure includes domains impersonating news outlets to evade detection.

“LuminousMoth represents a formerly unknown cluster of activity that is affiliated to a Chinese-speaking actor. As described in this report, there are multiple overlaps between resources used by LuminousMoth and those sighted in previous activity of HoneyMyte. Both groups, whether related or not, have conducted activity of the same nature – large-scale attacks that affect a wide perimeter of targets with the aim of hitting a few that are of interest.” concludes.

The report includes a list of indicators of compromise (IOCs) for the attacks spotted by Kaspersky.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

New Triada Trojan comes preinstalled on Android devices<gwmw style="display:none;"></gwmw>

A new Triada trojan variant comes preinstalled on Android devices, stealing data on setup, warn…

2 hours ago

New advanced FIN7’s Anubis backdoor allows to gain full system control on Windows

FIN7 cybercrime group has been linked to Anubis, a Python-based backdoor that provides remote access…

10 hours ago

U.S. CISA adds Apache Tomcat flaw to its Known Exploited Vulnerabilities catalog<gwmw style="display:none;"></gwmw>

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Apache Tomcat flaw to its Known Exploited…

18 hours ago

Apple backported fixes for three actively exploited flaws to older devices

Apple backports three critical vulnerabilities actively exploited in attacks against older iOS and macOS models.…

23 hours ago

Spike in Palo Alto Networks scanner activity suggests imminent cyber threats

Hackers are scanning for vulnerabilities in Palo Alto Networks GlobalProtect portals, likely preparing for targeted…

24 hours ago

Microsoft warns of critical flaw in Canon printer drivers

Microsoft’s offensive security team discovered a critical code execution vulnerability impacting Canon printer drivers.  Researchers…

2 days ago