China-linked LuminousMoth APT targets entities from Southeast Asia

LuminousMoth: Kaspersky uncovered an ongoing and large-scale APT campaign that targeted government entities in Southeast Asia, including Myanmar and the Philippines.

Kaspersky experts uncovered an ongoing and large-scale cyber espionage campaign, tracked as LuminousMoth, aimed at government entities from Southeast Asia, including Myanmar and the Philippines government entities.

The LuminousMoth campaign has been linked by the experts to a China-linked APT group tracked as HoneyMyte.

Researchers pointed out that this campaign outstands for its large-scale nature, a modus operating that is usually not associated with APT groups who surgically hit high-profile targets.

The campaign dates back to at least October 2020, but experts pointed out that the threat actors were most active recently.

They are also both known to launch wide-scale attacks against significant numbers of targets with the end goal of hitting just a small subset matching their interests.

The researchers spotted approximately 100 victims in Myanmar, while the number of victims in the Philippines was at least 1,400. Anyway experts speculate that the actual targets were only a subset of these that included high-profile organizations, namely government entities located both within those countries and abroad.

Threat actors were able to spread to other hosts through the use of USB drives, experts also noticed the deployment of a signed, but fake version of the application Zoom, which was a data stealing malware.

Kaspersky experts identified two infection vectors used by LuminousMoth, one leverages spear-phishing messages containing a Dropbox download link, the second one used once gained access to the target network, leverages on removable USB drives.

The Dropbox link leads to a RAR archive that masquerades as a Word document by setting the “file_subpath” parameter to point to a filename with a .DOCX extension.

“The archive contains two malicious DLL libraries as well as two legitimate executables that sideload the DLL files. We found multiple archives like this with file names of government entities in Myanmar, for example “COVID-19 Case 12-11-2020(MOTC).rar” or “DACU Projects.r01” (MOTC is Myanmar’s Ministry of Transport and Communications, and DACU refers to the Development Assistance Coordination Unit of the Foreign Economic Relations Department (FERD) in Myanmar).” reads the analysis published by Kaspersky.

The C2 infrastructure includes domains impersonating news outlets to evade detection.

“LuminousMoth represents a formerly unknown cluster of activity that is affiliated to a Chinese-speaking actor. As described in this report, there are multiple overlaps between resources used by LuminousMoth and those sighted in previous activity of HoneyMyte. Both groups, whether related or not, have conducted activity of the same nature – large-scale attacks that affect a wide perimeter of targets with the aim of hitting a few that are of interest.” concludes.

The report includes a list of indicators of compromise (IOCs) for the attacks spotted by Kaspersky.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT)

[adrotate banner=”5″]

[adrotate banner=”13″]