LuminousMoth APT hits 1 500 targets in Asia


Researchers at Kaspersky have discovered a rare, wide-scale advanced persistent threat (APT) campaign targeting some 1 500 victims, among them government entities.

The attackers typically gain an initial foothold through a spear-phishing email carrying a Dropbox download link. Clicking the link downloads a RAR archive disguised as a Word document; the archive contains the malicious payload.
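A cheap check against the lure described above is to compare what a downloaded file's name claims with what its first bytes actually are: a RAR archive starts with the `Rar!` signature, while a real .docx is a ZIP container and a legacy .doc is an OLE compound file. The following is an added example, not code from Kaspersky or from the article; the signature table and the sample filenames and bytes are constructed for illustration and are not taken from the campaign.

```python
"""Flag downloads whose content type does not match the extension in their name.
Added example: a RAR archive named like a Word document is reported.
All sample names and bytes below are constructed, not real LuminousMoth artefacts."""
from pathlib import PurePath
from typing import Optional

# File signatures (magic bytes) for the container formats involved.
SIGNATURES = {
    "rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),   # RAR4 / RAR5
    "zip": (b"PK\x03\x04",),                                 # .docx/.xlsx/.pptx are ZIP containers
    "ole": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),            # legacy .doc/.xls binary format
}

# Which container each claimed extension is allowed to be (assumed policy).
EXPECTED = {
    ".docx": {"zip"}, ".xlsx": {"zip"}, ".pptx": {"zip"},
    ".doc": {"ole"}, ".xls": {"ole"},
    ".rar": {"rar"},
}


def detect_container(data: bytes) -> Optional[str]:
    """Return 'rar', 'zip', 'ole' or None based on the leading bytes."""
    for kind, sigs in SIGNATURES.items():
        if any(data.startswith(sig) for sig in sigs):
            return kind
    return None


def check_attachment(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the detected container and also
    flag a document extension hidden before the final one (report.docx.rar)."""
    path = PurePath(filename.lower())
    claimed = path.suffix
    actual = detect_container(data)
    reasons = []
    if claimed in EXPECTED and actual not in EXPECTED[claimed]:
        reasons.append(f"content is {actual or 'unknown'}, name claims {claimed}")
    inner_doc = [s for s in path.suffixes[:-1] if s in EXPECTED and s != ".rar"]
    if inner_doc:
        reasons.append(f"document extension {inner_doc[-1]} precedes final {claimed}")
    return {
        "name": filename,
        "claimed": claimed,
        "actual": actual,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def demo_samples() -> list:
    """Run the check over three constructed downloads."""
    rar5 = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16
    docx = b"PK\x03\x04" + b"\x00" * 16
    samples = [
        ("Meeting_Minutes.docx", rar5),   # RAR bytes behind a Word name: suspicious
        ("Budget.docx", docx),            # genuine OOXML container: clean
        ("Agenda.docx.rar", rar5),        # honest RAR, but double extension: suspicious
    ]
    return [check_attachment(name, data) for name, data in samples]


if __name__ == "__main__":
    for result in demo_samples():
        print(result)
```

The signature check only needs the first few bytes, so it can run on a mail gateway or endpoint before the archive is opened; it says nothing about what is inside the archive, which still has to be inspected separately.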

Once it is running on one system, the malware spreads to other hosts through removable USB drives, a seldom-used attack vector. If a removable drive is found, the malware creates hidden directories on it and moves all of the victim's files there, along with the malicious executables.

“In some cases, this was followed by deployment of a signed, but fake version of the popular application Zoom, which was in fact malware enabling the attackers to exfiltrate files from the compromised systems,” the researchers say.

“The sheer volume of the attacks raises the question of whether this is caused by a rapid replication through removable devices or by an unknown infection vector, such as a watering hole or a supply chain attack.”

This cluster of activity, named LuminousMoth, has been carrying out cyber espionage attacks against government entities since at least October last year.

Although its attention was initially focused on Myanmar, the threat actor has since shifted its attention to the Philippines.

New, unknown malware implants

Kaspersky attributes LuminousMoth, with medium to high confidence, to the HoneyMyte threat group, a well-known, long-standing Chinese-speaking threat actor. HoneyMyte is primarily interested in gathering geopolitical and economic intelligence in Asia and Africa.

Mark Lechtik, senior security researcher with the Global Research and Analysis Team (GReAT) at Kaspersky, says this new cluster of activity could point to a trend the security giant has witnessed over the course of this year - Chinese-speaking threat actors re-tooling and producing new and unknown malware implants.

“The massive scale of the attack is quite rare. It’s also interesting that we’ve seen far more attacks in the Philippines than in Myanmar. This could be due to the use of USB drives as a spreading mechanism or there could be yet another infection vector that we’re not yet aware of being used in the Philippines,” adds Aseel Kayal, another security researcher with GReAT.

Kaspersky has seen increased activity by Chinese-speaking threat actors over the past year, and suspects this won’t be the last of LuminousMoth.

“In addition, there’s a high chance the group will begin to further sharpen its toolset. We’ll be keeping an eye out for any future developments,” comments Paul Rascagneres, senior security researcher with GReAT.

Preventing APTs

To protect against APT campaigns like LuminousMoth, Kaspersky experts recommend providing employees with basic cyber security hygiene training, as many targeted attacks start with phishing or other social engineering techniques.

In addition, it says to conduct a cyber security audit of all networks and remediate any weaknesses discovered in the perimeter or inside the network. “Install anti-APT and EDR solutions, enabling threat discovery and detection, investigation and timely remediation of incidents capabilities.”

Next, Kaspersky recommends providing the SOC team with access to the latest threat intelligence and regularly upskilling them with professional training.
