Kaspersky researchers have revealed an ongoing, large-scale APT campaign with hundreds of victims in Southeast Asia, including government entities in Myanmar and the Philippines. The campaign, tracked as LuminousMoth, is linked to HoneyMyte, a Chinese-speaking threat actor.
The links include shared network infrastructure, such as command-and-control servers used by both groups, and similar TTPs when deploying Cobalt Strike beacon payloads.
Kaspersky analyzed LuminousMoth's cyberespionage attacks against several Asian government entities, which began in October 2020. The malware is believed to spread further via USB drives, widening the infection vector beyond the initial targets.
The threat actors use spear-phishing emails with malicious Dropbox download links that deliver RAR archives camouflaged as Word documents and bundling malware payloads, giving them access to their targets' systems. After execution, the malware tries to make its way onto other systems via removable USB drives, together with files stolen from already compromised computers.
LuminousMoth's malware also features post-exploitation tools that the operators can use for lateral movement within their victims' networks: one hidden in plain sight in the form of a fake Zoom app, the other designed to steal Chrome browser cookies.
The threat actors exfiltrate data collected from infected devices to their C2 servers, which in some cases impersonated news outlets to evade detection.
Once downloaded, the malware attempts to infect other hosts by spreading through removable USB drives. If a drive is found, the malware creates hidden directories on it and moves all of the victim's files there, alongside the malicious executables.
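A defender-side check for the USB staging pattern just described (a hidden directory on a removable drive holding the victim's relocated documents next to executables). This is an added example, not code or indicators from Kaspersky's report; the hidden folder name `.recycle`, the file names and the extension sets are constructed assumptions for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# Suffix sets are an assumption for the example, not indicators from the report.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".lnk"}
DOCUMENT_SUFFIXES = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}

def is_hidden(path: Path) -> bool:
    """Dot-prefixed on POSIX; on Windows also honour the HIDDEN file attribute."""
    if path.name.startswith("."):
        return True
    attrs = getattr(os.stat(path), "st_file_attributes", 0)  # Windows-only field
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)

def find_staging_dirs(drive_root) -> List[Dict]:
    """Hidden directories below drive_root holding both executables and documents:
    relocated user files beside droppers is the USB staging pattern described
    for LuminousMoth; documents alone or executables alone are not reported."""
    drive_root = Path(drive_root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(drive_root):
        current = Path(dirpath)
        if current == drive_root or not is_hidden(current):
            continue
        execs = sorted(f for f in filenames if Path(f).suffix.lower() in EXECUTABLE_SUFFIXES)
        docs = sorted(f for f in filenames if Path(f).suffix.lower() in DOCUMENT_SUFFIXES)
        if execs and docs:
            findings.append({"dir": str(current.relative_to(drive_root)),
                             "executables": execs, "documents": docs})
    return findings

def build_sample_drive(infected: bool = True) -> str:
    """Constructed sample drive (no real malware): documents moved into a hidden
    folder beside an executable when infected=True, a clean drive otherwise."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "readme.txt").write_text("benign visible file")
    if infected:
        staging = root / ".recycle"  # hypothetical hidden folder name
        staging.mkdir()
        for name in ("budget.xlsx", "memo.docx", "Document.exe"):
            (staging / name).write_bytes(b"constructed sample content")
    return str(root)

if __name__ == "__main__":
    for hit in find_staging_dirs(build_sample_drive()):
        print(f"hidden folder {hit['dir']}: {hit['executables']} beside {hit['documents']}")
```

Point `find_staging_dirs` at the mount point of a real removable drive to run the same check outside the constructed sample.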
This new cluster of activity might once again point to a trend seen over the course of this year: Chinese-speaking threat actors re-tooling and producing new, previously unknown malware implants. IOCs can be found via the link.