Researchers have discovered a cyber-espionage campaign that is spying on targets and is deploying attacks for financial benefits. The group was identified to be chinese bound Earth Lusca and has been spying targets for more than two years now.
The targeted bodies include,
- Gambling companies in Mainland China
- Government institutions in Taiwan, Thailand, Philippines, Vietnam, United Arab Emirates,Mongolia, and Nigeria
- Educational institutions in Taiwan, Hong Kong, Japan, and France
- News media in Taiwan, Hong Kong, Australia, Germany, and France
- Pro-democracy and human rights political organizations and movements in Hong Kong
- Covid-19 research organizations in the United States
- Telecom companies in Nepal
- Religious movements that are banned in Mainland China
- Various cryptocurrency trading platforms
The primary intention is to collect intelligence from these entities. The group has also been involved in orchestrated attacks against gambling companies, cryptocurrency platforms, and other bodies from where the financial benefits are reaped.
The government espionage group involved in financially motivated attacks has become a pattern lately. iran based threat actors have been breaching VPN devices around the world, targeting important entities for spying, data extraction and selling the info on the dark web.
The Earth Lusca Group and APT41 have a lot in common including the attack vector and tactics, thus making APT41 the major threat actor in the world right now.
Trend Micro’s report shows that the Earth Lusca Group primarily uses three methods to attack an entity,
- Leveraging and exploiting unpatched vulnerabilities in public facing servers and web apps.
- Orchestrating spear phishing attacks with links to nefarious websites.
- Watering hole attacks to lure visitors and deploy malware via the websites.
Spear phishing and watering hole attacks are very common techniques, but they are sometimes difficult to track for the attacker. Once the backdoor is triggered by an unsuspecting user, the threat actor needs to know about it to process the next steps in the attack.
On the compromised server being used as a watering hole, we found a mystery CNA file written in the scripting language “Aggressor Script,” which allows users to modify and extend the Cobalt Strike client.
In the CNA script, when a new beacon is initialized, the client information is extracted and sent to a remote server, thereby notifying the attacker. The script was modified from another popular script, which sends a message via a public service called “ServerChan.” The threat actor modified the endpoint of the API and slightly reduced the amount of information sent. It is highly likely that the script enhanced the attacker’s agility regarding the attack sequence
The researchers have seen Cobalt Strike as the common maneuver to infect hosts by deploying it on the target environment. Cobalt Strike is often used by security professionals to simulate attacks but recently been used by threat actors for their modus operandi.
Once the Earth Lusca actors are over the preliminary steps, they start deploying other payloads on the devices. Which includes,
- Winnti backdoor
- Doraemon backdoor
- Behinder Web shell
- AntSowrd web shell
- FunnySwitch backdoor
- ShadowPad backdoor
The cryptominer deployment is a brilliant maneuver to divert the detection to monetary benefits and hide the fact that Earth Lusca is behind the intelligence and data, the cyber-espionage campaign will be complete stealth while the cryptominer will be the dummy that gets caught instead.
Indicators of Compromise