A recently discovered threat actor from China has been spotted launching large-scale attacks, but then carefully picking selected targets to infect and exfiltrate data from.
Codenamed LuminousMoth, this new APT has been active since October 2020 and has focused mostly on Myanmar, but it has recently extended its reach to the Philippines. The large-scale malware campaign run by this group has made an impression on security researchers not only because of its scale, but also because of how selective it is about its targets.
According to the reports, the LuminousMoth malware spreads by copying itself to removable USB drives connected to an infected system, which accounts for the high infection count. Only a small subset of the infected machines, however, is actually targeted for further attack.
Researchers attribute the malware's recent success in the Philippines to another, as yet undiscovered, infection vector in the country, as well as to the attackers' interest in Philippine targets.
Professionals tracking the threat note that the LuminousMoth attackers use a distinct toolset and distinct malware distribution strategies. There are several ways a system can become infected with the LuminousMoth malware.
The campaign begins with a spear-phishing email sent to the recipient. The email typically contains a Dropbox download link that fetches a RAR archive; hidden inside the archive are malicious DLLs disguised as a .DOCX file. Once the system is compromised, two additional executables are downloaded alongside the DLLs, together with a copy of Cobalt Strike, and these are then copied onto removable drives.
Unusually, in some instances the initial infection is followed by the deployment of a signed but fake version of the popular Zoom software. This has mostly been observed in the Myanmar attacks.
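The lure described above relies on a DLL carrying a document extension. One defender-side check that catches that mismatch is to classify files by their leading bytes rather than their name: a genuine .docx is an OOXML ZIP container, while a Windows DLL or EXE begins with the "MZ" DOS header. The following scanner is an added example written for this article, not code from the researchers or from any LuminousMoth sample; the sample files it builds are constructed stand-ins.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Magic bytes. A .docx is an OOXML ZIP container; a Windows PE image (DLL/EXE)
# starts with the DOS header "MZ". Extensions here are the document types most
# often used as lures.
PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"
DOC_EXTENSIONS = {".docx", ".xlsx", ".pptx"}

def classify(path):
    """Classify a file by its leading bytes, ignoring its extension."""
    with open(path, "rb") as f:
        head = f.read(4)
    if head.startswith(PE_MAGIC):
        return "pe"
    if head.startswith(ZIP_MAGIC):
        return "ooxml" if _is_ooxml(path) else "zip"
    return "other"

def _is_ooxml(path):
    """A real OOXML document always carries a [Content_Types].xml entry."""
    try:
        with zipfile.ZipFile(path) as z:
            return "[Content_Types].xml" in z.namelist()
    except zipfile.BadZipFile:
        return False

def find_masquerading_files(root):
    """Return (sorted) paths whose document extension hides a PE image."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in DOC_EXTENSIONS and classify(p) == "pe":
                hits.append(str(p))
    return sorted(hits)

def build_sample_dir():
    """Constructed sample tree: one genuine .docx and one PE disguised as .docx."""
    root = Path(tempfile.mkdtemp(prefix="lure_scan_"))
    with zipfile.ZipFile(root / "minutes.docx", "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # genuine OOXML skeleton
    # Fake DLL: DOS header signature followed by padding (not a real binary).
    (root / "Agenda.DOCX").write_bytes(PE_MAGIC + b"\x90" * 62)
    return root
```

Run `find_masquerading_files` over an extracted archive or a mounted removable drive; the mixed-case `Agenda.DOCX` sample shows why the extension is lower-cased before matching.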
As per the available details, initially, the LuminousMoth threat actors targeted big organizations in Myanmar, where over 100 victims were registered. The malicious campaign ramped up in the Philippines, where researchers discovered almost 1,400 victims of the attacks.
The true targets, however, were a small set of high-profile government entities in both Myanmar and the Philippines. Myanmar’s Ministry of Transport and Communications and the country’s Development Assistance Coordination Unit of the Foreign Economic Relations Department were among the victims that researchers identified from archives embedded in two of the malicious DLLs.