Trend Micro researchers spotted an elusive threat actor, called Earth Lusca, that targets organizations worldwide via spear-phishing and watering hole attacks.
According to the security firm, the group is financially motivated, its cyberespionage campaign hit high value targets such as government and educational institutions, religious movements, pro-democracy and human rights organisations in Hong Kong, Covid-19 research organisations, gambling and cryptocurrency companies, and the media.
Trend Micro researchers speculate the group operates under the China-linked Winnti umbrella.
The Winnti group was first spotted by Kaspersky in 2013, but according to the researchers the gang has been active since 2007.
The experts believe that under the Winnti umbrella there are several APT groups, including Winnti, Gref, PlayfullDragon, APT17, DeputyDog, Axiom, BARIUM, LEAD, PassCV, Wicked Panda, Group 72, Blackfly, and APT41, and ShadowPad.
The APT group targeted organizations in various industries, including the aviation, gaming, pharmaceuticals, technology, telecoms, and software development industries.
The researchers grouped the Earth Lusca’s infrastructure into two “clusters. The first cluster was set up using rented virtual private servers (VPS), it was employed in watering hole and spear-phishing attacks.
The second cluster is composed of compromised servers running vulnerable versions of Oracle GlassFish Server. The second cluster was used to perform scanning for vulnerabilities in public-facing servers and builds traffic tunnels within the target’s network. Both clusters served as a C&C server.
“Our telemetry data shows Earth Lusca sending spear phishing emails containing malicious links to one of their targets — a media company. These links contain files that are disguised either as documents that would be of interest to the potential target, or as opinion forms allegedly coming from another media organisation.”reads the analysis published by Trend Micro. “The user eventually downloads an archive file containing either a malicious LNK file or an executable — eventually leading to a Cobalt Strike loader.”
The threat actors were observed deploying Cobalt Strike in the infected networks, along with a set of additional malware and web shells. The group also used other tools such as cryptocurrency miners as part of its operations.
In one of the attacks analyzed by the researchers, the threat actors injected a malicious script into the compromised HR system of a target organisation. This script shows a social engineering message, such as a Flash update popup or a DNS error, and attempts to trick the victim into downloading a malicious file deploy a Cobalt Strike loader.
“Evidence points to Earth Lusca being a highly-skilled and dangerous threat actor mainly motivated by cyberespionage and financial gain. However, the group still primarily relies on tried-and-true techniques to entrap a target,” concludes the analysis. “While this has its advantages (the techniques have already proven to be effective), it also means that security best practices, such as avoiding clicking on suspicious email/website links and updating important public-facing applications, can minimize the impact — or even stop — an Earth Lusca attack.”
(SecurityAffairs – hacking, Earth Lusca)