Security researchers at Kaspersky Lab have recently detected a new cyberattack campaign in Southeast Asia. The campaign has been named LuminousMoth and has been active since October 2020.
This campaign differs from other well-known advanced targeted attacks. What stands out is the number of victims, which is not limited to dozens of organizations but is many times larger.
The campaign is also unusual in that the security experts identified two infection vectors being used by LuminousMoth.
The initial vector is the one that gives the threat actors their primary access to a system; here, the attackers use spear-phishing emails containing malicious Dropbox download links.
The second infection vector comes into play once the first has succeeded: the malware then attempts to spread further by infecting removable USB drives.
The security analysts from Kaspersky stated that the attack relies on two components: a malicious library called “version.dll”, which is side-loaded by “igfxem.exe”, and that loader itself, a Microsoft Silverlight executable originally named “sllauncher.exe.”
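The side-loading pattern described above (a legitimate, renamed Silverlight launcher loading a rogue version.dll from its own directory) is something defenders can look for in image-load telemetry. The following is an added detection example, not code from the article or from Kaspersky; it assumes image-load events that carry the loading process's path, its PE OriginalFileName (as Sysmon-style telemetry does) and the loaded DLL's path. The events below are constructed sample data, not real campaign artifacts.

```python
"""Flag DLL side-loading of version.dll by a renamed host binary.

Added example (not from the article). Two signals are checked per event:
  1. version.dll loaded from outside the Windows system directories;
  2. the loading process's on-disk name differs from its PE OriginalFileName
     (e.g. sllauncher.exe running as igfxem.exe).
Both together are rated "high"; either alone is rated "low", because many
legitimate applications ship their own version.dll next to their EXE.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List

# Directories from which version.dll is expected to load (lower-cased).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# DLL names to watch; the article names version.dll.
WATCHED_DLLS = {"version.dll"}


@dataclass
class ImageLoadEvent:
    process_path: str       # path of the process that loaded the DLL
    original_filename: str  # PE OriginalFileName of that process
    image_path: str         # full path of the loaded DLL


def is_system_dir(path: str) -> bool:
    """True if the file sits directly in a Windows system directory."""
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS


def evaluate(event: ImageLoadEvent) -> List[str]:
    """Return human-readable findings for one image-load event."""
    findings = []
    dll_name = PureWindowsPath(event.image_path).name.lower()
    if dll_name in WATCHED_DLLS and not is_system_dir(event.image_path):
        findings.append(f"{dll_name} loaded from non-system path {event.image_path}")
    proc_name = PureWindowsPath(event.process_path).name.lower()
    if event.original_filename and proc_name != event.original_filename.lower():
        findings.append(
            f"process {proc_name} has OriginalFileName "
            f"{event.original_filename} (renamed binary)"
        )
    return findings


def severity(event: ImageLoadEvent) -> str:
    """'high' when both signals fire, 'low' for one, 'none' otherwise."""
    count = len(evaluate(event))
    return {0: "none", 1: "low"}.get(count, "high")


def scan(events: List[ImageLoadEvent]) -> Dict[str, str]:
    """Map each process path with at least one finding to its severity."""
    return {e.process_path: severity(e) for e in events if evaluate(e)}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: system DLL loaded by a system binary under its real name.
    ImageLoadEvent(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE",
                   r"C:\Windows\System32\version.dll"),
    # Suspicious: renamed Silverlight launcher side-loading a local version.dll.
    ImageLoadEvent(r"C:\Users\Public\igfxem.exe", "sllauncher.exe",
                   r"C:\Users\Public\version.dll"),
    # Low: a third-party app shipping its own version.dll, name unchanged.
    ImageLoadEvent(r"C:\Program Files\App\app.exe", "app.exe",
                   r"C:\Program Files\App\version.dll"),
]

if __name__ == "__main__":
    for proc, sev in scan(SAMPLE_EVENTS).items():
        print(sev, proc)
```

The renamed-binary check is what separates the campaign's pattern from the ordinary false positive of an application bundling its own version.dll; in a real deployment the OriginalFileName field comes from the endpoint sensor, and the watched-DLL set would be extended to other commonly side-loaded names.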
There are two exploitation tools mainly used by the threat actors, and they are:-
After investigation, the security researchers concluded that LuminousMoth has infected a large number of targets, mainly in the Philippines and Myanmar.
The analysts report nearly 100 victims in Myanmar and 1,400 victims in the Philippines. The campaign also hit government agencies.
In the command-and-control communication, the experts found that the threat actors contacted many IP addresses directly, as well as communicating with the domain “updatecatalogs.com.”
They also found several other domains, which are listed below:-
After further investigation, the researchers found that this campaign has many similarities with the HoneyMyte threat group. What links LuminousMoth and HoneyMyte is that both groups share the same targeting and TTPs.
Both groups also make the same use of DLL side-loading and Cobalt Strike loaders, and a component of LuminousMoth’s Chrome cookie stealer was seen in earlier HoneyMyte activity.
The researchers affirmed that both groups have conducted activity of the same nature: in both cases a large-scale attack took place that affected a wide range of targets. It is still unclear whether the two groups are connected.