Kaspersky researchers have uncovered a large-scale advanced persistent threat (APT) campaign targeting thousands of users in Southeast Asia, some of them in government.
Kaspersky found the campaign spread across Southeast Asia, concentrated in Myanmar and the Philippines with roughly 100 and 1,400 victims respectively; some of those victims were government entities.
LuminousMoth Takes Action
The activity cluster, dubbed LuminousMoth, has been targeting government organisations since October 2020. The group initially focused on Myanmar and later shifted its attention to the Philippines.
The group gains its initial foothold through spear-phishing emails carrying a Dropbox download link. Clicking the link downloads a RAR archive disguised as a Word document that contains the malicious payload.
The malware then tries to spread to other hosts via removable USB drives. When it finds a drive, it creates a hidden directory on it and removes all of the victim’s files, replacing them with a malicious executable.
Two post-exploitation tools are used for lateral movement: one is a fake version of Zoom, the other steals cookies from the Chrome browser. Once on the victim’s device, LuminousMoth exfiltrates data to its command-and-control (C2) server.
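As an added defender-side illustration (not code from Kaspersky or from this article), the following Python script checks a mounted drive for the two artefacts described above: files with document extensions whose content is actually a RAR archive or a PE executable, and executables sitting inside hidden directories. The drive layout it scans is constructed inline for the demonstration, and the magic-byte constants and hidden-attribute handling are this example’s own assumptions.

```python
import os
import tempfile
from pathlib import Path

# Leading bytes of the two formats the report mentions (RAR archive, PE executable).
RAR_MAGIC = b"Rar!\x1a\x07"
PE_MAGIC = b"MZ"
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx"}
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows hidden bit; POSIX hides with a leading dot instead

def file_kind(path):
    # Classify by content, ignoring whatever extension the file carries.
    head = Path(path).read_bytes()[:8]
    if head.startswith(RAR_MAGIC):
        return "rar"
    if head.startswith(PE_MAGIC):
        return "pe"
    return "other"

def is_hidden(path):
    attrs = getattr(path.stat(), "st_file_attributes", 0)  # only present on Windows
    return path.name.startswith(".") or bool(attrs & FILE_ATTRIBUTE_HIDDEN)

def scan_drive(root):
    # Walk a mounted drive; return (relative_path, reason) pairs worth a closer look.
    root, findings = Path(root), []
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        # Hidden if this directory or any ancestor below the drive root is hidden.
        in_hidden = any(is_hidden(a) for a in [d, *d.parents] if a != root and root in a.parents)
        for name in files:
            p = d / name
            kind = file_kind(p)
            rel = p.relative_to(root).as_posix()
            if p.suffix.lower() in DOC_EXTS and kind != "other":
                findings.append((rel, f"document extension but {kind} content"))
            if kind == "pe" and in_hidden:
                findings.append((rel, "executable inside hidden directory"))
    return findings

def build_sample_drive():
    # Constructed stand-in for an infected removable drive (sample data, not from the report).
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "budget.xlsx").write_bytes(b"PK\x03\x04" + b"\0" * 16)   # genuine OOXML (zip) header
    (root / "invoice.docx").write_bytes(PE_MAGIC + b"\x90\0\x03\0")  # executable posing as a Word file
    (root / "brief.doc").write_bytes(RAR_MAGIC + b"\0" * 4)           # RAR delivered under a .doc name
    (root / ".recycle").mkdir()                                       # hidden directory created on the drive
    (root / ".recycle" / "sync.exe").write_bytes(PE_MAGIC + b"\x90\0\x03\0")  # dropped executable
    return root
```

To check a real device, call `scan_drive()` with its mount point (for example `/media/usb` or `E:\`) instead of the constructed sample.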
Kaspersky – HoneyMyte
Kaspersky linked this group to a Chinese-speaking threat actor named HoneyMyte. The group has a keen interest in gathering geopolitical and economic intelligence in Asia and Africa.
“This new set of activity may reflect a trend we have seen throughout this year: Chinese-speaking threat actors are re-equipping their arsenals and producing new and unknown malware implants,” said Mark Lechtik, Senior Security Researcher with Kaspersky’s Global Research and Analysis Team (GReAT), in a statement quoted on Friday (27/7/2021).
GReAT security researcher Aseel Kayal said that attacks on this scale are actually quite rare, but found it interesting that more attacks were seen in the Philippines than in Myanmar.
This is likely, he said, due to the use of USB drives as a spreading mechanism, or possibly to other known infection vectors in the Philippines.
Another GReAT senior security researcher, Paul Rascagneres, said this will not be LuminousMoth’s last action.
“We saw an increase in activity by Chinese-speaking threat actors last year, and this will most likely not be LuminousMoth’s last action. Also there is a high possibility that the group will start sharpening its tools further. We will continue to monitor the development of this group in the future,” said Paul.