A Chinese advanced persistent threat (APT) group is spreading fake Zoom software to spy on targets in Southeast Asia.
The group, dubbed LuminousMoth by Kaspersky, focuses on cyber espionage and information theft from high profile targets.
Dating back to at least October 2020, around 100 victims have been detected in Myanmar and nearly 1,400 have been recorded in the Philippines. However, these infection counts may not tell the whole story, as researchers believe only a small subset of these victims were of interest to the APT and were exploited further.
The real targets of LuminousMoth, in particular, are government agencies in these two countries and abroad.
According to the researchers, the high initial infection rate may be due to LuminousMoth's initial attack vector and propagation mechanisms, which are deemed "noisy" and unusual for an APT to adopt.
The APT begins by sending spear phishing emails containing Dropbox download links to a .RAR archive, named with political or COVID-19 themes. This file contains two malicious .DLL files which can then extract and deploy malicious executables to an infected system.
Once this infection step is complete, LuminousMoth downloads a Cobalt Strike beacon and side-loads two malicious libraries designed to establish persistence and copy the malware to all removable storage drives connected to a victimized system.
In the cases noted by Kaspersky, the threat actors then deployed a fake Zoom app. Zoom became a lifeline – alongside Microsoft Teams and others – for many companies forced into remote work during the COVID-19 pandemic.
The software, signed by an organization in Shanghai, is actually used to exfiltrate files of interest to LuminousMoth. Any file found with predefined extensions is copied and transferred to a command and control server (C2).
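The two host-side behaviours described above, copying the implant to every removable drive and collecting files with predefined extensions before contacting the C2, are the kind of thing a defender can look for in endpoint file-activity telemetry. The script below is an added example, not code from the article or from Kaspersky's research: it runs over a few constructed, pipe-delimited log lines (invented process names, paths and addresses) and flags a process that writes executables to two or more removable drives, and a process that reads several document files and then opens a network connection. The drive letters and the list of "predefined" extensions are assumptions chosen for the example.

```python
"""Added example: flag LuminousMoth-style removable-media spread and
document staging followed by a network connection, over constructed logs."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample telemetry (not real LuminousMoth artefacts).
# One event per line: timestamp|process|event|detail
SAMPLE_LOG = """\
10:00:01|winword.exe|FileCreate|C:\\Users\\a\\Documents\\report.docx
10:00:05|updater.exe|FileCreate|E:\\updater.exe
10:00:06|updater.exe|FileCreate|E:\\version.dll
10:00:07|updater.exe|FileCreate|F:\\updater.exe
10:00:08|updater.exe|FileCreate|F:\\version.dll
10:01:00|zoomhelper.exe|FileRead|C:\\Users\\a\\Documents\\report.docx
10:01:01|zoomhelper.exe|FileRead|C:\\Users\\a\\Documents\\budget.xlsx
10:01:02|zoomhelper.exe|FileRead|C:\\Users\\a\\Desktop\\memo.pdf
10:01:03|zoomhelper.exe|FileRead|C:\\Users\\a\\Desktop\\notes.txt
10:01:09|zoomhelper.exe|NetworkConnect|203.0.113.10:443
10:02:00|explorer.exe|FileCreate|E:\\photos\\holiday.jpg
"""

# Assumption: these drive letters are mapped to removable media on the host.
REMOVABLE_DRIVES = {"E:", "F:"}
# Assumption: extensions standing in for the actor's "predefined" list.
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}
EXECUTABLE_EXTS = {".exe", ".dll"}


def parse_log(text):
    """Parse pipe-delimited lines into dicts; skips blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        ts, proc, event, detail = parts
        events.append({"ts": ts, "proc": proc, "event": event, "detail": detail})
    return events


def find_removable_spread(events, min_drives=2):
    """Processes that wrote executables/DLLs to at least min_drives removable drives."""
    drives_by_proc = defaultdict(set)
    for ev in events:
        if ev["event"] != "FileCreate":
            continue
        path = PureWindowsPath(ev["detail"])
        if path.drive in REMOVABLE_DRIVES and path.suffix.lower() in EXECUTABLE_EXTS:
            drives_by_proc[ev["proc"]].add(path.drive)
    return {proc: sorted(d) for proc, d in drives_by_proc.items() if len(d) >= min_drives}


def find_staging_then_connect(events, min_files=3):
    """Processes that read at least min_files target documents, then connected out.

    Returns {process: (document_count, destination)} for the first qualifying
    connection per process; events are assumed to be in chronological order.
    """
    reads_by_proc = defaultdict(int)
    alerts = {}
    for ev in events:
        proc = ev["proc"]
        if ev["event"] == "FileRead":
            if PureWindowsPath(ev["detail"]).suffix.lower() in TARGET_EXTS:
                reads_by_proc[proc] += 1
        elif ev["event"] == "NetworkConnect" and proc not in alerts:
            if reads_by_proc[proc] >= min_files:
                alerts[proc] = (reads_by_proc[proc], ev["detail"])
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for proc, drives in find_removable_spread(evs).items():
        print(f"[spread] {proc} wrote executables to removable drives {drives}")
    for proc, (count, dest) in find_staging_then_connect(evs).items():
        print(f"[staging] {proc} read {count} documents then connected to {dest}")
```

In the sample, `updater.exe` trips the spread check because it wrote an `.exe` and `.dll` to both assumed removable drives, while `explorer.exe` copying a photo to one of them does not; `zoomhelper.exe` trips the staging check after three document reads (the `.txt` is ignored) followed by an outbound connection. Real telemetry would come from something like Sysmon file-create events and network-connection events, and the thresholds would need tuning against the environment's normal backup and sync tools.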
LuminousMoth will also search for cookies and credentials, including those used for Gmail accounts.
“During our test, we created a Gmail account and were able to duplicate our Gmail session using stolen cookies,” Kaspersky explains. “We can therefore conclude that this post-exploitation tool is dedicated to hacking and impersonating the Gmail sessions of targets.”
LuminousMoth and HoneyMyte have adopted similar tactics in campaigns, including C2 overlaps, .DLL sideloading, Cobalt Strike beacon deployment, and similar cookie theft features.
“Both groups, whether related or not, have carried out activities of a similar nature – large-scale attacks that affect a wide range of targets with the aim of hitting a few that are of interest,” the researchers said.