Since mid-2021, we have been investigating a rather elusive threat actor known as Earth Lusca that targets organizations globally through a campaign that uses traditional social engineering techniques such as spear phishing and watering holes. The group’s primary motivation appears to be cyberespionage: the list of its victims consists of high-value targets such as government and educational institutions, religious movements, pro-democracy and human rights organizations in Hong Kong, Covid-19 research organizations, and the media, among others. However, the threat actor also seems to be financially motivated, as it also took aim at gambling and cryptocurrency companies.
Previous research into the group’s activities attributed it to other threat actors such as the Winnti group due to the use of malware such as Winnti, but despite some similarities, we consider Earth Lusca a separate threat actor (we do have evidence, however, that the group is part of the “Winnti cluster,” which is comprised of different groups with the same origin country and shared aspects of their TTPs).
Our technical brief provides an in-depth look at Earth Lusca’s activities, the tools it employs in attacks, and the infrastructure it uses.
Infrastructure and operating model
Earth Lusca’s infrastructure can essentially be grouped into two “clusters.” The first cluster is built using virtual private servers (VPS), rented from a service provider, that are used for the group’s watering hole and spear phishing operations, in addition to acting as a command-and-control (C&C) server for malware.
The second cluster is made up of compromised servers running old, open-source versions of Oracle GlassFish Server. Interestingly, this second cluster plays a different role in an Earth Lusca attack – it acts as a scanning tool that searches for vulnerabilities in public-facing servers and builds traffic tunnels within the target’s network. Like the first cluster, it also serves as a C&C server, this time for Cobalt Strike.
It is possible that the group used parts of its infrastructure (particularly the scanning components) for diversion, in order to trick security staff into focusing on the wrong parts of the network.
Figure 1. An overview of Earth Lusca’s infrastructure
Social engineering and vulnerability exploitation techniques
The group has three primary attack vectors, two of which involve social engineering. The social engineering techniques can be broken down into spear phishing emails and watering hole websites.
Our telemetry data shows Earth Lusca sending spear phishing emails containing malicious links to one of its targets – a media company. These links lead to files that are disguised either as documents that would be of interest to the potential target, or as opinion forms allegedly coming from another media organization. The user eventually downloads an archive file containing either a malicious LNK file or an executable – ultimately leading to a Cobalt Strike loader.
In one incident, the group injected a malicious script into the compromised HR system of a target organization. This script was designed to show a social engineering message – typically a Flash update popup or a DNS error (note that Adobe discontinued Flash Player at the end of December 2020) – that then instructed the visitor to download a malicious file that turned out to be a Cobalt Strike loader.
Figure 2. Fake installation pop-up
The third attack vector used by Earth Lusca is the exploitation of vulnerabilities that exist in the public-facing applications – such as Microsoft Exchange ProxyShell and Oracle GlassFish – of its targets. Once these are exploited, Earth Lusca is free to perform its post-exploitation routines, which include the installation of tools such as Cobalt Strike and Acunetix (we discuss the post-exploitation routines in detail in the technical brief).
Malware used by Earth Lusca
Earth Lusca employs a number of malware families and other hacking tools in its arsenal. A common theme we have seen in its attack vectors is the use of Cobalt Strike loaders – and indeed, Cobalt Strike is one of the group’s preferred tools due to its wide range of post-exploitation capabilities. In this case, the Cobalt Strike shellcode that is dropped onto the target system is encoded via XOR with a corresponding key.
In addition to Cobalt Strike, Earth Lusca also uses malware such as Doraemon, a backdoor named after a Japanese manga, which has two C&C settings: a primary one for an IP address or DNS name, and a public website URL containing encrypted or clear-text C&C IP addresses that is used for persistence.
The group employs well-known malware such as ShadowPad and Winnti, as well as other tools such as cryptocurrency miners, as part of its operations. A more comprehensive list of this malware and these tools is found in the technical brief.
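As an added example (not Trend Micro’s code and not a sample from the campaign), the following Python shows how an analyst can recover such an XOR key from a loader blob with a known-plaintext approach: it assumes the decoded shellcode begins with the common x64 stager prologue (`KNOWN_PROLOGUE`) and that the key is a short repeating byte string; the loader bytes (`SAMPLE_LOADER`) are constructed for the demonstration.

```python
from itertools import cycle
from typing import Optional, Tuple

# Assumption: the standard x64 stager prologue (cld; and rsp,-0x10; call api_call)
# that raw Cobalt Strike-style shellcode commonly starts with. Other prologues
# (x86, custom stagers) would need to be tried in the same way.
KNOWN_PROLOGUE = bytes.fromhex("fc4883e4f0e8c0000000")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` against a repeating `key`; the operation is its own inverse."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def find_encoded_payload(blob: bytes, known: bytes = KNOWN_PROLOGUE,
                         max_key_len: int = 4) -> Optional[Tuple[int, bytes]]:
    """Scan `blob` for an offset where a repeating XOR key of length
    1..max_key_len decodes the window to `known`. Returns (offset, key), or
    None if the key is longer than max_key_len or the prologue differs.
    Keeping `known` several bytes longer than max_key_len makes a chance
    match of the periodicity check very unlikely."""
    n = len(known)
    if max_key_len >= n:
        raise ValueError("known prefix must be longer than max_key_len")
    for off in range(len(blob) - n + 1):
        window = blob[off:off + n]
        # If this window decodes to `known`, the keystream is window ^ known;
        # a genuine repeating key shows up as a periodic keystream.
        stream = xor_bytes(window, known)
        for klen in range(1, max_key_len + 1):
            key = stream[:klen]
            if xor_bytes(window, key) == known:
                return off, key
    return None


def decode_payload(blob: bytes) -> Optional[bytes]:
    """Return the decoded shellcode embedded in `blob`, or None if not found."""
    hit = find_encoded_payload(blob)
    if hit is None:
        return None
    off, key = hit
    return xor_bytes(blob[off:], key)


# Constructed sample: 16 bytes of header filler, then the prologue plus a few
# more bytes, XOR-encoded with the two-byte key 5a a7.
SAMPLE_KEY = bytes.fromhex("5aa7")
SAMPLE_SHELLCODE = KNOWN_PROLOGUE + bytes.fromhex("41514150525156")
SAMPLE_LOADER = b"MZ" + b"\x00" * 14 + xor_bytes(SAMPLE_SHELLCODE, SAMPLE_KEY)
```

Running `find_encoded_payload(SAMPLE_LOADER)` yields the offset and key, and `decode_payload` returns the original shellcode for further analysis.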
Security best practices can help defend against Earth Lusca attacks
Evidence points to Earth Lusca being a highly skilled and dangerous threat actor primarily motivated by cyberespionage and financial gain. However, the group still mainly relies on tried-and-true techniques to entrap a target. While this has its advantages (the techniques have already proven to be effective), it also means that security best practices, such as avoiding clicking on suspicious email/website links and updating important public-facing applications, can minimize the impact of – or even stop – an Earth Lusca attack.
Read our technical brief to learn more about Earth Lusca and its activities.
Trend Micro Inc. published this content on 17 January 2022 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 17 January 2022 12:34:03 UTC.