The newcomer bears monitoring, analysts said, given that it could just be Mustang Panda trying on new clothes, trying to rub out its tracks by re-tooling and coming up with new, unknown malware implants. What is clear: LuminousMoth is a new campaign coming from a Chinese-speaking actor that echoes Mustang Panda/HoneyMyte in that it spreads in large-scale attacks, but in actuality only targets a few of them. It’s unclear whether the “sheer volume” of the attacks is due to the malware replicating through removable devices or whether it’s caused by something else, such as being spread on watering-hole websites or via a supply-chain attack, the researchers said.
#Cobalt strike beacon hx flagging download
After that initial infection, the second vector kicks in, with the DLLs being sideloaded by two executables to spread to removable devices and also download a copy of Cobalt Strike. That’s where a pair of malicious DLLs can be found, masquerading as a.
#Cobalt strike beacon hx flagging rar
The email contains a Dropbox download link that fetches a RAR archive. Boobytrapped USBs Spread Fake Zoomįirst, the campaign sends a spear-phishing email to the victim. Those were two of the names researchers found on archives inside two malicious DLL libraries. They represented a selection of high-profile government entities within the two targeted countries and abroad: Two such were Myanmar’s Ministry of Transport and Communications and the country’s Development Assistance Coordination Unit of the Foreign Economic Relations Department.
The true targets were only a subset of that. The campaign ramped up in the Philippines, where they found nearly 1,400 targeted victims. Luminous Moth was first going after important organizations in Myanmar, where researchers came across about 100 victims. They noted that the two APTs also share the TTPs of using DLL side-loading, as well as both using forms of stealers going after Chrome user-authentication cookies.Ĭonnection between HoneyMyte and LuminousMoth C2s. “The proximity in time and common occurrence in Myanmar of both campaigns could suggest that various TTPs of HoneyMyte may have been borrowed for the activity of LuminousMoth,” Kaspersky analysts surmised. For its part, Avast last month attributed a supply-chain attack against the Myanmar president’s office website to Mustang Panda, showing that Mustang Panda was focusing on the same region as LuminousMoth. There are also similarities in the tactics, techniques and procedures (TTPs) used by the two APTs: Namely, the deployment of the Cobalt Strike beacon as a payload, as was also noted by ESET last month. The LuminousMoth actors are using a unique set of tools and malware propagation methods, but their network infrastructure shares parts with another notorious Chinese hacking group named Mustang Panda, a.k.a. Then again, the higher hit rate in the Philippines could boil down to another, undetected infection vector being used solely in the Philippines, or it could simply be that the attackers are more keenly interested in going after targets there. “It is likely that the high rate of infections is due to the nature of the LuminousMoth attack and its spreading mechanism, as the malware propagates by copying itself to removable drives connected to the system,” according to the writeup. Namely, it copies itself to removable USB drives. The analysts suggested one possible rationale for the splashiness: It could have to do with how LuminousMoth spreads. Of course, that’s a downside for hackers, given that it blows their cover. The noise of a high-volume attack is a red flag for researchers. “It’s not often we observe a large-scale attack conducted by actors fitting this profile, usually due to such attacks being noisy, and thus putting the underlying operation at risk of being compromised by security products or researchers.” -Kaspersky researchers What is atypical about the LuminousMoth campaign is that it’s not only showy, it’s also targeted with “almost surgical precision,” they said. The campaign, going back to at least last October and targeting first Myanmar and now mostly the Philippines, is both large-scale and highly active. Kaspersky researchers said in a Wednesday writeup that they’ve named the advanced threat actor (APT) LuminousMoth.
Researchers have spotted a weird one: A newly identified threat actor linked to China that’s first mass-attacking, but then cherry-picking, just a few targets to hit with malware and data exfiltration.