LuminousMoth APT

LuminousMoth APT Description

Researchers have uncovered a large-scale attack operation that they attribute to a new APT (Advanced Persistent Threat) group named LuminousMoth. APT-related campaigns are typically highly targeted with the cybercriminals tailoring the infection chain and the deployed malware threats to the specific entity they are aiming to breach. However, the LuminousMoth attack has produced an unusually high number of victims - around 100 in Myanmar and close to 1400 in the Philippines. It is more than likely that the actual targets of the campaign represent a small subset of the detected victims. The hackers seem to be after government entities from both countries as well as abroad.

The Infection Chain

The initial infection vector appears to be a spear-phishing email containing a Dropbox download link leading to a corrupted file. The file pretends to be a Word document but is a RAR archive containing two compromised DLL libraries and two legitimate executables tasked with side-loading the DLLs. The archives used bait names such as 'COVID-19 Case 12-11-2020(MOTC).rar' and 'DACU Projects.r01.' In Myanmar, MOTC stands for the Ministry of Transport and Communications, while DACU is the Development Assitance Coordination Unit. 

After the initial breach of the system, LuminousMoth employs a different method for moving sideways. The threat scans the compromised device for removable media such as USB drives. It then creates hidden directories to store select files. 

Post-Exploitation Tools

On certain chosen targets, LuminousMoth escalated the attack by deploying additional threatening tools. Infosec researchers noticed a stealer threat that impersonates the popular video conference application Zoom. To add legitimacy, the disguise has a valid digital signature and certificate. Once initiated, the stealer scans the victim's system for specific file extensions and exfiltrates them to a Command-and-Control server (C2, C&C).

The threat actor also delivered a Chrome cookie stealer to specific systems. The tool needs the local username to access the two files containing the data it is after. After running some tests, the cybersecurity researchers determined that the goal of this tool is to hijack and then impersonate the Gmail sessions of the targets.

It should be noted that the LuminousMoth APT extensively uses a Cobalt Strike beacon as an end-stage payload.

Is LuminousMoth a New Threat Actor?

It seems that the LuminousMoth attack campaign bears some striking similarities to operations carried out by an already established Chinese-related APT named HoneyMyte (Mustang Panda). Both groups display similar target criteria and TTPs (Tactics, Techniques, and Procedures) that include side-loading and the deployment of Cobalt Strike loaders. In addition, the Chome cookie stealer seen in the LuminousMoth attack resembles a corrupted component of past HoneyMyte activities. Overlaps in infrastructure deliver additional links between the groups. At the moment it cannot be conclusively determined if LuminousMoth is indeed a new hacker group or if it is a revamped version of HoneyMyte equipped with a new arsenal of malware tools.