Security experts from Kaspersky have identified a large-scale cyber espionage campaign targeting government entities in Southeast Asian countries such as the Philippines, Myanmar,

Experts believe that the ongoing campaign, named “LuminousMoth”, is linked to the China-based APT group HoneyMyte, also known as Mustang Panda.

“This large-scale and highly active campaign was observed in South East Asia and dates back to at least October 2020, with the most recent attacks seen around the time of writing. Most of the early sightings were in Myanmar, but it now appears the attackers are much more active in the Philippines, where there are more than 10 times as many known targets.” reads the blog post.

Source: Kaspersky

Experts identified that the LuminousMoth campaign uses two infection vectors. In the first, the threat actor sends the victim a spear-phishing email containing a Dropbox link that leads to a RAR archive masquerading as a Word document with a .docx extension. The archive contains two malicious DLLs along with two legitimate executables that sideload those DLLs. Kaspersky has found similar archives whose names reference government entities.

In the second case, “The second infection vector comes into play after the first one has successfully finished, whereby the malware tries to spread by infecting removable USB drives. This is made possible through the use of two components: the first is a malicious library called “version.dll” that gets sideloaded by “igfxem.exe”, a Microsoft Silverlight executable originally named “sllauncher.exe”. The second is “wwlib.dll”, another malicious library sideloaded by the legitimate binary of “winword.exe”. The purpose of “version.dll” is to spread to removable devices, while the purpose of “wwlib.dll” is to download a Cobalt Strike beacon.” reads the blog post.
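The two vectors above give a defender two cheap file-system checks: a file named like a Word document whose header is a RAR archive rather than the ZIP container that real .docx files use, and a directory where one of the sideloaded DLL names from the report sits beside the executable that loads it. The script below is an added example written for this article; it is not Kaspersky's tooling or part of the original report. The sample directory tree it builds is constructed for the demonstration, and the `SIDELOAD_PAIRS` mapping simply restates the two executable/DLL pairs quoted above.

```python
"""Scan a directory tree for the two LuminousMoth artefact patterns described above.

Added example, not Kaspersky's or CyberWorkx's code. Assumptions:
  * A genuine .docx is an OOXML ZIP container and starts with b"PK\x03\x04".
  * RAR 4.x archives start with b"Rar!\x1a\x07\x00", RAR 5.x with b"Rar!\x1a\x07\x01\x00".
  * The DLL/EXE pairs come from the quoted report; the demo tree is constructed.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
ZIP_MAGIC = b"PK\x03\x04"

# DLL name -> executable that the report says sideloads it.
SIDELOAD_PAIRS = {
    "version.dll": "igfxem.exe",
    "wwlib.dll": "winword.exe",
}


def classify_header(data: bytes) -> str:
    """Identify a container type from its leading bytes."""
    if data.startswith(RAR5_MAGIC) or data.startswith(RAR4_MAGIC):
        return "rar"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def extension_mismatch(path: Path) -> bool:
    """True when a file carries a .docx name but is really a RAR archive."""
    if path.suffix.lower() != ".docx":
        return False
    with path.open("rb") as fh:
        head = fh.read(8)
    return classify_header(head) == "rar"


def sideload_candidates(directory: Path) -> list[tuple[str, str]]:
    """Return (exe, dll) pairs from SIDELOAD_PAIRS that coexist in one directory.

    Names are lower-cased because Windows file names are case-insensitive.
    """
    names = {p.name.lower() for p in directory.iterdir() if p.is_file()}
    hits = [(exe, dll) for dll, exe in SIDELOAD_PAIRS.items() if dll in names and exe in names]
    return sorted(hits)


def scan(root: Path) -> dict:
    """Walk root and collect both kinds of findings as root-relative POSIX paths."""
    findings: dict = {"masquerading_docx": [], "sideload_pairs": []}
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        for name in files:
            p = d / name
            if extension_mismatch(p):
                findings["masquerading_docx"].append(p.relative_to(root).as_posix())
        for exe, dll in sideload_candidates(d):
            findings["sideload_pairs"].append((d.relative_to(root).as_posix(), exe, dll))
    findings["masquerading_docx"].sort()
    findings["sideload_pairs"].sort()
    return findings


def build_demo_tree() -> Path:
    """Create a constructed sample tree (not data from the report) and return its root."""
    root = Path(tempfile.mkdtemp(prefix="luminousmoth_demo_"))
    mail = root / "mail"
    mail.mkdir()
    (mail / "Report.docx").write_bytes(RAR5_MAGIC + b"\x00" * 16)  # RAR wearing a .docx name
    (mail / "Real.docx").write_bytes(ZIP_MAGIC + b"\x00" * 16)     # genuine OOXML container
    usb = root / "usb"
    usb.mkdir()
    for name in ("igfxem.exe", "version.dll", "winword.exe", "wwlib.dll"):
        (usb / name).write_bytes(b"MZ")  # placeholder PE stubs, content is irrelevant here
    return root


if __name__ == "__main__":
    for key, value in scan(build_demo_tree()).items():
        print(key, value)
```

Note that `winword.exe` and `wwlib.dll` legitimately coexist in a real Office installation directory, so a deployment of the second check would allowlist the Office install path and alert only on the pair appearing elsewhere, such as on removable media or in user-writable folders.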

Security experts also observed a signed but fake version of the Zoom application, which is likewise data-stealing malware.

CyberWorkx news readers can check out the IOCs of this campaign from this link.

Source: Kaspersky.
