Trend Micro researchers reported that, "Since mid-2021, we've been looking into a rather elusive threat actor known as Earth Lusca, who targets organisations all over the world with a campaign that employs traditional social engineering techniques like spear phishing and watering holes."
Trend Micro telemetry data show that Earth Lusca staged attacks against entities that could be of strategic interest to the Chinese government, such as:
- Gambling companies in Mainland China
- Government institutions in Taiwan, Thailand, Philippines, Vietnam, United Arab Emirates, Mongolia, and Nigeria
- Educational institutions in Taiwan, Hong Kong, Japan, and France
- News media in Taiwan, Hong Kong, Australia, Germany, and France
- Pro-democracy and human rights political organizations and movements in Hong Kong
- COVID-19 research organizations in the U.S.
- Telecom companies in Nepal
- Religious movements that are banned in Mainland China, and
- Various cryptocurrency trading platforms.
Earth Lusca's other attack path is the exploitation of vulnerabilities in public-facing applications, such as Microsoft Exchange (ProxyShell) and Oracle GlassFish Server.
The cybersecurity firm identified the group as a component of the larger China-based Winnti cluster, a term that refers to a collection of linked groups focused on intelligence gathering and intellectual property theft rather than to a single discrete entity.
The infection chains result in the deployment of Cobalt Strike, malware such as Doraemon, ShadowPad, Winnti, and FunnySwitch, and web shells like AntSword and Behinder.
Cobalt Strike is a full-featured framework that began as a legitimate remote access tool designed for use by red teams in penetration testing. In recent years, however, it has emerged as one of the preferred tools in a threat actor's arsenal, as well as the primary means of converting an initial foothold into a hands-on intrusion.
Earth Lusca appears to be a highly skilled and dangerous threat actor motivated primarily by cyberespionage and financial gain. The group continues to rely on tried-and-true techniques to entrap a target.
Finally, the researchers concluded that, "this has advantages (the techniques have already been proven to be effective), it also means that security best practices, such as avoiding clicking on suspicious email/website links and updating critical public-facing applications, can mitigate or even prevent an Earth Lusca attack."