Researchers from Kaspersky report that hundreds of individuals and organizations in South East Asia, including in Myanmar and the Philippine government, are being continuously and extensively targeted by advanced persistent threat (APT) activity.
In its analysis of LuminousMoth's cyber-espionage attacks against a range of Asian government entities, which began in at least October 2020, Kaspersky identified 100 victims in Myanmar and 1400 in the Philippines.
This APT activity cluster, which Kaspersky tracks as LuminousMoth, is attributed with medium to high confidence to HoneyMyte, a Chinese-speaking threat group.
The links include shared network infrastructure, such as command-and-control servers used by the two groups to deploy Cobalt Strike beacon payloads, as well as overlapping tactics, techniques, and procedures (TTPs). Both groups are also reported to launch large-scale attacks against a broad population of targets while aiming to affect only a small subset of victims that match their interests.
"The massive scale of the attack is quite rare. It's also interesting that we've seen far more attacks in the Philippines than in Myanmar," Kaspersky GReAT security researcher Aseel Kayal said. "This could be due to the use of USB drives as a spreading mechanism or there could be yet another infection vector that we're not yet aware of being used in the Philippines," Kayal added.
The threat actors use spear-phishing emails containing malicious Dropbox download links that deliver RAR archives disguised as Word documents; the archives bundle the malware payloads used to gain access to the targeted systems.
Once executed on a victim's device, the malware attempts to spread to other systems through removable USB drives, carrying with it files stolen from previously compromised PCs.
LuminousMoth's toolset also includes post-exploitation tools that operators can use for follow-on movement within victim networks: one is disguised as a fake Zoom application, while the other is designed to steal browser cookies from Chrome.
The threat actors exfiltrate data from compromised devices to their command-and-control (C2) servers, which in some cases were disguised as news outlets to evade detection.
Once installed on a system, the malware tries to infect other machines by spreading through removable USB drives. When a drive is detected, the malware creates hidden folders on it and moves the victim's files and its malicious executables into them.
"This new cluster of activity might once again point to a trend we've been witnessing over this year: Chinese-speaking threat actors re-tooling and producing new and unknown malware implants," Kaspersky GReAT senior security researcher Mark Lechtik added.