
Emerging Threats

China APT: LuminousMoth

· frtg · 3 min read

Recently, malware campaigns executed by a threat actor associated with the Chinese government have been identified. This actor conducts large-scale attacks followed by targeted activities involving deployment of malware and data exfiltration operations.

The campaign, which dates back at least to October of the previous year, targets Myanmar and the Philippines.

Analysts who identified the activities have designated the threat actor as “LuminousMoth”.

LuminousMoth employs a unique set of tools and propagation methods, including malware replication across all connected USB devices, though their offensive infrastructure shares components with another notorious Chinese hacker group known as Mustang Panda, also tracked as HoneyMyte, TA416, or RedDelta.

Mustang Panda TTPs

Typical behavior and compromise chain attributed to Mustang Panda:

  1. Connection to a Google Drive folder, obfuscated using the “link shortener” service goo.gl. When accessed, the Google Drive link retrieves a zip file containing a .lnk file masqueraded as a .pdf file (double extension). This file redirects the user to a Windows Scripting Component (.wsc) hosted on a microblogging page controlled by the adversary. Mustang Panda has previously used the same microblogging site to host malicious PowerShell scripts and Microsoft Office documents in targeted attacks against NGOs focused on Mongolia.
  2. The .lnk file uses a VBScript component to retrieve a decoy PDF file and a PowerShell script from the attacker-controlled web page.
  3. The PowerShell script creates a Cobalt Strike stager payload and an XOR-encoded beacon.

Additional Similarities

Beyond the shared use of Cobalt Strike beacons, the two groups show notable similarities in tactics, techniques, and procedures (TTPs). Last month, Avast attributed to Mustang Panda a supply chain attack against the website of the office of the president of Myanmar, demonstrating specific interest in the same regions targeted by LuminousMoth. The two APTs also share the use of DLL sideloading and of techniques for dumping Chrome authentication cookies. Through Cyber Threat Intelligence analysis, we have tracked consistent patterns in their operational infrastructure.

The targets, in both cases, are a selection of high-profile government entities within the two targeted countries: the Ministry of Transport and Communications of Myanmar and the Development Assistance Coordination Unit of the country’s department for foreign economic relations. 

Attack Structure

Compromises begin with spear-phishing emails sent to targets. The email contains a Dropbox link to download a Covid-19-themed RAR archive. Inside are a pair of malicious DLLs masquerading as .DOCX files. Following initial infection, the DLLs are loaded by two executables to propagate across removable devices and launch Cobalt Strike beacons.
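Both lures described on this page rely on file masquerading: the Mustang Panda chain above hides a .lnk behind a .pdf double extension, and the LuminousMoth archive carries DLLs named as .DOCX. The following is an added detection example (not code from the original post or from either campaign) that scans an extracted archive for both tricks by checking the filename and the first bytes of content; the sample files it builds are constructed placeholders, not real malware.

```python
import os
import tempfile
from pathlib import Path

# Document-looking extensions that the lures on this page imitate.
DOC_EXTS = {".pdf", ".docx", ".doc", ".xlsx", ".pptx", ".txt"}
# Executable or script-launcher extensions hidden behind them.
EXEC_EXTS = {".lnk", ".dll", ".exe", ".scr", ".wsc", ".vbs", ".ps1"}
PE_MAGIC = b"MZ"                   # DOS header shared by EXE and DLL files
LNK_MAGIC = b"\x4c\x00\x00\x00"    # Windows shortcut header (HeaderSize = 0x4C)

def classify(path: Path) -> list[str]:
    """Return the masquerading indicators found for one file (empty if clean)."""
    findings = []
    suffixes = [s.lower() for s in path.suffixes]
    # 1. Double extension: "invoice.pdf.lnk" looks like a PDF but is a shortcut.
    if len(suffixes) >= 2 and suffixes[-1] in EXEC_EXTS and suffixes[-2] in DOC_EXTS:
        findings.append(f"double-extension:{suffixes[-2]}{suffixes[-1]}")
    # 2. Content/extension mismatch: a ".docx" that starts with a PE header is a DLL/EXE.
    with open(path, "rb") as fh:
        head = fh.read(4)
    if suffixes and suffixes[-1] in DOC_EXTS:
        if head.startswith(PE_MAGIC):
            findings.append("pe-with-document-extension")
        elif head == LNK_MAGIC:
            findings.append("lnk-with-document-extension")
    return findings

def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk an extracted archive directory; map suspicious filenames to indicators."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            found = classify(Path(dirpath) / name)
            if found:
                hits[name] = found
    return hits

def demo() -> dict[str, list[str]]:
    """Build a constructed sample 'archive' on disk and scan it (placeholder data)."""
    root = tempfile.mkdtemp(prefix="lure-")
    samples = {
        "Covid-19 guidance.docx": b"MZ\x90\x00" + b"\x00" * 60,   # PE header: really a DLL
        "Budget 2021.pdf.lnk":    LNK_MAGIC + b"\x00" * 60,        # shortcut behind a .pdf name
        "README.txt":             b"plain text, nothing to see",  # benign control
    }
    for name, body in samples.items():
        (Path(root) / name).write_bytes(body)
    return scan_tree(root)

if __name__ == "__main__":
    for name, indicators in demo().items():
        print(f"{name}: {', '.join(indicators)}")
```

Point `scan_tree` at the directory where a mail-gateway or sandbox has extracted the archive; a hit on either indicator is a strong reason to quarantine before any user opens the file.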

In some of the Myanmar attacks, the initial infection was followed by deployment of a fraudulent, validly signed version of the popular Zoom application. The installer was in fact malware that enabled attackers to exfiltrate files from compromised systems. The valid certificate is owned by Founder Technology, a subsidiary of the Founder Group of Peking University, based in Shanghai.

Assessment

As observed, there are differences between the attack chains of LuminousMoth and Mustang Panda. However, it is highly probable that this new operator is nonetheless the same Mustang Panda implementing new techniques in an effort to obscure its operational footprint by reorganizing and deploying new malware variants. Attribution confidence remains high when infrastructure and targeting patterns are considered holistically across campaigns.
