Kaspersky: LuminousMoth spearphishing campaign hit 1,500 targets in Asia

Security researchers think HoneyMyte is behind the advanced persistent threat that has mostly targeted government entities.


Security researchers at Kaspersky have identified a widespread cyberespionage campaign that targets government offices in Asia and starts with a spearphishing email. The security experts have identified 100 victims in Myanmar and 1,400 in the Philippines.


Kaspersky analysts explained the LuminousMoth attack on the SecureList blog and suggested that the lopsided numbers between the two countries could be due to an additional and unknown infection vector used only in the Philippines. 

The initial malicious email includes a Dropbox link. If an individual clicks on the link, this action downloads a RAR archive disguised as a Word document that carries the malicious payload, according to Kaspersky’s analysis. Once the malware makes it to a machine, it exfiltrates data to a command and control server. The malware also tries to infect other machines by spreading through USB drives. If a drive is available, the malware creates hidden directories on the portable device where it moves all of the target’s files. 
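One way to triage a downloads folder for the disguise described above is to compare each file's name with its leading bytes. This is an added example, not code from Kaspersky's analysis; it assumes the disguise is a Word file extension on RAR content (the article does not say how the archive is disguised), and the sample files are constructed.

```python
import tempfile
from pathlib import Path

RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR 4.x, RAR 5.x
WORD_MAGICS = {
    ".docx": b"PK\x03\x04",                       # OOXML is a ZIP container
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # legacy OLE2 compound file
}

def classify(path):
    """Verdict for a file named as a Word document; None for other names."""
    expected = WORD_MAGICS.get(Path(path).suffix.lower())
    if expected is None:
        return None
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(RAR_MAGICS):
        return "rar-as-word"
    return "ok" if head.startswith(expected) else "mismatch"

def scan(root):
    """Map relative path -> verdict for every suspicious file under root."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            verdict = classify(path)
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        if verdict not in (None, "ok"):
            findings[path.relative_to(root).as_posix()] = verdict
    return findings

def build_demo():
    """Constructed sample files (headers only), not real campaign artifacts."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "agenda.docx": b"PK\x03\x04" + b"\x00" * 16,
        "memo.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16,
        "invoice.docx": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16,
        "notes.doc": b"Rar!\x1a\x07\x00" + b"\x00" * 16,
        "backup.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 16,
        "broken.docx": b"plain text, not a ZIP",
    }
    for name, data in samples.items():
        (root / name).write_bytes(data)
    return root

if __name__ == "__main__":
    for rel, verdict in scan(build_demo()).items():
        print(f"{verdict:12} {rel}")
```

A `mismatch` verdict only means the content is neither Word format nor RAR, so it is a prompt for closer inspection rather than a finding on its own.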

The malware has two other tactics to allow lateral movement. The first is a signed, fake version of Zoom, and the second steals cookies from the Chrome browser. 

Aseel Kayal, security researcher with Kaspersky’s Global Research and Analysis Team (GReAT), said in a press release that the scale of the attack is rare.

“It’s also interesting that we’ve seen far more attacks in the Philippines than in Myanmar,” Kayal said. “This could be due to the use of USB drives as a spreading mechanism or there could be yet another infection vector that we’re not yet aware of being used in the Philippines.”

Kaspersky security researchers believe with medium to high confidence that the HoneyMyte threat group is behind the attack. The group is a Chinese-speaking threat actor and seems to be interested in gathering geopolitical and economic intelligence in Asia and Africa. 

Mark Lechtik, senior security researcher with Kaspersky’s GReAT team, said in a press release that this new activity seems to support the trend of Chinese-speaking threat actors re-tooling and producing new and unknown malware implants.

Kaspersky recommends taking these actions to defend against these attacks:

  • Providing basic cybersecurity hygiene training that covers phishing and other social engineering techniques.
  • Conducting a cybersecurity audit of all networks and remediating weaknesses discovered on the perimeter or inside the network.
  • Installing anti-APT and EDR solutions to allow threat discovery and detection, investigation and timely remediation of incidents.
  • Providing the security team with the latest threat intelligence.
  • Training security team members regularly.
