Russian cybersecurity firm Kaspersky on Wednesday, July 14, said it had discovered “a rare, widescale advanced persistent threat (APT) campaign against users in Southeast Asia, most notably Myanmar and the Philippines.”
“APT actors are known for the frequently targeted nature of their attacks. Typically, they will handpick a set of targets that in turn are handled with almost surgical precision, with infection vectors, malicious implants and payloads being tailored to the victims’ identities or environment,” Kaspersky explained in a blog post.
“It’s not often we observe a large-scale attack conducted by actors fitting this profile, usually due to such attacks being noisy, and thus putting the underlying operation at risk of being compromised by security products or researchers.”
The attacks have hit about 100 victims in Myanmar, and 1,400 in the Philippines, some of which were said to be government entities and high-profile organizations.
The phishing emails sent by the campaign contain a Dropbox download link. When clicked, the link downloads a RAR file disguised as a Word document containing the payload. The malware can then spread through USB drives, in which it creates hidden directories, attempting to move all of the victim’s files.
Once inside a machine, the malware can also exfiltrate data and send it to the malware actor’s command and control servers. It has also been found to create a fake version of the Zoom app, and steal cookies from the Chrome browser.
The activity by the group called LuminousMoth, has been going on since at least October 2020. The firm said that the campaign initially targeted Myanmar, but has since shifted their focus to the Philippines.
LuminousMoth was found to have links with the HoneyMyte group, also known as Mustang Panda, a “well-known, long-standing” Chinese-speaking cyber gang that historically has been interested in “gathering geopolitical and economic intelligence in Asia and Africa,” Kaspersky said in a separate press statement.
“We’re seeing increased activity by Chinese-speaking threat actors this past year, and this most likely won’t be the last of LuminousMoth. In addition, there’s a high chance the group will begin to further sharpen its toolset. We’ll be keeping an eye out for any future developments,” said Paul Rascagneres, senior security researcher with Kaspersky’s Global Research and Analysis Team.
Kaspersky advised basic cybersecurity hygiene training, cybersecurity audits of networks, and the installation of anti-APT solutions. – Rappler.com