Kaspersky Lab discovered the rare LuminousMoth cyber-espionage campaign in Southeast Asia. Experts say that, unlike most traditional complex targeted attacks, the list of victims in this case is not limited to dozens of organizations but is much broader: about a hundred organizations in Myanmar and 1400 in the Philippines, including government agencies.
The attacks have continued since at least October 2020. Initial infection occurs through phishing emails containing a Dropbox link that downloads a RAR archive with a malicious Word document. Once on the system, the malware tries to spread to other devices on the network via removable USB drives: if it finds such a drive, it creates hidden directories on it and copies all files from the victim’s device there, including the malicious ones.
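As an added defensive illustration (this is not code from Kaspersky’s report), the scanner below walks a mounted removable drive and flags hidden directories that hold a cluster of files, the footprint the propagation step above leaves behind. The Windows hidden-attribute check, the file-count threshold and the demo drive layout are assumptions and constructed sample data.

```python
import os
import sys
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows "hidden" attribute bit in st_file_attributes

def is_hidden(path: Path) -> bool:
    """Hidden via a leading dot (POSIX) or the Windows hidden attribute."""
    if path.name.startswith("."):
        return True
    try:
        attrs = getattr(path.stat(), "st_file_attributes", 0)  # only set on Windows
    except OSError:
        return False
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN)

def find_hidden_stashes(drive_root, min_files=3):
    """Walk a removable drive and report hidden directories (below the root)
    holding at least min_files files. Returns (relative path, file count,
    sorted extensions seen) tuples; an empty list means nothing was flagged."""
    root = Path(drive_root)
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        d = Path(dirpath)
        if d == root or not is_hidden(d):
            continue
        files = [Path(p) / f for p, _, fs in os.walk(d) for f in fs]
        if len(files) >= min_files:
            exts = sorted({f.suffix.lower() for f in files})
            findings.append((d.relative_to(root).as_posix(), len(files), exts))
        dirnames[:] = []  # subtree already counted; do not descend into it again
    return findings

def build_demo_drive():
    """Constructed sample layout (not real malware output): one ordinary folder
    plus a dot-hidden directory holding copied documents and an executable."""
    base = Path(tempfile.mkdtemp(prefix="usb_demo_"))
    (base / "Photos").mkdir()
    (base / "Photos" / "trip.jpg").write_bytes(b"jpg")
    stash = base / ".recycle" / "docs"
    stash.mkdir(parents=True)
    for name in ("report.docx", "budget.xlsx", "notes.txt", "setup.exe"):
        (stash / name).write_bytes(b"x")
    return base

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_drive()
    for rel, count, exts in find_hidden_stashes(target):
        print(f"hidden directory {rel!r}: {count} files, extensions {exts}")
```

Run it with the drive’s mount point as the first argument; without one it scans the constructed demo layout.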
In addition, LuminousMoth has two more tools in its arsenal, used in the next stage of the attack: one is a fake version of Zoom, the other steals cookies from the Chrome browser. After establishing persistence on the system, the malware continues to transmit data to its command-and-control server. In the attacks carried out in Myanmar, these servers often impersonate well-known news sources.
Researchers believe that behind the campaign is the well-known Chinese-speaking group HoneyMyte, which collects geopolitical and economic data in Asia and Africa.
“This campaign confirms the trend we have seen over the past year: Chinese-speaking groups are creating new malicious implants, and their activity is growing. There is a high probability that attackers will continue to develop their tools, so we will monitor further developments of LuminousMoth,” comments Maria Namestnikova, head of the Russian research center at Kaspersky Lab.