According to Kaspersky researchers, an advanced persistent threat campaign was launched against hundreds of victims in Southeast Asia, including government entities in the Philippines and Myanmar.
This APT activity, tracked as LuminousMoth, has previously been linked with medium to high confidence to the HoneyMyte threat group.
In their report, the researchers cite several pieces of evidence for the link: overlapping network infrastructure, including shared command-and-control servers, and similar techniques and procedures for deploying Cobalt Strike beacons.
Both APTs are known to open with large-scale attacks against a large number of targets and then narrow their focus to a select few.
According to Kaspersky, the attacks have affected over 1,400 individuals in the Philippines and over 100 victims in Myanmar since at least October 2020.
“The massive scale of the attack is quite rare. It’s also interesting that we’ve seen far more attacks in the Philippines than in Myanmar,” Kaspersky GReAT security researcher Aseel Kayal said. “This could be due to the use of USB drives as a spreading mechanism or there could be yet another infection vector that we’re not yet aware of being used in the Philippines.”
The spear-phishing emails contain Dropbox download links that lead victims to RAR archives disguised as Word documents.
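A practical check against the lure described above is to compare what a file's name claims with what its leading bytes actually are. The following Python script is an added example, not code from the article or from Kaspersky's report: it flags files whose extension says Word document but whose magic bytes identify a RAR archive, and generalises the same test to .doc, .docx and .rar content. The sample files are constructed inside a temporary directory; the real lure filenames from the report are not on this page and are not assumed here.

```python
"""Flag files whose extension and content disagree (e.g. a RAR archive named .docx).

Added example for this article, not code from Kaspersky's report. The sample
files written by write_samples() are constructed dummies, not real malware.
"""
import os
import tempfile

# Leading bytes ("magic numbers") of the formats involved.
RAR5 = b"Rar!\x1a\x07\x01\x00"              # RAR 5.x archive
RAR4 = b"Rar!\x1a\x07\x00"                  # RAR 1.5 to 4.x archive
ZIP = b"PK\x03\x04"                          # OOXML (.docx/.docm/.dotx) is a ZIP container
OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy binary .doc (OLE2 compound file)
RTF = b"{\\rtf"                              # RTF, which is often saved with a .doc name

# Which content types each extension may legitimately carry.
EXPECTED = {
    ".docx": {"zip"}, ".docm": {"zip"}, ".dotx": {"zip"},
    ".doc": {"ole", "rtf"},
    ".rar": {"rar"},
}


def sniff(head: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the file name entirely."""
    if head.startswith(RAR5) or head.startswith(RAR4):
        return "rar"
    if head.startswith(ZIP):
        return "zip"
    if head.startswith(OLE):
        return "ole"
    if head.startswith(RTF):
        return "rtf"
    return "unknown"


def check_file(path: str) -> dict:
    """Return the sniffed kind and whether it contradicts the extension."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    kind = sniff(head)
    ext = os.path.splitext(path)[1].lower()
    expected = EXPECTED.get(ext)
    # Only extensions we have expectations for can produce a mismatch;
    # unknown extensions are reported but not flagged.
    mismatch = expected is not None and kind not in expected
    return {"name": os.path.basename(path), "kind": kind, "mismatch": mismatch}


def scan_dir(root: str) -> list:
    return [check_file(os.path.join(root, n)) for n in sorted(os.listdir(root))]


def write_samples(root: str) -> None:
    """Write constructed sample files (dummy headers plus padding, not real malware)."""
    samples = {
        "minutes.docx": ZIP + bytes(40),   # genuine-looking OOXML header
        "briefing.doc": OLE + bytes(40),   # genuine-looking legacy .doc header
        "memo.doc": RTF + b"1" + bytes(40),  # RTF saved under a .doc name: legitimate
        "report.docx": RAR5 + bytes(40),   # RAR 5 archive wearing a .docx name
        "agenda.doc": RAR4 + bytes(40),    # RAR 4 archive wearing a .doc name
        "files.rar": RAR5 + bytes(40),     # honest archive, extension matches
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo() -> dict:
    """Build the constructed samples in a temp dir and scan them; keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        write_samples(tmp)
        return {r["name"]: r for r in scan_dir(tmp)}


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{'MISMATCH' if r['mismatch'] else 'ok':8} {r['kind']:8} {name}")
```

Run it on a download or mail-attachment directory instead of the temporary one by calling `scan_dir(path)`. The check reads only the first 16 bytes, so it is cheap enough to run over a whole quarantine folder; it will not catch an archive that is honestly named .rar, which is why the extension-to-content table rather than a RAR-only test is used.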
Once installed, the malware attempts to spread to other systems via removable USB drives and steals files from the infected machine. When it detects a removable USB drive, it creates hidden directories on the drive and copies the stolen files into them.
The LuminousMoth malware can also perform various post-exploitation activities, such as deploying a fake Zoom application and stealing Chrome browser cookies. The threat actors then exfiltrate the collected data to their servers.
“This new cluster of activity might once again point to a trend we’ve been witnessing over the course of this year: Chinese-speaking threat actors re-tooling and producing new and unknown malware implants,” Kaspersky GReAT senior security researcher Mark Lechtik added.
Details of the indicators of compromise can be found in Kaspersky's report.