A Chinese advanced persistent threat (APT) group is distributing a fake Zoom application to targets in South East Asia. Tracked as LuminousMoth by Kaspersky, the group focuses on cyberespionage and information theft against high-profile individuals.
Over the past couple of years, around 100 victims have been reported in Myanmar and over 1,400 in the Philippines. Only a small subset of these victims are believed to be the APT's actual targets: the government agencies that LuminousMoth is primarily after.
The researchers attribute the malware's wide spread to the unusual, "noisy" attack vector LuminousMoth uses. The attack chain begins with spear-phishing emails carrying links to .RAR archives; two malicious .DLL files inside the archive then download and launch further malicious executables.
Once this initial infection is complete, LuminousMoth installs two malicious libraries and a Cobalt Strike beacon, and these copy the malware onto any removable storage drives attached to the machine, which is how the infection travels far beyond the intended targets.
Kaspersky also highlighted cases in which the attackers deployed a fake version of Zoom, the video-conferencing software many businesses were forced to adopt when they went remote during the COVID-19 pandemic.
The fake application is signed with a certificate issued to an organization in Shanghai. It exfiltrates several kinds of data, including browser cookies and credentials for websites and services such as Gmail, and it copies files of interest and transfers them to a command-and-control (C2) server.
“During our test, we set up a Gmail account and were able to duplicate our Gmail session by using the stolen cookies,” Kaspersky says. “We can therefore conclude this post-exploitation tool is dedicated to hijacking and impersonating the Gmail sessions of the targets.”
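The point Kaspersky makes above is that a session cookie is a bearer token: whoever presents it is the user, regardless of which machine sends it. The following is an added illustration written for this page, not Kaspersky's test setup or any LuminousMoth code. It stands up a toy web app (a hypothetical in-memory session store, a `/login` endpoint that issues a `SID` cookie, and an `/inbox` endpoint that trusts that cookie alone), logs a constructed "victim" user in, then replays the copied cookie from a separate client connection and shows that the server grants the same access.

```python
"""Added example: why a copied session cookie is enough to impersonate a user.
Toy server and clients constructed inline; runs offline on a random local port."""
import http.client
import http.server
import secrets
import threading
from http.cookies import SimpleCookie

# Hypothetical in-memory session store: cookie value -> user name.
SESSIONS = {}


class DemoHandler(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_POST(self):
        # POST /login?user=<name> creates a session and hands back its cookie.
        if self.path.startswith("/login") and "=" in self.path:
            user = self.path.split("=", 1)[1]
            sid = secrets.token_hex(16)
            SESSIONS[sid] = user
            self.send_response(200)
            self.send_header("Set-Cookie", f"SID={sid}; HttpOnly")
            self.end_headers()
            self.wfile.write(b"logged in")
        else:
            self.send_response(404)
            self.end_headers()

    def do_GET(self):
        # GET /inbox is authorized purely by the SID cookie; nothing else
        # (client address, user agent, device) is checked. That is the weakness
        # a cookie-stealing tool exploits.
        cookies = SimpleCookie(self.headers.get("Cookie", ""))
        sid = cookies["SID"].value if "SID" in cookies else None
        user = SESSIONS.get(sid)
        if self.path == "/inbox" and user:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(f"inbox of {user}".encode())
        else:
            self.send_response(401)
            self.end_headers()
            self.wfile.write(b"login required")


def start_server():
    """Bind to an ephemeral port and serve in a background thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def request(port, method, path, cookie=None):
    """One HTTP exchange from a fresh connection; returns (status, body, Set-Cookie)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    headers = {"Cookie": cookie} if cookie else {}
    conn.request(method, path, headers=headers)
    resp = conn.getresponse()
    body = resp.read().decode()
    set_cookie = resp.getheader("Set-Cookie")
    conn.close()
    return resp.status, body, set_cookie


def demo_session_hijack():
    """Victim logs in; attacker replays the copied cookie from another client."""
    srv = start_server()
    port = srv.server_address[1]
    try:
        # Victim's browser logs in and receives a session cookie.
        status, _, set_cookie = request(port, "POST", "/login?user=alice")
        victim_cookie = set_cookie.split(";")[0]  # "SID=<hex>", as a stealer would copy it
        # Attacker without the cookie is refused.
        no_cookie_status = request(port, "GET", "/inbox")[0]
        # Attacker presents the stolen cookie from a different connection.
        hijacked_status, hijacked_body, _ = request(port, "GET", "/inbox", cookie=victim_cookie)
        return {
            "login": status,
            "no_cookie": no_cookie_status,
            "hijacked_status": hijacked_status,
            "hijacked_body": hijacked_body,
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo_session_hijack())
```

The toy server deliberately checks nothing but the cookie, which is the behaviour Kaspersky observed when the copied Gmail cookies reproduced the victim's session. For defenders the practical consequence is that changing the password does not help on its own; the stolen session must be revoked server-side, and any sign-in from an unexpected client holding a previously issued cookie is worth alerting on.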
LuminousMoth's activity overlaps with that of HoneyMyte (also known as Mustang Panda), a Chinese-speaking group behind the attack on the office of Myanmar's president.
The two groups' campaigns share tradecraft: similar C2 infrastructure, DLL side-loading, similar cookie-stealing methods, and the use of Cobalt Strike beacons.
“Both groups, whether related or not, have conducted activity of the same nature — large-scale attacks that affect a wide perimeter of targets with the aim of hitting a few that are of interest,” the researchers say.