New Chinese Threat Group Deals in Espionage and Theft
'Earth Lusca' Is Targeting Governments Internationally
A new threat group linked to China, dubbed "Earth Lusca" by researchers at cybersecurity firm Trend Micro, is not only running cyberespionage campaigns against governments, as seen in several other state-backed campaigns, but is also seeking financial gain, with successful attacks against several gambling companies in China and various cryptocurrency platforms.
Andy Norton, European cyber risk officer at cybersecurity firm Armis, says although this is not typical behavior for a nation-state threat actor, the activities and targets of Earth Lusca seem to fit the bill of a nation-state-driven agenda. "Many nations around the world use cyber as a method for gaining political intelligence, whether that is to understand and adapt foreign policy, gain insight into intellectual property or monitor the activity of citizens," he says.
The methodologies outlined in the Trend Micro report are well known to the industry, Norton says - including the use of red herring payloads, such as the noisy Monero miners that are often deliberately installed to deflect attention from the real nature and purpose of the attack by more sophisticated actors.
The Trend Micro researchers, who began monitoring Earth Lusca's operations in mid-2021, linked the threat actor to attacks on several publicly known targets, including:
- Government institutions in Taiwan, Thailand, the Philippines, Vietnam, the United Arab Emirates, Mongolia and Nigeria;
- Educational institutions in Taiwan, Hong Kong, Japan and France;
- Media agencies in Taiwan, Hong Kong, Australia, Germany and France;
- Pro-democracy and human rights political organizations and movements in Hong Kong;
- COVID-19 research organizations in the United States;
- Telecom companies in Nepal;
- Religious movements that are banned in mainland China;
- Various cryptocurrency trading platforms.
Gambling and cryptocurrency trading are illegal in China. The researchers say that what appears to be a state-backed threat actor has also targeted these platforms with cryptocurrency miners, "with the primary cryptocurrency target being Monero [XMR]."
Links to APT41, aka Winnti
The researchers say they saw a close resemblance between this group's tactics, techniques and procedures and those of APT41 - which is also known as Winnti, Wicked Spider, Winnti Umbrella and Barium. In fact, Earth Lusca deploys Winnti malware in the advanced stages of its campaigns, the researchers say.
Despite that similarity, however, the researchers say they consider Earth Lusca a separate threat actor. But they add: "We do have evidence, however, that the group is part of the 'Winnti cluster,' which is comprised of different groups with the same origin country and share aspects of their TTPs."
Based on how each part is used, the researchers have grouped Earth Lusca's operational infrastructure into two clusters:
- First Cluster: This cluster is built from virtual private servers rented from the provider Vultr. It is used to carry out watering hole and spear-phishing operations and also acts as a command-and-control server for the group's malware, the researchers say.
- Second Cluster: This cluster also acts as a C&C server, in this case for Cobalt Strike Beacon, and additionally "acts as a scanning tool that searches for vulnerabilities in public-facing servers and builds traffic tunnels within the target's network," the researchers say. Unlike the rented VPS in the first cluster, the second cluster consists of compromised servers running old, open-source versions of Oracle GlassFish Server.
Attack Vectors Used
Earth Lusca uses three primary attack vectors, according to the researchers. Two of them - spear-phishing and watering hole attacks - rely on social engineering, while the third exploits known vulnerabilities in public-facing products such as Microsoft Exchange Server [the ProxyShell vulnerability chain, for which Microsoft released patches in 2021] and Oracle's GlassFish Server. Because these are known, already-patched flaws, timely patching of internet-exposed servers is the most direct defense against the third vector.
After successful exploitation, Earth Lusca deploys one or more of the payloads listed below for reconnaissance, persistence and lateral movement, the researchers say:
- Doraemon backdoor;
- FunnySwitch backdoor;
- ShadowPad backdoor;
- Winnti malware;
- AntSword web shell;
- Behinder web shell.
The threat actors also deployed cryptominers that mine Monero, according to the researchers, who add that "the revenue earned from the mining activities seems low."
Pascal Geenens, director of threat intelligence at Radware, tells ISMG that Chinese-linked threat groups do not generally go after monetary gains but says: "Once the victims have served their purpose, the state threat group members are allowed to run their own financially motivated campaigns against the victims for personal gain."
Geenens also says, "It is unlikely that Chinese government groups would get involved in stealing from companies. However, given the ban against cryptocurrencies and gambling in mainland China, in addition to the push for government-regulated Digital Currency Electronic Payment, or DCEP, it's worth keeping an eye on the situation."