
Earth Lusca

Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some Earth Lusca operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) Earth Lusca has used malware commonly used by other Chinese threat groups, including APT41 and the Winnti Group cluster; however, security researchers assess Earth Lusca's techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022)
ID: G1006
Associated Groups: Charcoal Typhoon, ControlX, CHROMIUM, TAG-22
Version: 2.0
Created: 01 Jul 2022
Last Modified: 16 Sep 2024

Associated Group Descriptions

Name Description
Charcoal Typhoon (Citation: Microsoft Threat Actor Naming July 2023)
ControlX (Citation: Microsoft Threat Actor Naming July 2023)
CHROMIUM (Citation: Microsoft Threat Actor Naming July 2023) (Citation: Recorded Future RedHotel August 2023)
TAG-22 (Citation: Recorded Future TAG-22 July 2021)

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Earth Lusca has used the Fodhelper UAC bypass technique to gain elevated privileges.(Citation: TrendMicro EarthLusca 2022)

Enterprise T1098 .004 Account Manipulation: SSH Authorized Keys

Earth Lusca has placed an SSH authorized key in the `/root/.ssh` folder (the `authorized_keys` file) so it could log in to a compromised server as root over SSH.(Citation: TrendMicro EarthLusca 2022)
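The authorized-keys persistence described above can be audited directly. The following is an added example, not code from the Trend Micro report or from ATT&CK: it parses an `authorized_keys` file, computes each key's fingerprint in OpenSSH's `SHA256:` notation, and flags any entry whose fingerprint is not on an allowlist or whose declared key type disagrees with the type encoded in the key blob. The key material and file contents are constructed for the example (they are not real keys), and `ed25519_blob`, `audit_authorized_keys` and the allowlist are the example's own names.

```python
import base64
import hashlib
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def ssh_string(b: bytes) -> bytes:
    """Length-prefixed string as used in the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(b)) + b


def ed25519_blob(raw_pubkey: bytes) -> str:
    """Base64 wire encoding of an ssh-ed25519 public key. Used here only to build
    sample data: the 32 bytes passed in are constructed, not a real key."""
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)).decode()


def fingerprint(blob_b64: str) -> str:
    """Fingerprint in OpenSSH's notation: SHA-256 of the decoded blob, base64, no padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def blob_type(blob_b64: str) -> Optional[str]:
    """Key type string encoded inside the blob, or None if the blob is malformed."""
    raw = base64.b64decode(blob_b64, validate=True)
    if len(raw) < 4:
        return None
    (n,) = struct.unpack(">I", raw[:4])
    if len(raw) < 4 + n:
        return None
    return raw[4:4 + n].decode("ascii", "replace")


@dataclass
class Finding:
    line_no: int
    comment: str
    fingerprint: Optional[str]
    reasons: List[str] = field(default_factory=list)


def audit_authorized_keys(text: str, allowed: Set[str]) -> List[Finding]:
    """Return one Finding per entry that is malformed, mis-typed or not allowlisted."""
    findings = []
    for line_no, raw_line in enumerate(text.splitlines(), 1):
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Entries may carry a leading options field (from=, command=, ...); the key
        # type is the first whitespace-separated token that looks like one. Options
        # whose quoted value itself contains whitespace are not handled by this split.
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(fields):
            findings.append(Finding(line_no, "", None, ["unparseable entry"]))
            continue
        declared, blob = fields[idx], fields[idx + 1]
        comment = " ".join(fields[idx + 2:])
        try:
            inner, fp = blob_type(blob), fingerprint(blob)
        except ValueError:  # base64 garbage (binascii.Error is a ValueError)
            findings.append(Finding(line_no, comment, None, ["undecodable key blob"]))
            continue
        reasons = []
        if inner != declared:
            reasons.append(f"declared {declared} but blob encodes {inner}")
        if fp not in allowed:
            reasons.append(f"fingerprint {fp} not in allowlist")
        if reasons:
            findings.append(Finding(line_no, comment, fp, reasons))
    return findings


# Constructed sample file: two entries for the legitimate admin key (one with
# options), one planted key, and one entry whose declared type does not match its blob.
ADMIN_KEY = ed25519_blob(bytes(range(32)))
PLANTED_KEY = ed25519_blob(bytes(range(32, 64)))
SAMPLE_AUTHORIZED_KEYS = f"""# /root/.ssh/authorized_keys (constructed sample)
ssh-ed25519 {ADMIN_KEY} admin@bastion
from="10.0.0.0/8",no-agent-forwarding ssh-ed25519 {ADMIN_KEY} admin@bastion-restricted
ssh-ed25519 {PLANTED_KEY} root@localhost
ssh-rsa {PLANTED_KEY} backup@host
"""
# In production this is the stored set of approved fingerprints; it is derived from
# the sample admin key here so that the example is self-contained.
ALLOWED_FINGERPRINTS = {fingerprint(ADMIN_KEY)}

if __name__ == "__main__":
    for f in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED_FINGERPRINTS):
        print(f"line {f.line_no}: {f.comment or '<no comment>'}: {'; '.join(f.reasons)}")
```

Comparing fingerprints rather than comment strings matters because the comment field is free text and an attacker can reuse a legitimate-looking one; the fingerprint is bound to the key material. Run the audit against every `authorized_keys` file, not only root's, since the same technique works for any account with a login shell.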

Enterprise T1583 .001 Acquire Infrastructure: Domains

Earth Lusca has registered domains, intended to look like legitimate target domains, that have been used in watering hole attacks.(Citation: TrendMicro EarthLusca 2022)

.004 Acquire Infrastructure: Server

Earth Lusca has acquired multiple servers for some of their operations, using each server for a different role.(Citation: TrendMicro EarthLusca 2022)

.006 Acquire Infrastructure: Web Services

Earth Lusca has established GitHub accounts to host their malware.(Citation: TrendMicro EarthLusca 2022)

Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

Earth Lusca has scanned for vulnerabilities in the public-facing servers of their targets.(Citation: TrendMicro EarthLusca 2022)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Earth Lusca has used WinRAR to compress stolen files into an archive prior to exfiltration.(Citation: TrendMicro EarthLusca 2022)

Enterprise T1547 .012 Boot or Logon Autostart Execution: Print Processors

Earth Lusca has added the Registry key `HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\UDPrint` with its `Driver` value set to `spool.dll` (the recorded command carries the `reg add` switches `/v Driver /d "spool.dll" /f`), so that the Print Spooler loads the malware as a Print Processor.(Citation: TrendMicro EarthLusca 2022)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Earth Lusca has used PowerShell to execute commands.(Citation: TrendMicro EarthLusca 2022)

.005 Command and Scripting Interpreter: Visual Basic

Earth Lusca used VBA scripts.(Citation: TrendMicro EarthLusca 2022)

.006 Command and Scripting Interpreter: Python

Earth Lusca used Python scripts for port scanning or building reverse shells.(Citation: TrendMicro EarthLusca 2022)

.007 Command and Scripting Interpreter: JavaScript

Earth Lusca has manipulated legitimate websites to inject malicious JavaScript code as part of their watering hole operations.(Citation: TrendMicro EarthLusca 2022)

Enterprise T1584 .004 Compromise Infrastructure: Server

Earth Lusca has used compromised web servers as part of their operational infrastructure.(Citation: TrendMicro EarthLusca 2022)

.006 Compromise Infrastructure: Web Services

Earth Lusca has compromised Google Drive repositories.(Citation: TrendMicro EarthLusca 2022)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Earth Lusca created a service for persistence using the command `sc create "SysUpdate" binpath= "cmd /c start "[file path]"" && sc config "SysUpdate" start= auto && net start SysUpdate`, which registers a service whose binary path launches the payload through `cmd`, configures it to start automatically, and starts it immediately.(Citation: TrendMicro EarthLusca 2022)

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Earth Lusca has used the megacmd tool to upload stolen files from a victim network to MEGA.(Citation: TrendMicro EarthLusca 2022)

Enterprise T1574 .001 Hijack Execution Flow: DLL

Earth Lusca has placed a malicious payload in `%WINDIR%\SYSTEM32\oci.dll` so it would be sideloaded by the MSDTC service.(Citation: TrendMicro EarthLusca 2022)

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

Earth Lusca used the command `move [file path] c:\windows\system32\spool\prtprocs\x64\spool.dll` to move and register a malicious DLL name as a Windows print processor, which eventually was loaded by the Print Spooler service.(Citation: TrendMicro EarthLusca 2022)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Earth Lusca has used ProcDump to obtain the hashes of credentials by dumping the memory of the LSASS process.(Citation: TrendMicro EarthLusca 2022)

.006 OS Credential Dumping: DCSync

Earth Lusca has used Mimikatz's DCSync command to retrieve account credentials from a compromised domain controller.(Citation: TrendMicro EarthLusca 2022)

Enterprise T1027 .003 Obfuscated Files or Information: Steganography

Earth Lusca has used steganography to hide shellcode in a BMP image file.(Citation: TrendMicro EarthLusca 2022)

Enterprise T1588 .001 Obtain Capabilities: Malware

Earth Lusca has acquired and used a variety of malware, including Cobalt Strike.(Citation: TrendMicro EarthLusca 2022)

.002 Obtain Capabilities: Tool

Earth Lusca has acquired and used a variety of open source tools.(Citation: TrendMicro EarthLusca 2022)

Enterprise T1566 .002 Phishing: Spearphishing Link

Earth Lusca has sent spearphishing emails to potential targets that contained a malicious link.(Citation: TrendMicro EarthLusca 2022)

Enterprise T1608 .001 Stage Capabilities: Upload Malware

Earth Lusca has staged malware and malicious files on compromised web servers, GitHub, and Google Drive.(Citation: TrendMicro EarthLusca 2022)

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

Earth Lusca has used `mshta.exe` to load an HTA script within a malicious .LNK file.(Citation: TrendMicro EarthLusca 2022)
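Several of the entries above record concrete command lines: the Fodhelper UAC bypass (T1548.002), the `reg add` under the Print Processors key (T1547.012), the `SysUpdate` service (T1543.003), the move of `spool.dll` into `prtprocs` (T1036.005), ProcDump against LSASS (T1003.001), DCSync via Mimikatz (T1003.006) and `mshta.exe` loading an HTA (T1218.005). These shapes are specific enough to turn into process-creation detections. The following is an added example, not code from the Trend Micro report or from ATT&CK: a small rule set applied to Sysmon Event ID 1-style process events, with constructed sample events. The file paths, binary names and the `triage` function are this example's own assumptions; the rules follow the shapes described above and would need tuning against an environment's own baseline (printer driver installation, for instance, legitimately writes to `prtprocs`).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    technique: str                        # ATT&CK sub-technique ID from the table above
    name: str
    command: re.Pattern                   # matched against CommandLine, case-insensitively
    parent: Optional[re.Pattern] = None   # optional constraint on ParentImage


RULES = [
    Rule("T1547.012", "reg add under the Print Processors key",
         re.compile(r"reg(?:\.exe)?\s+add\s+.*\\Print Processors\\", re.I)),
    Rule("T1036.005", "file moved/copied into the print processor directory",
         re.compile(r"\b(?:move|copy)\b.*\\spool\\prtprocs\\", re.I)),
    Rule("T1543.003", "service created with a cmd/PowerShell binary path",
         re.compile(r'sc(?:\.exe)?\s+create\s+.*binpath=\s*"?\s*(?:cmd(?:\.exe)?|%comspec%|powershell)', re.I)),
    Rule("T1003.001", "ProcDump targeting lsass",
         re.compile(r"procdump(?:64)?(?:\.exe)?\s+.*\blsass\b", re.I)),
    Rule("T1003.006", "Mimikatz DCSync module on the command line",
         re.compile(r"lsadump::dcsync", re.I)),
    # Any mshta with an argument; a parent of explorer.exe points at a user opening a .LNK.
    Rule("T1218.005", "mshta launched with an argument",
         re.compile(r"mshta(?:\.exe)?\s+\S", re.I)),
    # Fodhelper looks up HKCU\Software\Classes\ms-settings\Shell\Open\command at
    # high integrity; writing that key from a medium-integrity process is the bypass.
    Rule("T1548.002", "ms-settings handler hijack written to HKCU",
         re.compile(r"reg(?:\.exe)?\s+add\s+.*ms-settings\\shell\\open\\command", re.I)),
    Rule("T1548.002", "cmd/PowerShell spawned by fodhelper.exe",
         re.compile(r"\b(?:cmd|powershell)(?:\.exe)?\b", re.I),
         parent=re.compile(r"\\fodhelper\.exe$", re.I)),
]


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply every rule to every event; one finding per (event, rule) hit."""
    findings = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            if not rule.command.search(ev["CommandLine"]):
                continue
            if rule.parent is not None and not rule.parent.search(ev["ParentImage"]):
                continue
            findings.append({"event": idx, "technique": rule.technique,
                             "name": rule.name, "command": ev["CommandLine"]})
    return findings


# Constructed process-creation events (Sysmon Event ID 1 field names). Paths and
# binary names are illustrative; the command shapes follow the table above.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\services.exe", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},                      # benign
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\UDPrint" /v Driver /d "spool.dll" /f'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c move C:\Users\Public\upd.tmp c:\windows\system32\spool\prtprocs\x64\spool.dll"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc create "SysUpdate" binpath= "cmd /c start C:\Users\Public\update.exe" && sc config "SysUpdate" start= auto && net start SysUpdate'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Users\Public\procdump64.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma lsass.exe C:\Users\Public\l.dmp"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\victim\AppData\Local\Temp\invite.hta"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /d "C:\Users\Public\x.exe" /f'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc create MyAgent binpath= "C:\Program Files\Vendor\agent.exe" start= auto'},  # benign shape
    {"ParentImage": r"C:\Windows\System32\fodhelper.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Users\Public\x.exe"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Users\Public\mk.exe",
     "CommandLine": r'mk.exe "lsadump::dcsync /domain:corp.example /user:krbtgt" exit'},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f['event']}: {f['technique']} ({f['name']}): {f['command']}")
```

The two benign events (a normal `svchost` launch and a service whose binary path is a vendor executable rather than `cmd`) are there to show that the service rule keys on the `cmd /c start` shape, not on `sc create` itself. Command-line matching is a first pass only: the print processor and `oci.dll` sideloading entries above are better confirmed from file-creation or registry-set events and from the DLLs actually loaded by `spoolsv.exe` and `msdtc.exe`, which a renamed tool or a direct API call would not leave in a command line.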

Enterprise T1204 .001 User Execution: Malicious Link

Earth Lusca has sent spearphishing emails that required the user to click on a malicious link and subsequently open a decoy document with a malicious loader.(Citation: TrendMicro EarthLusca 2022)

.002 User Execution: Malicious File

Earth Lusca required users to click on a malicious file for the loader to activate.(Citation: TrendMicro EarthLusca 2022)

Software

ID Name References Techniques
S0160 certutil (Citation: TechNet Certutil) (Citation: TrendMicro EarthLusca 2022) Archive via Utility, Deobfuscate/Decode Files or Information, Install Root Certificate, Ingress Tool Transfer
S0194 PowerSploit (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation) (Citation: TrendMicro EarthLusca 2022) Scheduled Task, Windows Management Instrumentation, Screen Capture, Keylogging, Path Interception by PATH Environment Variable, Audio Capture, Local Account, Windows Service, DLL, Credentials in Registry, Data from Local System, Reflective Code Loading, Security Support Provider, Path Interception by Search Order Hijacking, LSASS Memory, Domain Trust Discovery, Group Policy Preferences, Process Discovery, PowerShell, Registry Run Keys / Startup Folder, Indicator Removal from Tools, Path Interception by Unquoted Path, Query Registry, Path Interception, Windows Credential Manager, Command Obfuscation, Access Token Manipulation, Kerberoasting, Dynamic-link Library Injection
S0057 Tasklist (Citation: Microsoft Tasklist) (Citation: TrendMicro EarthLusca 2022) System Service Discovery, Process Discovery, Security Software Discovery
S0430 Winnti for Linux (Citation: Chronicle Winnti for Linux May 2019) (Citation: TrendMicro EarthLusca 2022) Encrypted/Encoded File, Rootkit, Symmetric Cryptography, Deobfuscate/Decode Files or Information, Traffic Signaling, Non-Application Layer Protocol, Web Protocols, Ingress Tool Transfer
S0359 Nltest (Citation: Nltest Manual) (Citation: TrendMicro EarthLusca 2022) System Network Configuration Discovery, Domain Trust Discovery, Remote System Discovery
S0154 Cobalt Strike (Citation: TrendMicro EarthLusca 2022) (Citation: cobaltstrike manual) Windows Management Instrumentation, Screen Capture, Rundll32, Standard Encoding, Keylogging, JavaScript, Bypass User Account Control, Sudo and Sudo Caching, Security Account Manager, DNS, Domain Account, Symmetric Cryptography, Windows Service, Domain Groups, SSH, System Service Discovery, Code Signing, Network Share Discovery, Application Layer Protocol, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Timestomp, Reflective Code Loading, Scheduled Transfer, SMB/Windows Admin Shares, Protocol Tunneling, Browser Session Hijacking, Modify Registry, Windows Remote Management, LSASS Memory, Distributed Component Object Model, System Network Configuration Discovery, Office Template Macros, File and Directory Discovery, System Network Connections Discovery, Token Impersonation/Theft, Make and Impersonate Token, Process Discovery, Parent PID Spoofing, PowerShell, Multiband Communication, File Transfer Protocols, Local Groups, Disable or Modify Tools, Indicator Removal from Tools, Process Hollowing, Exploitation for Privilege Escalation, Obfuscated Files or Information, Exploitation for Client Execution, Asymmetric Cryptography, Non-Application Layer Protocol, Protocol or Service Impersonation, Query Registry, Data Transfer Size Limits, Domain Accounts, BITS Jobs, Domain Fronting, Python, Windows Command Shell, Web Protocols, Visual Basic, Remote System Discovery, Network Service Discovery, Software Discovery, Pass the Hash, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection, Internal Proxy, Custom Command and Control Protocol, Commonly Used Port, Local Accounts, Process Argument Spoofing
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: TrendMicro EarthLusca 2022) Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync
S0590 NBTscan (Citation: Debian nbtscan Nov 2019) (Citation: FireEye APT39 Jan 2019) (Citation: SecTools nbtscan June 2003) (Citation: Symantec Waterbug Jun 2019) (Citation: TrendMicro EarthLusca 2022) System Owner/User Discovery, Network Sniffing, System Network Configuration Discovery, Remote System Discovery, Network Service Discovery
S0596 ShadowPad (Citation: FireEye APT41 Aug 2019) (Citation: Kaspersky ShadowPad Aug 2017) (Citation: POISONPLUG.SHADOW) (Citation: Recorded Future RedEcho Feb 2021) (Citation: Securelist ShadowPad Aug 2017) (Citation: TrendMicro EarthLusca 2022) Fileless Storage, System Owner/User Discovery, Domain Generation Algorithms, DNS, System Information Discovery, Deobfuscate/Decode Files or Information, Process Injection, Scheduled Transfer, Modify Registry, System Network Configuration Discovery, Indicator Removal, Process Discovery, File Transfer Protocols, Obfuscated Files or Information, Non-Application Layer Protocol, Non-Standard Encoding, Web Protocols, Ingress Tool Transfer, System Time Discovery, Dynamic-link Library Injection
