Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Earth Lusca

Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some Earth Lusca operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) Earth Lusca has used malware commonly used by other Chinese threat groups, including APT41 and the Winnti Group cluster, however security researchers assess Earth Lusca's techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022)

ID: G1006

Associated Groups: TAG-22

Version: 1.0

Created: 01 Jul 2022

Last Modified: 17 Oct 2022

Name	Description
Associated Group Descriptions
TAG-22	(Citation: Recorded Future TAG-22 July 2021)

Domain	ID		Name	Use
Techniques Used
Enterprise	T1548	.002	Abuse Elevation Control Mechanism: Bypass User Account Control	Earth Lusca has used the Fodhelper UAC bypass technique to gain elevated privileges.(Citation: TrendMicro EarthLusca 2022)
Enterprise	T1098	.004	Account Manipulation: SSH Authorized Keys	Earth Lusca has dropped an SSH-authorized key in the `/root/.ssh` folder in order to access a compromised server with SSH.(Citation: TrendMicro EarthLusca 2022)
Enterprise	T1583	.001	Acquire Infrastructure: Domains	Earth Lusca has registered domains, intended to look like legitimate target domains, that have been used in watering hole attacks.(Citation: TrendMicro EarthLusca 2022)
		.004	Acquire Infrastructure: Server	Earth Lusca has acquired multiple servers for some of their operations, using each server for a different role.(Citation: TrendMicro EarthLusca 2022)
		.006	Acquire Infrastructure: Web Services	Earth Lusca has established GitHub accounts to host their malware.(Citation: TrendMicro EarthLusca 2022)
Enterprise	T1595	.002	Active Scanning: Vulnerability Scanning	Earth Lusca has scanned for vulnerabilities in the public-facing servers of their targets.(Citation: TrendMicro EarthLusca 2022)
Enterprise	T1560	.001	Archive Collected Data: Archive via Utility	Earth Lusca has used WinRAR to compress stolen files into an archive prior to exfiltration.(Citation: TrendMicro EarthLusca 2022)
Enterprise	T1547	.012	Boot or Logon Autostart Execution: Print Processors	Earth Lusca has added the Registry key `HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\UDPrint” /v Driver /d “spool.dll /f` to load malware as a Print Processor.(Citation: TrendMicro EarthLusca 2022)
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	Earth Lusca has used PowerShell to execute commands.(Citation: TrendMicro EarthLusca 2022)
		.005	Command and Scripting Interpreter: Visual Basic	Earth Lusca used VBA scripts.(Citation: TrendMicro EarthLusca 2022)
		.006	Command and Scripting Interpreter: Python	Earth Lusca used Python scripts for port scanning or building reverse shells.(Citation: TrendMicro EarthLusca 2022)
		.007	Command and Scripting Interpreter: JavaScript	Earth Lusca has manipulated legitimate websites to inject malicious JavaScript code as part of their watering hole operations.(Citation: TrendMicro EarthLusca 2022)
Enterprise	T1584	.004	Compromise Infrastructure: Server	Earth Lusca has used compromised web servers as part of their operational infrastructure.(Citation: TrendMicro EarthLusca 2022)
		.006	Compromise Infrastructure: Web Services	Earth Lusca has compromised Google Drive repositories.(Citation: TrendMicro EarthLusca 2022)
Enterprise	T1543	.003	Create or Modify System Process: Windows Service	Earth Lusca created a service using the command `sc create “SysUpdate” binpath= “cmd /c start “[file path]””&&sc config “SysUpdate” start= auto&&net start SysUpdate` for persistence.(Citation: TrendMicro EarthLusca 2022)
Enterprise	T1567	.002	Exfiltration Over Web Service: Exfiltration to Cloud Storage	Earth Lusca has used the megacmd tool to upload stolen files from a victim network to MEGA.(Citation: TrendMicro EarthLusca 2022)
Enterprise	T1574	.002	Hijack Execution Flow: DLL Side-Loading	Earth Lusca has placed a malicious payload in `%WINDIR%\SYSTEM32\oci.dll` so it would be sideloaded by the MSDTC service.(Citation: TrendMicro EarthLusca 2022)
Enterprise	T1036	.005	Masquerading: Match Legitimate Name or Location	Earth Lusca used the command `move [file path] c:\windows\system32\spool\prtprocs\x64\spool.dll` to move and register a malicious DLL name as a Windows print processor, which eventually was loaded by the Print Spooler service.(Citation: TrendMicro EarthLusca 2022)
Enterprise	T1003	.001	OS Credential Dumping: LSASS Memory	Earth Lusca has used ProcDump to obtain the hashes of credentials by dumping the memory of the LSASS process.(Citation: TrendMicro EarthLusca 2022)
		.006	OS Credential Dumping: DCSync	Earth Lusca has used a `DCSync` command with Mimikatz to retrieve credentials from an exploited controller.(Citation: TrendMicro EarthLusca 2022)
Enterprise	T1027	.003	Obfuscated Files or Information: Steganography	Earth Lusca has used steganography to hide shellcode in a BMP image file.(Citation: TrendMicro EarthLusca 2022)
Enterprise	T1588	.001	Obtain Capabilities: Malware	Earth Lusca has acquired and used a variety of malware, including Cobalt Strike.(Citation: TrendMicro EarthLusca 2022)
		.002	Obtain Capabilities: Tool	Earth Lusca has acquired and used a variety of open source tools.(Citation: TrendMicro EarthLusca 2022)
Enterprise	T1566	.002	Phishing: Spearphishing Link	Earth Lusca has sent spearphishing emails to potential targets that contained a malicious link.(Citation: TrendMicro EarthLusca 2022)
Enterprise	T1608	.001	Stage Capabilities: Upload Malware	Earth Lusca has staged malware and malicious files on compromised web servers, GitHub, and Google Drive.(Citation: TrendMicro EarthLusca 2022)
Enterprise	T1218	.005	System Binary Proxy Execution: Mshta	Earth Lusca has used `mshta.exe` to load an HTA script within a malicious .LNK file.(Citation: TrendMicro EarthLusca 2022)
Enterprise	T1204	.001	User Execution: Malicious Link	Earth Lusca has sent spearphishing emails that required the user to click on a malicious link and subsequently open a decoy document with a malicious loader.(Citation: TrendMicro EarthLusca 2022)
		.002	User Execution: Malicious File	Earth Lusca required users to click on a malicious file for the loader to activate.(Citation: TrendMicro EarthLusca 2022)

ID	Name	References	Techniques
Software
S0160	certutil	(Citation: TechNet Certutil) (Citation: TrendMicro EarthLusca 2022)	Install Root Certificate, Deobfuscate/Decode Files or Information, Ingress Tool Transfer
S0194	PowerSploit	(Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation) (Citation: TrendMicro EarthLusca 2022)	Path Interception by PATH Environment Variable, Keylogging, Reflective Code Loading, Credentials in Registry, Indicator Removal from Tools, Audio Capture, Windows Management Instrumentation, Path Interception by Unquoted Path, Query Registry, Data from Local System, Group Policy Preferences, Path Interception, Dynamic-link Library Injection, Obfuscated Files or Information, Access Token Manipulation, Windows Service, Screen Capture, Registry Run Keys / Startup Folder, Scheduled Task, DLL Search Order Hijacking, Path Interception by Search Order Hijacking, Kerberoasting, Local Account, Security Support Provider, Process Discovery, Windows Credential Manager, PowerShell, Domain Trust Discovery, LSASS Memory
S0057	Tasklist	(Citation: Microsoft Tasklist) (Citation: TrendMicro EarthLusca 2022)	Process Discovery, System Service Discovery, Security Software Discovery
S0430	Winnti for Linux	(Citation: Chronicle Winnti for Linux May 2019) (Citation: TrendMicro EarthLusca 2022)	Web Protocols, Non-Application Layer Protocol, Deobfuscate/Decode Files or Information, Symmetric Cryptography, Traffic Signaling, Obfuscated Files or Information, Ingress Tool Transfer, Rootkit
S0359	Nltest	(Citation: Nltest Manual) (Citation: TrendMicro EarthLusca 2022)	Domain Trust Discovery, Remote System Discovery, System Network Configuration Discovery
S0154	Cobalt Strike	(Citation: cobaltstrike manual) (Citation: TrendMicro EarthLusca 2022)	Domain Fronting, Sudo and Sudo Caching, Code Signing, Scheduled Transfer, JavaScript, Remote Desktop Protocol, Native API, Pass the Hash, Domain Accounts, Indicator Removal from Tools, Bypass User Account Control, System Network Configuration Discovery, Service Execution, PowerShell, Web Protocols, Application Layer Protocol, Data from Local System, Disable or Modify Tools, Dynamic-link Library Injection, Local Accounts, Multiband Communication, Keylogging, Distributed Component Object Model, Process Discovery, BITS Jobs, Process Hollowing, Software Discovery, Local Accounts, BITS Jobs, Remote Desktop Protocol, Internal Proxy, Exploitation for Privilege Escalation, Screen Capture, Process Argument Spoofing, Modify Registry, Domain Groups, System Network Connections Discovery, Protocol Impersonation, Parent PID Spoofing, Token Impersonation/Theft, Protocol Tunneling, Windows Service, Visual Basic, Native API, Parent PID Spoofing, Process Injection, System Service Discovery, Timestomp, System Network Configuration Discovery, SSH, File and Directory Discovery, DNS, Token Impersonation/Theft, DNS, Bypass User Account Control, Process Hollowing, Scheduled Transfer, Security Account Manager, Local Groups, PowerShell, SSH, Python, Reflective Code Loading, Remote System Discovery, LSASS Memory, Screen Capture, Commonly Used Port, Query Registry, Domain Account, Data Transfer Size Limits, Network Service Discovery, Pass the Hash, Domain Accounts, Network Share Discovery, Web Protocols, Asymmetric Cryptography, Windows Command Shell, Process Injection, Browser Session Hijacking, Deobfuscate/Decode Files or Information, Remote System Discovery, Visual Basic, Protocol Tunneling, Exploitation for Privilege Escalation, Windows Management Instrumentation, Keylogging, Browser Session Hijacking, Windows Remote Management, Symmetric Cryptography, Non-Application Layer Protocol, Standard Encoding, Ingress Tool Transfer, Indicator Removal from Tools, Domain Account, Internal Proxy, Service Execution, Windows Remote Management, SMB/Windows Admin Shares, Rundll32, Windows Service, Application Layer Protocol, Python, SMB/Windows Admin Shares, Windows Management Instrumentation, Security Account Manager, Make and Impersonate Token, Exploitation for Client Execution, Network Service Discovery, Timestomp, Distributed Component Object Model, Multiband Communication, Commonly Used Port, Network Share Discovery, Custom Command and Control Protocol, Process Discovery, Make and Impersonate Token, Data from Local System, Office Template Macros, Windows Command Shell, Obfuscated Files or Information
S0002	Mimikatz	(Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: TrendMicro EarthLusca 2022)	DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0590	NBTscan	(Citation: Debian nbtscan Nov 2019) (Citation: FireEye APT39 Jan 2019) (Citation: SecTools nbtscan June 2003) (Citation: Symantec Waterbug Jun 2019) (Citation: TrendMicro EarthLusca 2022)	System Owner/User Discovery, System Network Configuration Discovery, Network Sniffing, Network Service Discovery, Remote System Discovery
S0596	ShadowPad	(Citation: FireEye APT41 Aug 2019) (Citation: Kaspersky ShadowPad Aug 2017) (Citation: POISONPLUG.SHADOW) (Citation: Recorded Future RedEcho Feb 2021) (Citation: Securelist ShadowPad Aug 2017) (Citation: TrendMicro EarthLusca 2022)	System Owner/User Discovery, Modify Registry, System Time Discovery, Indicator Removal, Deobfuscate/Decode Files or Information, Indicator Removal, System Network Configuration Discovery, Scheduled Transfer, Process Discovery, DNS, Non-Standard Encoding, File Transfer Protocols, Non-Application Layer Protocol, Obfuscated Files or Information, Web Protocols, Process Injection, System Information Discovery, Domain Generation Algorithms, Ingress Tool Transfer, Dynamic-link Library Injection

References

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

Earth Lusca

Associated Group Descriptions

Techniques Used

Software

References