Earth Lusca
Associated Group Descriptions

Name | Description
---|---
Charcoal Typhoon | (Citation: Microsoft Threat Actor Naming July 2023)
ControlX | (Citation: Microsoft Threat Actor Naming July 2023)
CHROMIUM | (Citation: Microsoft Threat Actor Naming July 2023) (Citation: Recorded Future RedHotel August 2023)
TAG-22 | (Citation: Recorded Future TAG-22 July 2021)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Earth Lusca has used the Fodhelper UAC bypass technique to gain elevated privileges. (Citation: TrendMicro EarthLusca 2022)
Enterprise | T1098.004 | Account Manipulation: SSH Authorized Keys | Earth Lusca has dropped an SSH authorized key in the `/root/.ssh` folder in order to access a compromised server with SSH. (Citation: TrendMicro EarthLusca 2022)
Enterprise | T1583.001 | Acquire Infrastructure: Domains | Earth Lusca has registered domains, intended to look like legitimate target domains, that have been used in watering hole attacks. (Citation: TrendMicro EarthLusca 2022)
Enterprise | T1583.004 | Acquire Infrastructure: Server | Earth Lusca has acquired multiple servers for some of their operations, using each server for a different role. (Citation: TrendMicro EarthLusca 2022)
Enterprise | T1583.006 | Acquire Infrastructure: Web Services | Earth Lusca has established GitHub accounts to host their malware. (Citation: TrendMicro EarthLusca 2022)
Enterprise | T1595.002 | Active Scanning: Vulnerability Scanning | Earth Lusca has scanned for vulnerabilities in the public-facing servers of their targets. (Citation: TrendMicro EarthLusca 2022)
Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | Earth Lusca has used WinRAR to compress stolen files into an archive prior to exfiltration. (Citation: TrendMicro EarthLusca 2022)
Enterprise | T1547.012 | Boot or Logon Autostart Execution: Print Processors | Earth Lusca has added the Registry key `HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\UDPrint" /v Driver /d "spool.dll /f` to load malware as a Print Processor. (Citation: TrendMicro EarthLusca 2022)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Earth Lusca has used PowerShell to execute commands. (Citation: TrendMicro EarthLusca 2022)
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Earth Lusca used VBA scripts. (Citation: TrendMicro EarthLusca 2022)
Enterprise | T1059.006 | Command and Scripting Interpreter: Python | Earth Lusca used Python scripts for port scanning or building reverse shells. (Citation: TrendMicro EarthLusca 2022)
Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | Earth Lusca has manipulated legitimate websites to inject malicious JavaScript code as part of their watering hole operations. (Citation: TrendMicro EarthLusca 2022)
Enterprise | T1584.004 | Compromise Infrastructure: Server | Earth Lusca has used compromised web servers as part of their operational infrastructure. (Citation: TrendMicro EarthLusca 2022)
Enterprise | T1584.006 | Compromise Infrastructure: Web Services | Earth Lusca has compromised Google Drive repositories. (Citation: TrendMicro EarthLusca 2022)
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Earth Lusca created a service using the command
Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Earth Lusca has used the megacmd tool to upload stolen files from a victim network to MEGA. (Citation: TrendMicro EarthLusca 2022)
Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Earth Lusca has placed a malicious payload in `%WINDIR%\SYSTEM32\oci.dll` so it would be sideloaded by the MSDTC service. (Citation: TrendMicro EarthLusca 2022)
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Earth Lusca used the command `move [file path] c:\windows\system32\spool\prtprocs\x64\spool.dll` to move and register a malicious DLL name as a Windows print processor, which eventually was loaded by the Print Spooler service. (Citation: TrendMicro EarthLusca 2022)
Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Earth Lusca has used ProcDump to obtain the hashes of credentials by dumping the memory of the LSASS process. (Citation: TrendMicro EarthLusca 2022)
Enterprise | T1003.006 | OS Credential Dumping: DCSync | Earth Lusca has used a
Enterprise | T1027.003 | Obfuscated Files or Information: Steganography | Earth Lusca has used steganography to hide shellcode in a BMP image file. (Citation: TrendMicro EarthLusca 2022)
Enterprise | T1588.001 | Obtain Capabilities: Malware | Earth Lusca has acquired and used a variety of malware, including Cobalt Strike. (Citation: TrendMicro EarthLusca 2022)
Enterprise | T1588.002 | Obtain Capabilities: Tool | Earth Lusca has acquired and used a variety of open source tools. (Citation: TrendMicro EarthLusca 2022)
Enterprise | T1566.002 | Phishing: Spearphishing Link | Earth Lusca has sent spearphishing emails to potential targets that contained a malicious link. (Citation: TrendMicro EarthLusca 2022)
Enterprise | T1608.001 | Stage Capabilities: Upload Malware | Earth Lusca has staged malware and malicious files on compromised web servers, GitHub, and Google Drive. (Citation: TrendMicro EarthLusca 2022)
Enterprise | T1218.005 | System Binary Proxy Execution: Mshta | Earth Lusca has used `mshta.exe` to load an HTA script within a malicious .LNK file. (Citation: TrendMicro EarthLusca 2022)
Enterprise | T1204.001 | User Execution: Malicious Link | Earth Lusca has sent spearphishing emails that required the user to click on a malicious link and subsequently open a decoy document with a malicious loader. (Citation: TrendMicro EarthLusca 2022)
Enterprise | T1204.002 | User Execution: Malicious File | Earth Lusca required users to click on a malicious file for the loader to activate. (Citation: TrendMicro EarthLusca 2022)
References

- Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca's Operations. Retrieved July 1, 2022.
- Insikt Group. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. Retrieved September 16, 2024.
- Insikt Group. (2023, August 8). RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale. Retrieved March 11, 2024.
- Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.