Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Преступная группа Earth Lusca
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Earth Lusca
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Earth Lusca

Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some Earth Lusca operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) Earth Lusca has used malware commonly used by other Chinese threat groups, including APT41 and the Winnti Group cluster, however security researchers assess Earth Lusca's techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022)
ID: G1006
Associated Groups: TAG-22
Version: 1.0
Created: 01 Jul 2022
Last Modified: 17 Oct 2022

Associated Group Descriptions
Name Description
TAG-22 (Citation: Recorded Future TAG-22 July 2021)

Techniques Used
Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Earth Lusca has used the Fodhelper UAC bypass technique to gain elevated privileges.(Citation: TrendMicro EarthLusca 2022)
Enterprise T1098 .004 Account Manipulation: SSH Authorized Keys

Earth Lusca has dropped an SSH-authorized key in the `/root/.ssh` folder in order to access a compromised server with SSH.(Citation: TrendMicro EarthLusca 2022)
Enterprise T1583 .001 Acquire Infrastructure: Domains

Earth Lusca has registered domains, intended to look like legitimate target domains, that have been used in watering hole attacks.(Citation: TrendMicro EarthLusca 2022)

.004 Acquire Infrastructure: Server

Earth Lusca has acquired multiple servers for some of their operations, using each server for a different role.(Citation: TrendMicro EarthLusca 2022)

.006 Acquire Infrastructure: Web Services

Earth Lusca has established GitHub accounts to host their malware.(Citation: TrendMicro EarthLusca 2022)

Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

Earth Lusca has scanned for vulnerabilities in the public-facing servers of their targets.(Citation: TrendMicro EarthLusca 2022)
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Earth Lusca has used WinRAR to compress stolen files into an archive prior to exfiltration.(Citation: TrendMicro EarthLusca 2022)
Enterprise T1547 .012 Boot or Logon Autostart Execution: Print Processors

Earth Lusca has added the Registry key `HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\UDPrint” /v Driver /d “spool.dll /f` to load malware as a Print Processor.(Citation: TrendMicro EarthLusca 2022)
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Earth Lusca has used PowerShell to execute commands.(Citation: TrendMicro EarthLusca 2022)
.005 Command and Scripting Interpreter: Visual Basic

Earth Lusca used VBA scripts.(Citation: TrendMicro EarthLusca 2022)

.006 Command and Scripting Interpreter: Python

Earth Lusca used Python scripts for port scanning or building reverse shells.(Citation: TrendMicro EarthLusca 2022)

.007 Command and Scripting Interpreter: JavaScript

Earth Lusca has manipulated legitimate websites to inject malicious JavaScript code as part of their watering hole operations.(Citation: TrendMicro EarthLusca 2022)

Enterprise T1584 .004 Compromise Infrastructure: Server

Earth Lusca has used compromised web servers as part of their operational infrastructure.(Citation: TrendMicro EarthLusca 2022)
.006 Compromise Infrastructure: Web Services

Earth Lusca has compromised Google Drive repositories.(Citation: TrendMicro EarthLusca 2022)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Earth Lusca created a service using the command sc create “SysUpdate” binpath= “cmd /c start “[file path]””&&sc config “SysUpdate” start= auto&&net start SysUpdate for persistence.(Citation: TrendMicro EarthLusca 2022)
Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Earth Lusca has used the megacmd tool to upload stolen files from a victim network to MEGA.(Citation: TrendMicro EarthLusca 2022)
Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Earth Lusca has placed a malicious payload in `%WINDIR%\SYSTEM32\oci.dll` so it would be sideloaded by the MSDTC service.(Citation: TrendMicro EarthLusca 2022)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Earth Lusca used the command `move [file path] c:\windows\system32\spool\prtprocs\x64\spool.dll` to move and register a malicious DLL name as a Windows print processor, which eventually was loaded by the Print Spooler service.(Citation: TrendMicro EarthLusca 2022)
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Earth Lusca has used ProcDump to obtain the hashes of credentials by dumping the memory of the LSASS process.(Citation: TrendMicro EarthLusca 2022)
.006 OS Credential Dumping: DCSync

Earth Lusca has used a DCSync command with Mimikatz to retrieve credentials from an exploited controller.(Citation: TrendMicro EarthLusca 2022)

Enterprise T1027 .003 Obfuscated Files or Information: Steganography

Earth Lusca has used steganography to hide shellcode in a BMP image file.(Citation: TrendMicro EarthLusca 2022)
Enterprise T1588 .001 Obtain Capabilities: Malware

Earth Lusca has acquired and used a variety of malware, including Cobalt Strike.(Citation: TrendMicro EarthLusca 2022)
.002 Obtain Capabilities: Tool

Earth Lusca has acquired and used a variety of open source tools.(Citation: TrendMicro EarthLusca 2022)

Enterprise T1566 .002 Phishing: Spearphishing Link

Earth Lusca has sent spearphishing emails to potential targets that contained a malicious link.(Citation: TrendMicro EarthLusca 2022)
Enterprise T1608 .001 Stage Capabilities: Upload Malware

Earth Lusca has staged malware and malicious files on compromised web servers, GitHub, and Google Drive.(Citation: TrendMicro EarthLusca 2022)
Enterprise T1218 .005 System Binary Proxy Execution: Mshta

Earth Lusca has used `mshta.exe` to load an HTA script within a malicious .LNK file.(Citation: TrendMicro EarthLusca 2022)
Enterprise T1204 .001 User Execution: Malicious Link

Earth Lusca has sent spearphishing emails that required the user to click on a malicious link and subsequently open a decoy document with a malicious loader.(Citation: TrendMicro EarthLusca 2022)
.002 User Execution: Malicious File

Earth Lusca required users to click on a malicious file for the loader to activate.(Citation: TrendMicro EarthLusca 2022)

Software
ID Name References Techniques
S0160 certutil (Citation: TechNet Certutil) (Citation: TrendMicro EarthLusca 2022) Install Root Certificate, Deobfuscate/Decode Files or Information, Ingress Tool Transfer
S0194 PowerSploit (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation) (Citation: TrendMicro EarthLusca 2022) Path Interception by PATH Environment Variable, Keylogging, Reflective Code Loading, Credentials in Registry, Indicator Removal from Tools, Audio Capture, Windows Management Instrumentation, Path Interception by Unquoted Path, Query Registry, Data from Local System, Group Policy Preferences, Path Interception, Dynamic-link Library Injection, Obfuscated Files or Information, Access Token Manipulation, Windows Service, Screen Capture, Registry Run Keys / Startup Folder, Scheduled Task, DLL Search Order Hijacking, Path Interception by Search Order Hijacking, Kerberoasting, Local Account, Security Support Provider, Process Discovery, Windows Credential Manager, PowerShell, Domain Trust Discovery, LSASS Memory
S0057 Tasklist (Citation: Microsoft Tasklist) (Citation: TrendMicro EarthLusca 2022) Process Discovery, System Service Discovery, Security Software Discovery
S0430 Winnti for Linux (Citation: Chronicle Winnti for Linux May 2019) (Citation: TrendMicro EarthLusca 2022) Web Protocols, Non-Application Layer Protocol, Deobfuscate/Decode Files or Information, Symmetric Cryptography, Traffic Signaling, Obfuscated Files or Information, Ingress Tool Transfer, Rootkit
S0359 Nltest (Citation: Nltest Manual) (Citation: TrendMicro EarthLusca 2022) Domain Trust Discovery, Remote System Discovery, System Network Configuration Discovery
S0154 Cobalt Strike (Citation: cobaltstrike manual) (Citation: TrendMicro EarthLusca 2022) Domain Fronting, Sudo and Sudo Caching, Code Signing, Scheduled Transfer, JavaScript, Remote Desktop Protocol, Native API, Pass the Hash, Domain Accounts, Indicator Removal from Tools, Bypass User Account Control, System Network Configuration Discovery, Service Execution, PowerShell, Web Protocols, Application Layer Protocol, Data from Local System, Disable or Modify Tools, Dynamic-link Library Injection, Local Accounts, Multiband Communication, Keylogging, Distributed Component Object Model, Process Discovery, BITS Jobs, Process Hollowing, Software Discovery, Local Accounts, BITS Jobs, Remote Desktop Protocol, Internal Proxy, Exploitation for Privilege Escalation, Screen Capture, Process Argument Spoofing, Modify Registry, Domain Groups, System Network Connections Discovery, Protocol Impersonation, Parent PID Spoofing, Token Impersonation/Theft, Protocol Tunneling, Windows Service, Visual Basic, Native API, Parent PID Spoofing, Process Injection, System Service Discovery, Timestomp, System Network Configuration Discovery, SSH, File and Directory Discovery, DNS, Token Impersonation/Theft, DNS, Bypass User Account Control, Process Hollowing, Scheduled Transfer, Security Account Manager, Local Groups, PowerShell, SSH, Python, Reflective Code Loading, Remote System Discovery, LSASS Memory, Screen Capture, Commonly Used Port, Query Registry, Domain Account, Data Transfer Size Limits, Network Service Discovery, Pass the Hash, Domain Accounts, Network Share Discovery, Web Protocols, Asymmetric Cryptography, Windows Command Shell, Process Injection, Browser Session Hijacking, Deobfuscate/Decode Files or Information, Remote System Discovery, Visual Basic, Protocol Tunneling, Exploitation for Privilege Escalation, Windows Management Instrumentation, Keylogging, Browser Session Hijacking, Windows Remote Management, Symmetric Cryptography, Non-Application Layer Protocol, Standard Encoding, Ingress Tool Transfer, Indicator Removal from Tools, Domain Account, Internal Proxy, Service Execution, Windows Remote Management, SMB/Windows Admin Shares, Rundll32, Windows Service, Application Layer Protocol, Python, SMB/Windows Admin Shares, Windows Management Instrumentation, Security Account Manager, Make and Impersonate Token, Exploitation for Client Execution, Network Service Discovery, Timestomp, Distributed Component Object Model, Multiband Communication, Commonly Used Port, Network Share Discovery, Custom Command and Control Protocol, Process Discovery, Make and Impersonate Token, Data from Local System, Office Template Macros, Windows Command Shell, Obfuscated Files or Information
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: TrendMicro EarthLusca 2022) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0590 NBTscan (Citation: Debian nbtscan Nov 2019) (Citation: FireEye APT39 Jan 2019) (Citation: SecTools nbtscan June 2003) (Citation: Symantec Waterbug Jun 2019) (Citation: TrendMicro EarthLusca 2022) System Owner/User Discovery, System Network Configuration Discovery, Network Sniffing, Network Service Discovery, Remote System Discovery
S0596 ShadowPad (Citation: FireEye APT41 Aug 2019) (Citation: Kaspersky ShadowPad Aug 2017) (Citation: POISONPLUG.SHADOW) (Citation: Recorded Future RedEcho Feb 2021) (Citation: Securelist ShadowPad Aug 2017) (Citation: TrendMicro EarthLusca 2022) System Owner/User Discovery, Modify Registry, System Time Discovery, Indicator Removal, Deobfuscate/Decode Files or Information, Indicator Removal, System Network Configuration Discovery, Scheduled Transfer, Process Discovery, DNS, Non-Standard Encoding, File Transfer Protocols, Non-Application Layer Protocol, Obfuscated Files or Information, Web Protocols, Process Injection, System Information Discovery, Domain Generation Algorithms, Ingress Tool Transfer, Dynamic-link Library Injection

References

  1. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  2. INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. Retrieved September 2, 2022.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.