Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

LuminousMoth

LuminousMoth is a Chinese-speaking cyber espionage group that has been active since at least October 2020. LuminousMoth has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a connection between LuminousMoth and Mustang Panda based on similar targeting and TTPs, as well as network infrastructure overlaps.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)

ID: G1014

Associated Groups:

Version: 1.0

Created: 23 Feb 2023

Last Modified: 16 Apr 2025

Name	Description
Associated Group Descriptions

Domain	ID		Name	Use
Techniques Used
Enterprise	T1557	.002	Adversary-in-the-Middle: ARP Cache Poisoning	LuminousMoth has used ARP spoofing to redirect a compromised machine to an actor-controlled website.(Citation: Bitdefender LuminousMoth July 2021)
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	LuminousMoth has used HTTP for C2.(Citation: Kaspersky LuminousMoth July 2021)
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	LuminousMoth has used malicious DLLs that setup persistence in the Registry Key `HKCU\Software\Microsoft\Windows\Current Version\Run`.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)
Enterprise	T1587	.001	Develop Capabilities: Malware	LuminousMoth has used unique malware for information theft and exfiltration.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)
Enterprise	T1567	.002	Exfiltration Over Web Service: Exfiltration to Cloud Storage	LuminousMoth has exfiltrated data to Google Drive.(Citation: Bitdefender LuminousMoth July 2021)
Enterprise	T1564	.001	Hide Artifacts: Hidden Files and Directories	LuminousMoth has used malware to store malicious binaries in hidden directories on victim's USB drives.(Citation: Kaspersky LuminousMoth July 2021)
Enterprise	T1574	.001	Hijack Execution Flow: DLL	LuminousMoth has used legitimate executables such as `winword.exe` and `igfxem.exe` to side-load their malware.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)
Enterprise	T1036	.005	Masquerading: Match Legitimate Resource Name or Location	LuminousMoth has disguised their exfiltration malware as `ZoomVideoApp.exe`.(Citation: Kaspersky LuminousMoth July 2021)
Enterprise	T1588	.001	Obtain Capabilities: Malware	LuminousMoth has obtained and used malware such as Cobalt Strike.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)
		.002	Obtain Capabilities: Tool	LuminousMoth has obtained an ARP spoofing tool from GitHub.(Citation: Bitdefender LuminousMoth July 2021)
		.004	Obtain Capabilities: Digital Certificates	LuminousMoth has used a valid digital certificate for some of their malware.(Citation: Kaspersky LuminousMoth July 2021)
Enterprise	T1566	.002	Phishing: Spearphishing Link	LuminousMoth has sent spearphishing emails containing a malicious Dropbox download link.(Citation: Kaspersky LuminousMoth July 2021)
Enterprise	T1053	.005	Scheduled Task/Job: Scheduled Task	LuminousMoth has created scheduled tasks to establish persistence for their tools.(Citation: Bitdefender LuminousMoth July 2021)
Enterprise	T1608	.001	Stage Capabilities: Upload Malware	LuminousMoth has hosted malicious payloads on Dropbox.(Citation: Kaspersky LuminousMoth July 2021)
		.004	Stage Capabilities: Drive-by Target	LuminousMoth has redirected compromised machines to an actor-controlled webpage through HTML injection.(Citation: Bitdefender LuminousMoth July 2021)
		.005	Stage Capabilities: Link Target	LuminousMoth has created a link to a Dropbox file that has been used in their spear-phishing operations.(Citation: Kaspersky LuminousMoth July 2021)
Enterprise	T1553	.002	Subvert Trust Controls: Code Signing	LuminousMoth has signed their malware with a valid digital signature.(Citation: Kaspersky LuminousMoth July 2021)
Enterprise	T1204	.001	User Execution: Malicious Link	LuminousMoth has lured victims into clicking malicious Dropbox download links delivered through spearphishing.(Citation: Kaspersky LuminousMoth July 2021)

ID	Name	References	Techniques
Software
S0013	PlugX	(Citation: Bitdefender LuminousMoth July 2021) (Citation: CIRCL PlugX March 2013) (Citation: Dell TG-3390) (Citation: DestroyRAT) (Citation: FireEye Clandestine Fox Part 2) (Citation: Kaba) (Citation: Kaspersky LuminousMoth July 2021) (Citation: Korplug) (Citation: Lastline PlugX Analysis) (Citation: New DragonOK) (Citation: Novetta-Axiom) (Citation: Sogu) (Citation: TVT) (Citation: Thoper)	Screen Capture, Keylogging, DNS, Match Legitimate Resource Name or Location, Symmetric Cryptography, Windows Service, System Checks, DLL, Network Share Discovery, Native API, Deobfuscate/Decode Files or Information, Disable or Modify System Firewall, Modify Registry, File and Directory Discovery, Masquerade Task or Service, System Network Connections Discovery, Process Discovery, Multiband Communication, Registry Run Keys / Startup Folder, Non-Standard Port, Obfuscated Files or Information, Non-Application Layer Protocol, Query Registry, MSBuild, Windows Command Shell, Web Protocols, DLL Side-Loading, Ingress Tool Transfer, Hidden Files and Directories, Custom Command and Control Protocol, Dead Drop Resolver, Commonly Used Port
S0154	Cobalt Strike	(Citation: Bitdefender LuminousMoth July 2021) (Citation: Kaspersky LuminousMoth July 2021) (Citation: cobaltstrike manual)	Windows Management Instrumentation, Screen Capture, Rundll32, Standard Encoding, Keylogging, JavaScript, Bypass User Account Control, Sudo and Sudo Caching, Security Account Manager, DNS, Domain Account, Symmetric Cryptography, Windows Service, Domain Groups, SSH, System Service Discovery, Code Signing, Network Share Discovery, Application Layer Protocol, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Timestomp, Reflective Code Loading, Scheduled Transfer, SMB/Windows Admin Shares, Protocol Tunneling, Browser Session Hijacking, Modify Registry, Windows Remote Management, LSASS Memory, Distributed Component Object Model, System Network Configuration Discovery, Office Template Macros, File and Directory Discovery, System Network Connections Discovery, Token Impersonation/Theft, Make and Impersonate Token, Process Discovery, Parent PID Spoofing, PowerShell, Multiband Communication, File Transfer Protocols, Local Groups, Disable or Modify Tools, Indicator Removal from Tools, Process Hollowing, Exploitation for Privilege Escalation, Obfuscated Files or Information, Exploitation for Client Execution, Asymmetric Cryptography, Non-Application Layer Protocol, Protocol or Service Impersonation, Query Registry, Data Transfer Size Limits, Domain Accounts, BITS Jobs, Domain Fronting, Python, Windows Command Shell, Web Protocols, Visual Basic, Remote System Discovery, Network Service Discovery, Software Discovery, Pass the Hash, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection, Internal Proxy, Custom Command and Control Protocol, Commonly Used Port, Local Accounts, Process Argument Spoofing

References

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

LuminousMoth

Associated Group Descriptions

Techniques Used

Software

References