
China-based Earth Lusca Group Targeting Multiple Industries

Earth Lusca, a suspected Chinese hacker group, was found spying on strategic targets as well as performing financially-motivated attacks for several years.

The attacks of Earth Lusca

Earth Lusca APT has been spying on targets that could be of interest to the Chinese government, say experts. 
  • With a motive of intelligence collection, its attacks were aimed at government, educational, media, telecom, COVID-19 research, and religious institutions across several countries including Taiwan, Thailand, Philippines, Vietnam, U.A.E., Mongolia, Nigeria, and more.
  • The group also staged financially motivated attacks against gambling companies in China and various cryptocurrency platforms.

Attack characteristics

Most of Earth Lusca’s attack vectors and tactics are found to be common with another threat group known as APT41.
  • In most cases, the attackers attempt to deploy a version of Cobalt Strike on infected hosts, which is then used to deliver additional malware such as Doraemon, ShadowPad, Winnti, FunnySwitch, AntSword, and Behinder.
  • In addition, the group deployed cryptominers on infected hosts, possibly to make investigators believe the compromise was an ordinary mining botnet rather than a targeted intrusion.

Ways Earth Lusca targets

Trend Micro examined the recent operations of Earth Lusca and revealed three methods the group mostly used for its attacks:
  • It exploited unpatched vulnerabilities in web applications and public-facing servers (e.g. Exchange servers and Oracle GlassFish).
  • In some cases, the attackers sent spear-phishing emails laden with links to malicious files or sites.
  • Furthermore, the attackers used watering hole attacks, luring victims to compromised websites that delivered malware to their systems.

Concluding notes

Based on the research so far, Earth Lusca poses a potential danger to various critical industries. The best defense against such threats is to rely on shared threat intelligence and to use the published IOCs for better detection.
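As an added, defender-side example (not code from the Cyware article or from Trend Micro's report), the script below matches a small IOC set against proxy, web-server and EDR log lines and escalates any host that shows both a network indicator and a known-bad file hash, so that a cryptominer hit on such a host is not written off as commodity mining. The indicator values, the hostnames, the log format and the escalation rule are all assumptions made for this example; they are not published Earth Lusca indicators, which must be taken from the vendor report.

```python
"""Match a shared IOC list against log lines and escalate suspicious hosts.

Added example, not from the Cyware article or Trend Micro's report.
Every indicator and every log line here is constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed IOC set (placeholder values, not real Earth Lusca indicators).
PLACEHOLDER_HASH = "0" * 63 + "1"           # stands in for a miner binary hash
IOC_DOMAINS = {"update-cdn.example.invalid", "static-assets.example.invalid"}
IOC_IPS = {"203.0.113.45", "198.51.100.7"}  # RFC 5737 documentation ranges
IOC_SHA256 = {PLACEHOLDER_HASH}

# Field extractors for free-text log lines. The domain pattern requires an
# alphabetic top-level label, so dotted IPs are left to the IP pattern.
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_DOMAIN_RE = re.compile(r"\b[a-z0-9.-]+\.[a-z]{2,}\b", re.IGNORECASE)
_SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)

# Constructed sample logs; the first token of each line is the source host.
SAMPLE_LOGS = [
    '10.0.0.12 - - [10/Jan/2022:09:14:02 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 200 5123',
    "10.0.0.12 proxy CONNECT update-cdn.example.invalid:443 user=alice",
    f"10.0.0.31 edr process=xmrig.exe sha256={PLACEHOLDER_HASH} parent=svchost.exe",
    "10.0.0.31 proxy CONNECT 203.0.113.45:443 user=bob",
    '10.0.0.44 - - [10/Jan/2022:09:20:11 +0000] "GET /index.html HTTP/1.1" 200 812',
]


@dataclass
class Hit:
    line_no: int
    host: str
    kind: str   # "domain", "ip" or "sha256"
    value: str


def match_iocs(lines):
    """Return one Hit per (line, indicator) pair, in log order."""
    hits = []
    for n, line in enumerate(lines, 1):
        host = line.split()[0]
        for dom in _DOMAIN_RE.findall(line):
            if dom.lower() in IOC_DOMAINS:
                hits.append(Hit(n, host, "domain", dom.lower()))
        for h in _SHA256_RE.findall(line):
            if h.lower() in IOC_SHA256:
                hits.append(Hit(n, host, "sha256", h.lower()))
        for ip in _IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append(Hit(n, host, "ip", ip))
    return hits


def escalate(hits):
    """Hosts with both a file-hash hit and a network hit (assumed rule).

    A miner binary alone may be commodity activity; a miner plus contact with
    a known C2 indicator on the same host should be treated as a targeted
    intrusion, which is the decoy pattern the article describes.
    """
    kinds_by_host = {}
    for hit in hits:
        kinds_by_host.setdefault(hit.host, set()).add(hit.kind)
    return sorted(
        host for host, kinds in kinds_by_host.items()
        if "sha256" in kinds and kinds & {"domain", "ip"}
    )


if __name__ == "__main__":
    found = match_iocs(SAMPLE_LOGS)
    for hit in found:
        print(f"line {hit.line_no}: host={hit.host} {hit.kind}={hit.value}")
    print("escalate:", escalate(found))
```

Running the block prints three indicator hits (a domain, a hash and an IP) and escalates only `10.0.0.31`, the host that shows both the miner hash and the network indicator; the host that merely reached the suspicious domain is reported but not escalated.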

Cyware Publisher