Earth Lusca Employs Sophisticated Infrastructure, Varied Tools and Techniques

Since mid-2021, we have been investigating a rather elusive threat actor called Earth Lusca that targets organizations globally through a campaign built on conventional social engineering techniques such as spear phishing and watering holes. The group's primary motivation appears to be cyberespionage: its victim list includes high-value targets such as government and educational institutions, religious movements, pro-democracy and human rights organizations in Hong Kong, Covid-19 research organizations, and the media, among others. However, the threat actor also appears to be financially motivated, as it has also taken aim at gambling and cryptocurrency companies.
Earlier research into the group's activities attributed it to other threat actors such as the Winnti group because of its use of malware such as Winnti. Despite some similarities, we consider Earth Lusca a separate threat actor (we do have evidence, however, that the group is part of the "Winnti cluster," which comprises different groups that share the same country of origin and parts of their TTPs).
The technical brief provides an in-depth look at Earth Lusca's activities, the tools it employs in attacks, and the infrastructure it uses.

Earth Lusca's infrastructure can essentially be grouped into two "clusters." The first cluster is built from virtual private servers (VPS) rented from a service provider; these are used for the group's watering hole and spear phishing operations and also act as command-and-control (C&C) servers for its malware.
The second cluster consists of compromised servers running old, open-source versions of Oracle GlassFish Server. Interestingly, this second cluster plays a different role in an Earth Lusca attack: it acts as a scanning tool that searches for vulnerabilities in public-facing servers and builds traffic tunnels inside the target's network. Like the first cluster, it also serves as a C&C server, in this case for Cobalt Strike.
It is possible that the group used parts of its infrastructure (notably the scanning components) as a diversion, in order to trick security staff into focusing on the wrong parts of the network.
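The second cluster described above has two observable traits a defender can check for in their own environment: public-facing hosts that still advertise an old GlassFish banner, and servers that start behaving like clients (fanning out to many internal hosts, or calling out to external addresses). The script below is an added example, not code from the original report or from Trend Micro; the banner inventory, the connection records, the IP ranges and the fan-out threshold are all constructed for illustration, and the fields assume a simple (source, destination, port) connection log.

```python
"""Triage check: servers that look like the GlassFish scanning/tunnelling cluster.

Added example, not from the original report. Input formats, hosts, addresses and
thresholds below are constructed assumptions for illustration only.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: HTTP "Server" banners gathered from an internal asset inventory.
BANNERS = {
    "10.0.5.10": "GlassFish Server Open Source Edition 3.1.2",
    "10.0.5.11": "nginx/1.24.0",
    "10.0.5.12": "GlassFish Server Open Source Edition 4.1",
}

# Constructed sample: outbound connections initiated by hosts in the server subnet,
# as (source, destination, destination port). Servers normally receive connections;
# a server that opens many itself deserves a look.
CONNECTIONS = [
    ("10.0.5.10", "10.0.7.21", 22), ("10.0.5.10", "10.0.7.22", 22),
    ("10.0.5.10", "10.0.7.23", 445), ("10.0.5.10", "10.0.7.24", 3389),
    ("10.0.5.10", "10.0.7.25", 8080), ("10.0.5.10", "10.0.7.26", 1433),
    ("10.0.5.11", "10.0.9.5", 5432),          # one database call: ordinary
    ("10.0.5.12", "203.0.113.9", 443),        # external callout from a web server
]

# Assumed internal address space; a real deployment would load its own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def glassfish_hosts(banners):
    """Hosts whose Server banner identifies GlassFish (any version)."""
    return {ip for ip, banner in banners.items() if "glassfish" in banner.lower()}


def fan_out(connections):
    """Map each source to the set of distinct internal destinations it contacted."""
    targets = defaultdict(set)
    for src, dst, _port in connections:
        if is_internal(dst):
            targets[src].add(dst)
    return targets


def external_callouts(connections):
    """Map each source to the set of non-internal destinations it contacted."""
    ext = defaultdict(set)
    for src, dst, _port in connections:
        if not is_internal(dst):
            ext[src].add(dst)
    return ext


def triage(banners, connections, fan_out_threshold=5):
    """Return {host: [reasons]} for hosts matching at least one indicator.

    Indicators: GlassFish banner; internal fan-out at or above the threshold
    (scanning-like behaviour); any outbound connection to an external address
    (possible tunnel or C&C channel). Each reason is reviewed, not auto-blocked.
    """
    findings = defaultdict(list)
    for host in sorted(glassfish_hosts(banners)):
        findings[host].append("GlassFish banner present: " + banners[host])
    for src, dsts in fan_out(connections).items():
        if len(dsts) >= fan_out_threshold:
            findings[src].append(f"contacted {len(dsts)} distinct internal hosts")
    for src, dsts in external_callouts(connections).items():
        findings[src].append("outbound to external: " + ", ".join(sorted(dsts)))
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in triage(BANNERS, CONNECTIONS).items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

With the constructed data, 10.0.5.10 is flagged for both its GlassFish banner and its fan-out to six internal hosts, 10.0.5.12 for its banner and an external callout, and the nginx host is not reported. The fan-out threshold and the notion of "external" are the two knobs to tune against a real baseline before relying on the output.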
