Earth Lusca

Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some Earth Lusca operations may be financially motivated.[1]

Earth Lusca has used malware commonly used by other Chinese threat groups, including APT41 and the Winnti Group cluster; however, security researchers assess that Earth Lusca's techniques and infrastructure are separate.[1]

ID: G1006
Associated Groups: TAG-22, Charcoal Typhoon, CHROMIUM, ControlX
Version: 2.0
Created: 01 July 2022
Last Modified: 16 September 2024

Associated Group Descriptions

Name Description
TAG-22 [2]
Charcoal Typhoon [3]
CHROMIUM [3] [4]
ControlX [3]

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

Earth Lusca used a VBA script to execute WMI.[1]

Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

Earth Lusca has scanned for vulnerabilities in the public-facing servers of their targets.[1]

Enterprise T1090 Proxy

Earth Lusca adopted Cloudflare as a proxy for compromised servers.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Earth Lusca used the command move [file path] c:\windows\system32\spool\prtprocs\x64\spool.dll to move and register a malicious DLL name as a Windows print processor, which eventually was loaded by the Print Spooler service.[1]

Enterprise T1112 Modify Registry

Earth Lusca modified the registry using the command reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_SZ /d "[file path]" for persistence.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Earth Lusca created a service using the command sc create "SysUpdate" binpath= "cmd /c start "[file path]""&&sc config "SysUpdate" start= auto&&netstart SysUpdate for persistence.[1]

Enterprise T1190 Exploit Public-Facing Application

Earth Lusca has compromised victims by directly exploiting vulnerabilities of public-facing servers, including those associated with Microsoft Exchange and Oracle GlassFish.[1]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Earth Lusca has placed a malicious payload in %WINDIR%\SYSTEM32\oci.dll so it would be sideloaded by the MSDTC service.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

Earth Lusca has used certutil to decode a string into a cabinet file.[1]

Enterprise T1547 .012 Boot or Logon Autostart Execution: Print Processors

Earth Lusca has added the Registry key HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\UDPrint" /v Driver /d "spool.dll /f to load malware as a Print Processor.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Earth Lusca has used PowerShell to execute commands.[1]

.005 Command and Scripting Interpreter: Visual Basic

Earth Lusca used VBA scripts.[1]

.006 Command and Scripting Interpreter: Python

Earth Lusca used Python scripts for port scanning or building reverse shells.[1]

.007 Command and Scripting Interpreter: JavaScript

Earth Lusca has manipulated legitimate websites to inject malicious JavaScript code as part of their watering hole operations.[1]

Enterprise T1482 Domain Trust Discovery

Earth Lusca has used Nltest to obtain information about domain controllers.[1]

Enterprise T1584 .004 Compromise Infrastructure: Server

Earth Lusca has used compromised web servers as part of their operational infrastructure.[1]

.006 Compromise Infrastructure: Web Services

Earth Lusca has compromised Google Drive repositories.[1]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Earth Lusca has used WinRAR to compress stolen files into an archive prior to exfiltration.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Earth Lusca has used ProcDump to obtain the hashes of credentials by dumping the memory of the LSASS process.[1]

.006 OS Credential Dumping: DCSync

Earth Lusca has used a DCSync command with Mimikatz to retrieve credentials from an exploited controller.[1]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

Earth Lusca has staged malware and malicious files on compromised web servers, GitHub, and Google Drive.[1]

Enterprise T1189 Drive-by Compromise

Earth Lusca has performed watering hole attacks.[1]

Enterprise T1027 Obfuscated Files or Information

Earth Lusca used Base64 to encode strings.[1]

.003 Obfuscated Files or Information: Steganography

Earth Lusca has used steganography to hide shellcode in a BMP image file.[1]

Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Earth Lusca has used the Fodhelper UAC bypass technique to gain elevated privileges.[1]

Enterprise T1204 .001 User Execution: Malicious Link

Earth Lusca has sent spearphishing emails that required the user to click on a malicious link and subsequently open a decoy document with a malicious loader.[1]

.002 User Execution: Malicious File

Earth Lusca required users to click on a malicious file for the loader to activate.[1]

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

Earth Lusca has used mshta.exe to load an HTA script within a malicious .LNK file.[1]

Enterprise T1033 System Owner/User Discovery

Earth Lusca collected information on user accounts via the whoami command.[1]

Enterprise T1007 System Service Discovery

Earth Lusca has used Tasklist to obtain information from a compromised host.[1]

Enterprise T1049 System Network Connections Discovery

Earth Lusca employed a PowerShell script called RDPConnectionParser to read and filter the Windows event log "Microsoft-Windows-TerminalServices-RDPClient/Operational" (Event ID 1024) to obtain network information from RDP connections. Earth Lusca has also used netstat from a compromised system to obtain network connection information.[1]

Enterprise T1016 System Network Configuration Discovery

Earth Lusca used the command ipconfig to obtain information about network configurations.[1]

Enterprise T1583 .001 Acquire Infrastructure: Domains

Earth Lusca has registered domains, intended to look like legitimate target domains, that have been used in watering hole attacks.[1]

.004 Acquire Infrastructure: Server

Earth Lusca has acquired multiple servers for some of their operations, using each server for a different role.[1]

.006 Acquire Infrastructure: Web Services

Earth Lusca has established GitHub accounts to host their malware.[1]

Enterprise T1588 .001 Obtain Capabilities: Malware

Earth Lusca has acquired and used a variety of malware, including Cobalt Strike.[1]

.002 Obtain Capabilities: Tool

Earth Lusca has acquired and used a variety of open source tools.[1]

Enterprise T1098 .004 Account Manipulation: SSH Authorized Keys

Earth Lusca has dropped an SSH-authorized key in the /root/.ssh folder in order to access a compromised server with SSH.[1]

Enterprise T1057 Process Discovery

Earth Lusca has used Tasklist to obtain information from a compromised host.[1]

Enterprise T1210 Exploitation of Remote Services

Earth Lusca has used Mimikatz to exploit a domain controller via the ZeroLogon exploit (CVE-2020-1472).[1]

Enterprise T1018 Remote System Discovery

Earth Lusca used the command powershell "Get-EventLog -LogName security -Newest 500 | where {$_.EventID -eq 4624} | format-list -property * | findstr "Address"" to find the network information of successfully logged-in accounts in order to discover the addresses of other machines. Earth Lusca has also used multiple scanning tools to discover other machines within the same compromised network.[1]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Earth Lusca has used the megacmd tool to upload stolen files from a victim network to MEGA.[1]

Enterprise T1566 .002 Phishing: Spearphishing Link

Earth Lusca has sent spearphishing emails to potential targets that contained a malicious link.[1]

Enterprise T1053 Scheduled Task/Job

Earth Lusca used the command schtasks /Create /SC ONLOgon /TN WindowsUpdateCheck /TR "[file path]" /ru system for persistence.[1]
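As an added example (not from the original page or the cited reporting), the following Python check runs the persistence command patterns listed above (UserInitMprLogonScript, the cmd-wrapped service binpath, the ONLOGON task running as SYSTEM, and the print-processor registration under prtprocs) over process-creation command lines. The sample events, rule names and file paths are constructed for illustration.

```python
import re

# Constructed sample process-creation records (parent image, command line);
# the first five mirror the command shapes described above, the last two are benign.
SAMPLE_EVENTS = [
    ("cmd.exe", 'reg add "HKEY_CURRENT_USER\\Environment" /v UserInitMprLogonScript /t REG_SZ /d "C:\\Users\\Public\\u.exe"'),
    ("cmd.exe", 'sc create "SysUpdate" binpath= "cmd /c start "C:\\ProgramData\\s.exe""'),
    ("cmd.exe", 'schtasks /Create /SC ONLOgon /TN WindowsUpdateCheck /TR "C:\\ProgramData\\w.exe" /ru system'),
    ("cmd.exe", 'reg add "HKLM\\SYSTEM\\ControlSet001\\Control\\Print\\Environments\\Windows x64\\Print Processors\\UDPrint" /v Driver /d spool.dll /f'),
    ("cmd.exe", 'move C:\\Users\\Public\\x.dll c:\\windows\\system32\\spool\\prtprocs\\x64\\spool.dll'),
    ("svchost.exe", 'schtasks /Create /SC DAILY /TN GoogleUpdateTaskMachine /TR "C:\\Program Files\\Google\\Update\\GoogleUpdate.exe"'),
    ("explorer.exe", "ipconfig /all"),
]

# Detection rules keyed by the ATT&CK (sub)technique they cover; each is a
# case-insensitive regex over the raw command line.
RULES = {
    "T1112 logon script set via UserInitMprLogonScript":
        re.compile(r"reg\s+add\b.*\\Environment\b.*UserInitMprLogonScript", re.I),
    "T1543.003 service whose binpath is a cmd /c start wrapper":
        re.compile(r"sc\s+create\b.*binpath=\s*\"?cmd\s*/c\s+start\b", re.I),
    "T1053.005 ONLOGON scheduled task running as SYSTEM":
        re.compile(r"schtasks\s+/Create\b.*/SC\s+ONLOGON\b.*/ru\s+system\b", re.I),
    "T1547.012 print processor registered through the registry":
        re.compile(r"reg\s+add\b.*\\Print Processors\\.*/v\s+Driver\b", re.I),
    "T1036.005 DLL placed in the x64 prtprocs directory":
        re.compile(r"\\spool\\prtprocs\\x64\\.*\.dll\b", re.I),
}


def evaluate(events):
    """Return (rule name, parent image, command line) for every rule hit."""
    hits = []
    for parent, cmdline in events:
        for name, pattern in RULES.items():
            if pattern.search(cmdline):
                hits.append((name, parent, cmdline))
    return hits


if __name__ == "__main__":
    for name, parent, cmdline in evaluate(SAMPLE_EVENTS):
        print(f"[{name}] parent={parent}\n    {cmdline}")
```

Real telemetry (Sysmon Event ID 1, Windows 4688 with command-line auditing) should be normalised before matching, since quoting and spacing in the logged command line vary between sources.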

Software

ID Name References Techniques
S0160 certutil [1] Deobfuscate/Decode Files or Information, Archive Collected Data: Archive via Utility, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate
S0154 Cobalt Strike [1] BITS Jobs, Windows Management Instrumentation, Data from Local System, Proxy: Domain Fronting, Proxy: Internal Proxy, Use Alternate Authentication Material: Pass the Hash, Modify Registry, Create or Modify System Process: Windows Service, Office Application Startup: Office Template Macros, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Protocol Tunneling, Reflective Code Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Exploitation for Client Execution, Screen Capture, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Data Transfer Size Limits, Data Obfuscation: Protocol or Service Impersonation, Data Encoding: Standard Encoding, File and Directory Discovery, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Native API, Exploitation for Privilege Escalation, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Query Registry, Browser Session Hijacking, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: Timestomp, System Binary Proxy Execution: Rundll32, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Hide Artifacts: Process Argument Spoofing, Non-Application Layer Protocol, Scheduled Transfer, Subvert Trust Controls: Code Signing
S0002 Mimikatz [1] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0590 NBTscan [1] System Owner/User Discovery, System Network Configuration Discovery, Network Sniffing, Network Service Discovery, Remote System Discovery
S0359 Nltest [1] Domain Trust Discovery, System Network Configuration Discovery, Remote System Discovery
S0194 PowerSploit [1] Windows Management Instrumentation, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Create or Modify System Process: Windows Service, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by Search Order Hijacking, Reflective Code Loading, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Security Support Provider, Command and Scripting Interpreter: PowerShell, Domain Trust Discovery, Screen Capture, OS Credential Dumping: LSASS Memory, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Group Policy Preferences, Query Registry, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information: Command Obfuscation, Steal or Forge Kerberos Tickets: Kerberoasting, Access Token Manipulation, Account Discovery: Local Account, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Audio Capture, Scheduled Task/Job: Scheduled Task
S0596 ShadowPad [1] Modify Registry, Dynamic Resolution: Domain Generation Algorithms, Deobfuscate/Decode Files or Information, Application Layer Protocol: DNS, Application Layer Protocol: File Transfer Protocols, Application Layer Protocol: Web Protocols, Data Encoding: Non-Standard Encoding, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information, Indicator Removal, System Information Discovery, System Owner/User Discovery, System Time Discovery, System Network Configuration Discovery, Ingress Tool Transfer, Process Discovery, Process Injection, Process Injection: Dynamic-link Library Injection, Non-Application Layer Protocol, Scheduled Transfer
S0057 Tasklist [1] System Service Discovery, Software Discovery: Security Software Discovery, Process Discovery
S0430 Winnti for Linux [1] Rootkit, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Application Layer Protocol: Web Protocols, Traffic Signaling, Obfuscated Files or Information: Encrypted/Encoded File, Ingress Tool Transfer, Non-Application Layer Protocol

References