LuminousMoth

LuminousMoth is a Chinese-speaking cyber espionage group that has been active since at least October 2020. LuminousMoth has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a connection between LuminousMoth and Mustang Panda based on similar targeting and TTPs, as well as network infrastructure overlaps.[1][2]

ID: G1014
Contributors: Kyaw Pyiyt Htet, @KyawPyiytHtet; Zaw Min Htun, @Z3TAE
Version: 1.0
Created: 23 February 2023
Last Modified: 17 April 2023

Techniques Used

Domain ID Name Use
Enterprise T1557.002 Adversary-in-the-Middle: ARP Cache Poisoning

LuminousMoth has used ARP spoofing to redirect a compromised machine to an actor-controlled website.[2]
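A host-side check for the ARP poisoning described above, added here as an example (it is not LuminousMoth's tooling or MITRE's code). It parses the Windows `arp -a` table format and compares two snapshots: the gateway address, the MAC values and the hostnames in the sample are all constructed for the example and are not real indicators.

```python
"""Detect ARP cache poisoning from successive `arp -a` snapshots.

Added example for this page, not LuminousMoth's or MITRE's code. Parses the
Windows `arp -a` layout (hyphen-separated MACs). The two snapshots below are
constructed: the addresses are made up and show a gateway entry being
overwritten with a MAC that another host on the segment already owns.
"""
import re
from collections import defaultdict

# One table row: "  192.168.10.1   00-1a-2b-3c-4d-5e   dynamic"
_ENTRY_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(?P<type>\w+)",
    re.IGNORECASE,
)


def parse_arp_table(text: str) -> dict:
    """Map IPv4 address -> lower-case MAC, skipping broadcast and multicast rows."""
    table = {}
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if not m:
            continue
        mac = m.group("mac").lower()
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue  # not unicast; never a poisoning candidate
        table[m.group("ip")] = mac
    return table


def compare_snapshots(before: dict, after: dict, gateway: str) -> list:
    """Return alert strings for the two classic poisoning symptoms.

    1. The default gateway's MAC changed between snapshots.
    2. One MAC now answers for several IPs (the attacker's card claims the
       gateway's address as well as its own).
    """
    alerts = []
    if gateway in before and gateway in after and before[gateway] != after[gateway]:
        alerts.append(f"gateway {gateway} MAC changed {before[gateway]} -> {after[gateway]}")
    by_mac = defaultdict(list)
    for ip, mac in after.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claimed by {', '.join(sorted(ips))}")
    return alerts


# Constructed snapshots (made-up addresses), in the shape `arp -a` prints on Windows.
SNAPSHOT_BEFORE = """
Interface: 192.168.10.25 --- 0xb
  Internet Address      Physical Address      Type
  192.168.10.1          00-1a-2b-3c-4d-5e     dynamic
  192.168.10.77         08-00-27-aa-bb-cc     dynamic
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

SNAPSHOT_AFTER = """
Interface: 192.168.10.25 --- 0xb
  Internet Address      Physical Address      Type
  192.168.10.1          08-00-27-aa-bb-cc     dynamic
  192.168.10.77         08-00-27-aa-bb-cc     dynamic
  192.168.10.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

GATEWAY = "192.168.10.1"  # assumed default gateway for the sample segment


def run_sample() -> list:
    """Compare the two constructed snapshots and return the alerts."""
    return compare_snapshots(parse_arp_table(SNAPSHOT_BEFORE),
                             parse_arp_table(SNAPSHOT_AFTER), GATEWAY)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On a real host, feed the function the output of `arp -a` taken at intervals, with the gateway read from `route print` rather than hard-coded. A MAC shared by several IPs is also produced by legitimate HA or virtual-IP setups, so that second alert is a hunting lead rather than a verdict; the gateway-MAC change is the stronger signal.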

Enterprise T1005 Data from Local System

LuminousMoth has collected files and data from compromised machines.[1][2]

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

LuminousMoth has disguised their exfiltration malware as ZoomVideoApp.exe.[1]

Enterprise T1112 Modify Registry

LuminousMoth has used malware that adds Registry keys for persistence.[1][2]

Enterprise T1574.002 Hijack Execution Flow: DLL Side-Loading

LuminousMoth has used legitimate executables such as winword.exe and igfxem.exe to side-load their malware.[1][2]

Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

LuminousMoth has used malicious DLLs that set up persistence in the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.[1][2]

Enterprise T1071.001 Application Layer Protocol: Web Protocols

LuminousMoth has used HTTP for C2.[1]

Enterprise T1587.001 Develop Capabilities: Malware

LuminousMoth has used unique malware for information theft and exfiltration.[1][2]

Enterprise T1560 Archive Collected Data

LuminousMoth has manually archived stolen files from victim machines before exfiltration.[2]

Enterprise T1030 Data Transfer Size Limits

LuminousMoth has split archived files into multiple parts to bypass a 5MB limit.[2]
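A staging-directory check for the split-archive behaviour above (and the manual archiving entry before it), added here as an example that is not LuminousMoth's tooling or MITRE's code. The 5 MB cap comes from the page; the multi-volume naming schemes it recognises (7-Zip `.001`/`.002` volumes and WinRAR `.partN.rar`) and the file listing it runs over are assumptions for the example, with constructed names and sizes. The signal is the one a tool like `7z -v5m` leaves behind: several volumes of identical size at or just under the cap, followed by one smaller tail.

```python
"""Spot archives that were split into uniform parts just under a size cap.

Added example for this page, not LuminousMoth's or MITRE's code. The 5 MB cap
comes from the page; the archive names, sizes and suffix conventions below are
assumptions for the example (constructed file listing, not real evidence).
"""
import re
from collections import defaultdict
from typing import NamedTuple

LIMIT = 5 * 1024 * 1024  # 5 MiB, the cap the page says the parts were sized to stay under

# Volume naming produced by 7-Zip (-v: name.7z.001, .002 ...) and WinRAR (-v: name.part1.rar ...).
_PART_RE = re.compile(r"^(?P<base>.+?)(?:\.part(?P<a>\d+)\.rar|\.(?P<c>\d{3}))$", re.IGNORECASE)


class Finding(NamedTuple):
    base: str        # archive name without the volume suffix
    parts: int       # number of volumes seen
    part_size: int   # size of the full-size volumes
    total: int       # bytes staged across all volumes


def part_number(name: str):
    """Return (base, index) when name looks like a multi-volume archive piece, else None."""
    m = _PART_RE.match(name)
    if not m:
        return None
    idx = m.group("a") if m.group("a") is not None else m.group("c")
    return m.group("base"), int(idx)


def find_split_archives(listing, limit: int = LIMIT, slack: float = 0.10) -> list:
    """listing: iterable of (filename, size_bytes).

    Flag a base name when there are >= 2 volumes, every volume but the last has
    the same size, that size lies within `slack` below `limit` (the tool was
    told to cut at or just under the cap), and the tail is no larger than it.
    """
    groups = defaultdict(dict)
    for name, size in listing:
        hit = part_number(name)
        if hit:
            base, idx = hit
            groups[base][idx] = size
    findings = []
    for base, vols in groups.items():
        if len(vols) < 2:
            continue
        ordered = [vols[i] for i in sorted(vols)]
        head, tail = ordered[:-1], ordered[-1]
        chunk = head[0]
        uniform = len(set(head)) == 1
        if uniform and limit * (1 - slack) <= chunk <= limit and tail <= chunk:
            findings.append(Finding(base, len(ordered), chunk, sum(ordered)))
    return findings


# Constructed listing (name, bytes) of a staging directory; nothing here is real evidence.
SAMPLE_LISTING = [
    ("docs.7z.001", 5_242_880), ("docs.7z.002", 5_242_880), ("docs.7z.003", 1_310_720),
    ("backup.part1.rar", 52_428_800), ("backup.part2.rar", 52_428_800),  # 50 MiB volumes, not cap-shaped
    ("photos.zip", 3_000_000),                                           # single file, no volumes
    ("q3.part1.rar", 4_900_000), ("q3.part2.rar", 4_900_000),
    ("q3.part3.rar", 4_900_000), ("q3.part4.rar", 120_000),
    ("notes.7z.001", 200_000),                                           # one volume only
]

if __name__ == "__main__":
    for f in find_split_archives(SAMPLE_LISTING):
        print(f"{f.base}: {f.parts} volumes x {f.part_size} bytes, {f.total} bytes staged")
```

Build the listing from `os.scandir` on the suspect directory (or from file-creation events in EDR telemetry) and pass the cap that matches the channel you care about. The `backup` volumes are left alone on purpose: splitting at 50 MiB is ordinary backup hygiene, and the rule keys on the cap, not on splitting as such.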

Enterprise T1083 File and Directory Discovery

LuminousMoth has used malware that scans for files in the Documents, Desktop, and Download folders and on other drives.[1][2]

Enterprise T1608.001 Stage Capabilities: Upload Malware

LuminousMoth has hosted malicious payloads on Dropbox.[1]

Enterprise T1608.004 Stage Capabilities: Drive-by Target

LuminousMoth has redirected compromised machines to an actor-controlled webpage through HTML injection.[2]

Enterprise T1608.005 Stage Capabilities: Link Target

LuminousMoth has created a link to a Dropbox file that has been used in their spear-phishing operations.[1]

Enterprise T1204.001 User Execution: Malicious Link

LuminousMoth has lured victims into clicking malicious Dropbox download links delivered through spearphishing.[1]

Enterprise T1539 Steal Web Session Cookie

LuminousMoth has used an unnamed post-exploitation tool to steal cookies from the Chrome browser.[1]

Enterprise T1033 System Owner/User Discovery

LuminousMoth has used a malicious DLL to collect the username from compromised hosts.[2]

Enterprise T1588.001 Obtain Capabilities: Malware

LuminousMoth has obtained and used malware such as Cobalt Strike.[1][2]

Enterprise T1588.002 Obtain Capabilities: Tool

LuminousMoth has obtained an ARP spoofing tool from GitHub.[2]

Enterprise T1588.004 Obtain Capabilities: Digital Certificates

LuminousMoth has used a valid digital certificate for some of their malware.[1]

Enterprise T1105 Ingress Tool Transfer

LuminousMoth has downloaded additional malware and tools onto a compromised host.[1][2]

Enterprise T1041 Exfiltration Over C2 Channel

LuminousMoth has used malware that exfiltrates stolen data to its C2 server.[1]

Enterprise T1091 Replication Through Removable Media

LuminousMoth has used malicious DLLs to spread malware to connected removable USB drives on infected machines.[1][2]

Enterprise T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

LuminousMoth has exfiltrated data to Google Drive.[2]

Enterprise T1566.002 Phishing: Spearphishing Link

LuminousMoth has sent spearphishing emails containing a malicious Dropbox download link.[1]

Enterprise T1564.001 Hide Artifacts: Hidden Files and Directories

LuminousMoth has used malware to store malicious binaries in hidden directories on victims' USB drives.[1]

Enterprise T1053.005 Scheduled Task/Job: Scheduled Task

LuminousMoth has created scheduled tasks to establish persistence for their tools.[2]

Enterprise T1553.002 Subvert Trust Controls: Code Signing

LuminousMoth has signed their malware with a valid digital signature.[1]

Software

ID Name References Techniques
S0154 Cobalt Strike [1][2] BITS Jobs, Windows Management Instrumentation, Data from Local System, Proxy: Domain Fronting, Proxy: Internal Proxy, Use Alternate Authentication Material: Pass the Hash, Modify Registry, Create or Modify System Process: Windows Service, Office Application Startup: Office Template Macros, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Protocol Tunneling, Reflective Code Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Exploitation for Client Execution, Screen Capture, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Data Transfer Size Limits, Data Obfuscation: Protocol or Service Impersonation, Data Encoding: Standard Encoding, File and Directory Discovery, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Native API, Exploitation for Privilege Escalation, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Query Registry, Browser Session Hijacking, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: Timestomp, System Binary Proxy Execution: Rundll32, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Hide Artifacts: Process Argument Spoofing, Non-Application Layer Protocol, Scheduled Transfer, Subvert Trust Controls: Code Signing
S0013 PlugX [1][2] Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Hijack Execution Flow: DLL Search Order Hijacking, Deobfuscate/Decode Files or Information, Trusted Developer Utilities Proxy Execution: MSBuild, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, File and Directory Discovery, Native API, Query Registry, Obfuscated Files or Information, System Network Connections Discovery, Network Share Discovery, Web Service: Dead Drop Resolver, Virtualization/Sandbox Evasion: System Checks, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Hide Artifacts: Hidden Files and Directories, Non-Application Layer Protocol

References