Recent investigations have unveiled a robust cyber campaign that initially targeted Myanmar but has since expanded its reach to include numerous organizations in the Philippines. This heightened activity was reported by Russian cybersecurity firm Kaspersky, which first detected these infections back in October 2020.

Kaspersky associates this malicious activity with a threat actor called LuminousMoth, which appears to have close ties to the Chinese state-sponsored hacking group known as HoneyMyte, or Mustang Panda. The researchers made this connection based on their assessment of the targets affected, as well as the tactics and procedures employed.

Approximately 100 victims were identified in Myanmar, but alarmingly, the total number of impacted entities increased to nearly 1,400 in the Philippines. Kaspersky researchers emphasized that this estimate may be misleading, as the true targets represent only a small portion of the reported figures, which primarily include various government bodies both locally and internationally.

The overarching aim of these cyber incursions is to establish a broad network of targets while zeroing in on a select few of strategic importance. Kaspersky analysts Mark Lechtik, Paul Rascagneres, and Aseel Kayal highlighted that the intrusions display both extensive breadth and focused intent, thereby allowing the threat actors to gather intelligence from high-value entities.

In terms of methodology, the initial phase of the attacks typically involves sending spear-phishing emails containing Dropbox links. Upon clicking these links, victims unwittingly download a RAR archive camouflaged as a Word document, which includes two malicious Dynamic Link Libraries (DLLs), “version.dll” and “wwlib.dll”, as well as two executable files that activate the malware. This approach corresponds to the Initial Access and Execution tactics as outlined in the MITRE ATT&CK framework.

Once the malware has a foothold, Kaspersky noted that it can use an alternative infection pathway, removable USB drives, to propagate further. Here, “version.dll” plays a crucial role, while “wwlib.dll” is used to download a Cobalt Strike beacon from a domain controlled by the attacker, an instance of the Command and Control tactic.
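The two detection opportunities in the delivery chain above, a RAR archive carrying a Word-document name and an executable sitting beside “version.dll” or “wwlib.dll” (a DLL side-loading layout), can be checked directly from file headers and directory listings. The script below is an added illustration written for this article, not Kaspersky's tooling; the file names in SAMPLE are constructed, and the executable name “loader.exe” is an assumption, since the report does not name the executables.

```python
import os
from typing import Dict, List, Tuple

# Magic bytes of the container formats involved in the lure described above.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
ZIP_MAGIC = b"PK\x03\x04"                          # .docx is an OOXML zip
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy .doc compound file

WORD_EXTENSIONS = {".doc", ".docx", ".docm", ".rtf"}
# DLL names the report says the lure archive carried for side-loading.
SIDELOAD_DLLS = {"version.dll", "wwlib.dll"}


def classify_magic(header: bytes) -> str:
    """Identify a container by its leading bytes, ignoring the file name."""
    if header.startswith(RAR5_MAGIC) or header.startswith(RAR4_MAGIC):
        return "rar"
    if header.startswith(ZIP_MAGIC):
        return "zip"
    if header.startswith(OLE_MAGIC):
        return "ole"
    return "unknown"


def is_word_masquerade(filename: str, header: bytes) -> bool:
    """True when the name claims a Word document but the bytes are a RAR archive."""
    ext = os.path.splitext(filename.lower())[1]
    return ext in WORD_EXTENSIONS and classify_magic(header) == "rar"


def sideload_candidates(listing: List[str]) -> List[Tuple[str, str]]:
    """Pair every .exe in one directory with each co-located side-load DLL."""
    names = {n.lower() for n in listing}
    exes = sorted(n for n in names if n.endswith(".exe"))
    dlls = sorted(n for n in names if n in SIDELOAD_DLLS)
    return [(exe, dll) for exe in exes for dll in dlls]


def triage(files: Dict[str, bytes]) -> Dict[str, object]:
    """Run both checks over {filename: leading bytes} of one extracted folder."""
    masquerades = sorted(n for n, h in files.items() if is_word_masquerade(n, h))
    return {"masquerades": masquerades, "sideload_pairs": sideload_candidates(list(files))}


# Constructed sample mirroring the reported archive layout; not real samples.
SAMPLE = {
    "Report.docx": RAR5_MAGIC + b"\x00" * 8,   # RAR bytes behind a Word name
    "Minutes.docx": ZIP_MAGIC + b"\x00" * 8,   # genuine OOXML header
    "loader.exe": b"MZ\x90\x00",               # assumed executable name
    "version.dll": b"MZ\x90\x00",
    "wwlib.dll": b"MZ\x90\x00",
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```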

In certain cases, the threat actor escalated their tactics by deploying a malicious, signed version of the Zoom video conferencing tool, designed to siphon sensitive data to a command-and-control server. The use of a valid digital certificate for the rogue tool was a calculated measure aimed at evading detection. Additionally, some infected systems also carried a post-exploitation utility that steals cookies from the Google Chrome browser, a Credential Access technique.

Kaspersky’s findings suggest that LuminousMoth’s recent cyber operations may signal a strategic shift, as they appear to be evolving their tactics and embracing the development of new malware tools. This adaptation could be aimed at distancing themselves from previous activities and complicating attribution to well-known groups.

Traditionally, Advanced Persistent Threat (APT) actors focus sharply on specific targets, employing meticulous strategies tailored to the identities and environments of their victims. The scale of this recent campaign is therefore atypical for such actors, but it underscores the risk to organizations in both Myanmar and the Philippines, since the underlying operations may evade standard security measures.