
Chinese Hackers Victimize Southeast Asian Government Entities


Research by the Russian cyber security firm Kaspersky has brought to light the ever-widening scope of a cyber attack campaign that has set its sights on multiple targets located in the Philippines.

The campaign originally started in Myanmar, and the security firm attributes it to a threat actor it tracks as “LuminousMoth.” Analysis of the attacker’s patterns and procedures revealed more about the group the threat actor is connected to, which the researchers believe to be HoneyMyte or Mustang Panda, a Chinese state-sponsored hacking group.

The attacker did not discriminate between its victims, targeting civilians and government entities alike. About 100 victims in Myanmar and close to 1,400 in the Philippines were identified, although the number of victims reported so far may be only the tip of the iceberg compared to the actual figure.

According to the researchers, the primary objective of the attacks was to compromise a broad swath of machines and then single out only the specific targets the attacker(s) found interesting: a high-risk, high-reward tactic. The attack begins with a spear-phishing email sent to the victim that contains a Dropbox download link; the link redirects to a RAR archive file impersonating a Word document. The RAR archive contains two malicious DLL libraries, version.dll and wwlib.dll, as well as the executables that allow the malware to run on the victim’s machine.

The malware uses removable USB drives and the version.dll library to spread to other machines, whereas wwlib.dll is responsible for downloading a Cobalt Strike beacon onto the victim’s machine from a remote domain controlled by the attacker.
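Defenders triaging a suspect removable drive or an extracted archive can look for the pattern the article describes: the two DLL names sitting next to an executable, outside the directories where the legitimate libraries normally live. The script below is an added example written for this page, not code from the article or from Kaspersky; the "expected" locations of the legitimate version.dll and wwlib.dll and the sample paths in the comments are assumptions for illustration.

```python
"""Triage helper (added example): flag copies of version.dll / wwlib.dll
outside the directories where the legitimate libraries live, and list the
executables that share a directory with them (DLL side-loading candidates)."""
import os
from pathlib import PureWindowsPath

# DLL names taken from the report.
SUSPECT_DLLS = {"version.dll", "wwlib.dll"}

# Assumed legitimate locations (an assumption for this example, not from the
# report): version.dll ships in the Windows system directories, wwlib.dll is a
# Microsoft Word component under Program Files. Adjust for your environment.
EXPECTED_PARENTS = {
    "version.dll": (r"c:\windows\system32", r"c:\windows\syswow64"),
    "wwlib.dll": (r"c:\program files\microsoft office",
                  r"c:\program files (x86)\microsoft office"),
}
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com"}


def _is_expected(dll_name, parent):
    """True when the DLL sits in (or below) one of its known-good directories."""
    p = parent.lower()
    return any(p == e or p.startswith(e + "\\") for e in EXPECTED_PARENTS[dll_name])


def find_sideload_candidates(paths):
    """Take full Windows-style file paths (e.g. a listing of a removable drive
    or an extracted archive) and return one finding per suspect DLL that sits
    outside its expected location, with the executables found beside it."""
    by_dir = {}
    for raw in paths:  # e.g. constructed sample: r"E:\Documents\version.dll"
        p = PureWindowsPath(raw)
        by_dir.setdefault(str(p.parent).lower(), []).append(p.name)
    findings = []
    for parent, names in sorted(by_dir.items()):
        present = SUSPECT_DLLS & {n.lower() for n in names}
        for dll in sorted(present):
            if _is_expected(dll, parent):
                continue  # the real library in its normal home
            siblings = sorted(n for n in names
                              if PureWindowsPath(n).suffix.lower() in EXECUTABLE_SUFFIXES)
            findings.append({"dll": dll, "directory": parent,
                             "sibling_executables": siblings})
    return findings


def scan_tree(root):
    """Walk a mounted directory and feed every file path to the checker."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return find_sideload_candidates(paths)
```

Run `scan_tree` against the mount point of a drive or the folder an archive was extracted to; each finding names the stray DLL, its directory and the executables beside it so an analyst can pull those files for closer inspection.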

In some cases the hackers also used a post-exploitation tool in the Zoom video conferencing app to exfiltrate potentially sensitive files to a remote server. The attackers used legitimate digital certificates with the software, which helped it evade detection.

According to Kaspersky, LuminousMoth’s and Mustang Panda’s recent attacks and choice of victims might be an effort to shake things up in order to obscure any past attributions, as well as to develop new malware that gives the attacking group an even greater defensive advantage.

In a statement, the researchers acknowledged the frequency and the craftiness of the attacks, saying that the attackers “will handpick a set of targets that in turn are handled with almost surgical precision, with infection vectors, malicious implants and payloads being tailored to the victims’ identities or environment.”
