The folder also contained an LNK file and a __MACOS folder with payload, this time timestamped Dec. 22, 2023.

Similar to the previously analyzed archive, several stages lead to this last stage (namely Cobalt Strike), only with different configurations. The C&C server name abuses the name of the cybersecurity company Cybereason. The malleable profile is also different this time and uses different URLs, although the watermark remains the same.

C2Server                         – www.cybereason.xyz,/mobile-android
HttpPostUri                      – /RELEASE_NOTES
Watermark                        – 100000000

As mentioned in the introduction, the campaign exposed in this report was likely active between December 2023 and January 2024, with the lure document created just two days before the Taiwanese national elections.

The C&C domain used by Earth Lusca (updateservice[.]store) was registered anonymously on Dec. 12, 2023 and a subdomain was used for C&C communications (upserver.updateservice[.]store).

Meanwhile, the other C&C domain used in this attack campaign (Cybereason[.]xyz) was registered anonymously on Oct. 27, 2023.

Both C&C servers are unavailable as of this writing.

We also found evidence that Earth Lusca targeted a Taiwan-based private academic think tank dedicated to the study of international political and economic situations.

While we could not find other campaign targets at the time of writing, we suspect Earth Lusca might be planning to attack more politically related entities.

A recent leak on GitHub exposed sizeable data on a Chinese company called I-Soon that has seemingly been active since 2016. The company describes itself on its website as an “APT Defense and Research Laboratory” and provides descriptions of its services: offensive and defensive security, antifraud solutions, blockchain forensics solutions, security products, and more. The group also notes several law enforcement and government entities with which it collaborates. As an interesting aside, I-Soon had been the recipient of a few rounds of fundings since 2017. One of its investors was the antivirus company Qihoo from China —  which, as stated earlier, had an executable file abused for DLL hijacking.

We found a few indicators in the I-Soon leak that made us believe that some of the Earth Lusca activities are similar to the contents of the leak:

  1. There is some victim overlap between Earth Lusca and I-Soon: Some of the names on the victim lists of the I-Soon leak were also victims of Earth Lusca’s attacks.
  2. The malware and tools arsenal used by I-Soon and Earth Lusca has a few strong overlaps. Malware such as ShadowPad, Winnti and a few other tools have been used extensively by Earth Lusca and are used by i-Soon as well.
  3. We also discovered a location overlap between the two. In a blog entry in September 2023, we mentioned that Earth Lusca’s source IP addresses are from Chengdu, Sichuan province, where the main office of I-Soon’s penetration teams is also located.

 Earth Lusca remains an active threat actor that counts cyberespionage among its primary motivations. Organizations must remain vigilant against APT groups employing sophisticated TTPs. In particular, government organizations face potential harm that could affect not only national and economic security but also international relations if malicious actors were to succeed in stealing classified information. Meanwhile, businesses that fall prey to cyberespionage attacks might face a decline in customer trust and operational disruptions that in turn lead to financial repercussions.

Given Earth Lusca’s penchant for using email, resorting to social engineering as one of its main avenues of infection, and capitalizing on relevant social and political issues as seen in this campaign, we advise individuals and organizations to adhere to security best practices, such as avoiding clicking on suspicious email and website links and updating software in a timely manner to minimize the chances of falling victim to an Earth Lusca attack

MITRE ATT&CK techniques

Below listed techniques are subset of MITRE ATT&CK list..

Leave a Reply

Your email address will not be published. Required fields are marked *