An advanced persistent threat (APT) campaign called LuminousMoth, attributed to the Chinese-speaking threat group HoneyMyte, is targeting the Philippines. Kaspersky, a global cybersecurity and digital privacy company, identified 100 victims in Myanmar and 1,400 in the Philippines, some of which are government entities.
APTs are sophisticated, long-term, and multi-staged attacks, usually carried out by nation-state groups or well-organized criminal enterprises. Like other attackers, APT groups try to steal data, disrupt operations, or destroy infrastructure, according to FireEye, a California-based cybersecurity company. Unlike most cybercriminals, APT attackers pursue their objectives over months or years, adapt to cyber defenses, and frequently retarget the same victim.
“It is hard to tell the actual reason for going after these countries in particular but, given the nature of the campaign, we assess that the targets in both Myanmar and the Philippines have some strategic significance for the attackers which would require collecting intelligence from entities within them,” Mark Lechtik, senior security researcher from Kaspersky’s Global Research & Analysis Team (GReAT), told BusinessWorld in an e-mail interview.
“The massive scale of the attack is quite rare. It’s also interesting that we’ve seen far more attacks in the Philippines than in Myanmar,” added Aseel Kayal, a security researcher at GReAT, in a press statement. “This could be due to the use of USB drives as a spreading mechanism, or there could be yet another infection vector that we’re not yet aware of being used in the Philippines.”
The company declined to comment on the identities of these government targets.
The initial infection occurs via spear-phishing e-mails (socially engineered messages that trick users into sharing information or opening attachments). These e-mails contain a Dropbox link that, once clicked, downloads a RAR archive disguised as a Word document. The downloaded malware then infects other hosts by spreading through removable USB drives (external storage devices that plug into a USB port). It also creates hidden directories on those drives, into which it moves all of the victim’s files.
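As an added defensive illustration (not code from the report, Kaspersky, or the campaign itself), the Python script below scans a removable drive’s directory tree for the two artifacts described above: hidden directories that could hold a user’s moved files, and files named like Word documents whose first bytes are a RAR archive signature. The sample drive layout is constructed in a temporary directory and contains no real malware.

```python
import os
import tempfile
from pathlib import Path

# RAR archives (v1.5-4 and v5) share this magic prefix; a ".docx" that begins
# with it is an archive wearing a document's name (the lure described above).
RAR_MAGIC = b"Rar!\x1a\x07"
DOC_EXTENSIONS = {".doc", ".docx", ".rtf", ".pdf"}


def is_hidden(path: Path) -> bool:
    """Dot-prefixed name, or the Windows 'hidden' attribute where the OS exposes it."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)  # 0 on non-Windows
    return bool(attrs & 0x2)  # FILE_ATTRIBUTE_HIDDEN


def scan_drive(root: str) -> dict:
    """Walk the drive; report hidden directories and document-named RAR files."""
    findings = {"hidden_dirs": [], "rar_as_document": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if is_hidden(Path(dirpath, d)):
                findings["hidden_dirs"].append(os.path.join(dirpath, d))
        for f in filenames:
            p = Path(dirpath, f)
            if p.suffix.lower() in DOC_EXTENSIONS:
                with open(p, "rb") as fh:  # check content, not just the name
                    if fh.read(len(RAR_MAGIC)) == RAR_MAGIC:
                        findings["rar_as_document"].append(str(p))
    return findings


def build_sample_drive() -> str:
    """Constructed sample tree mimicking the described layout (hypothetical names)."""
    root = tempfile.mkdtemp(prefix="usb_")
    hidden = Path(root, ".System Volume")  # hidden dir holding the 'moved' files
    hidden.mkdir()
    (hidden / "budget.xlsx").write_bytes(b"PK\x03\x04 constructed-zip-header")
    (Path(root) / "Report.docx").write_bytes(RAR_MAGIC + b"\x00 constructed-rar")
    (Path(root) / "notes.docx").write_bytes(b"PK\x03\x04 genuine-docx-header")
    return root


if __name__ == "__main__":
    print(scan_drive(build_sample_drive()))
```

The magic-byte check catches only the RAR-as-document lure named in the report; an executable given a document icon would need an additional check on the PE header.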
To stay safe from APTs like LuminousMoth, Kaspersky experts recommend:
- Providing your staff with basic cybersecurity hygiene training, as many targeted attacks start with phishing or other social engineering techniques.
- Carrying out a cybersecurity audit of your networks and remediating any weaknesses discovered in the perimeter or inside the network.
- Installing anti-APT and EDR solutions that enable threat discovery and detection, and building the capability to investigate and remediate incidents. These, along with proper endpoint protection and dedicated services, can help against high-profile attacks.
“Hidden files ought to be scanned and detected by security products, regardless of [them] not being visible to the user,” said Mr. Lechtik. “Some of the IOCs (Indicators of Compromise) we observed were detected as either suspicious or malicious even before we studied the campaign in depth.”
Mr. Lechtik also advised against plugging in just about any USB device.
“In some cases, the malware was likely delivered through infected USB devices, in which case users had to actually double click a malicious file to launch the attack,” he added. “In those scenarios, I would advise users, primarily those based in government organizations, to refrain from plugging in just about any USB device, and to be cautious and alert to any unknown files that they see in such a device had it been already in use by them.”
LuminousMoth has been conducting cyberespionage attacks against government entities since at least October 2020. While initially focusing their attention on Myanmar, the attackers have since shifted their focus to the Philippines.
The malware the campaign uses also has two post-exploitation tools. One consists of a signed, fake version of Zoom, while the other steals cookies from the Chrome browser.
The only reason for going after Chrome, Mr. Lechtik told BusinessWorld, is “either its popularity among users, or any prior knowledge of the attackers that their targets are using it as a browser.”
Kaspersky attributes LuminousMoth to the HoneyMyte threat group, which it said is primarily interested in gathering geopolitical and economic intelligence in Asia and Africa.
The Philippines is no stranger to APT campaigns. One, as mentioned by FireEye, is the APT23, which stole political and military information from US and Philippine media and government entities through spear phishing messages. Another cyberespionage group allegedly aligned with Vietnamese government interests, the APT32, targeted Philippine government agencies in 2017 to gather intelligence related to the South China Sea maritime dispute.
The different kinds of hackers
There are 11 types of hackers based on their objectives from CSO, a security and risk management research firm. They are:
1. The bank robber – a hacker who targets financial services institutions for financial gain through tools such as ransomware.
2. The nation-state – a group of hackers who steal data for their sponsors, usually nations, which then use these to infiltrate government institutions and/or companies.
3. The corporate spy – a hacker paid to provide classified information such as contracts and business plans to a rival company.
4. The professional hacking group for hire – a group of hackers with different specialties who develop, buy, or steal malware for a fee; they are motivated by financial gain or intellectual property theft.
5. The rogue gamer – a hacker in the gaming industry who steals his/her competitors’ credit caches, or causes anti-competitive distributed denial-of-service attacks (or attacks which overwhelm websites or services with more traffic than the network can accommodate).
6. The cryptojacker – a hacker who hides on a computer or mobile device and uses the machine’s resources to mine cryptocurrency, a form of online money.
7. The hacktivist – a hacker who utilizes technology to announce a social, ideological, religious, or political message.
8. The botnet master – a hacker who creates bots that are used to infect as many computers as possible, which are then used for various agendas.
9. The adware spammer – a hacker who spams a computer with adware, which bombards a victim with pop-ups, but also gathers personal information and records everything the victim types.
10. The thrill hacker – a hacker who wants to demonstrate what he/she can do and is in it for the thrill.
11. The accidental hacker – a hacker with some technical ability but who never intentionally sets out to hack.