Earth Lusca

Tags: China, Espionage, ShadowPad

Earth Lusca is a China-linked cyber espionage group, also tracked as TAG-22, RedHotel and Fishmonger. Reporting from cybersecurity firms describes three initial-access methods: spearphishing emails carrying a malicious link, watering-hole attacks staged on compromised legitimate websites, and direct exploitation of vulnerable public-facing servers (Microsoft Exchange, Oracle GlassFish). Post-compromise tooling is a mix of commodity and custom malware, including the Cobalt Strike, ShadowPad and Winnti for Linux backdoors, Mimikatz and ProcDump for credential theft, and open-source scanning and discovery utilities.

Indicators of Compromise

ipwho.is
valorantcheatsboss.com
tryno.ru
wiwirdo.ac.ug
anaida.evisyn.lol

Note: ipwho.is is a public IP-geolocation API that legitimate software also queries; a DNS hit on it is a weak, corroborating signal and should not be blocked or alerted on by itself. The remaining four domains have no legitimate use on a corporate network and can be treated as high-confidence.
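To show how the indicator list above is actually applied, here is an added example (not code from the original page or from any vendor) that matches DNS query-log lines against the domains. It uses suffix matching so that subdomains of an indicator hit while look-alike names such as tryno.ru.internal.corp do not, and it carries the low-confidence tag for ipwho.is through to the result. The log lines are constructed for the demo, in the shape of a BIND query log; the INDICATORS table is the list from this page.

```python
"""Match DNS query-log lines against the Earth Lusca indicator list.

Added example, not part of the original threat-intel page. The log lines are
constructed for the demo; the indicator list is the one given on the page.
"""
import re
from collections import namedtuple

# Domain -> confidence. ipwho.is is a public IP-geolocation API with heavy
# legitimate use, so a hit on it only corroborates other findings.
INDICATORS = {
    "ipwho.is": "low",
    "valorantcheatsboss.com": "high",
    "tryno.ru": "high",
    "wiwirdo.ac.ug": "high",
    "anaida.evisyn.lol": "high",
}

Hit = namedtuple("Hit", "line client qname indicator confidence")

# Constructed sample lines (clients, names and timestamps are invented).
SAMPLE_LOG = """\
01-Mar-2024 10:02:11.101 client 10.1.4.22#51234: query: www.example.com IN A + (10.1.0.5)
01-Mar-2024 10:02:15.442 client 10.1.4.22#51240: query: ipwho.is IN A + (10.1.0.5)
01-Mar-2024 10:03:01.007 client 10.1.4.22#51251: query: cdn.valorantcheatsboss.com IN A + (10.1.0.5)
01-Mar-2024 10:03:07.900 client 10.1.7.9#40011: query: tryno.ru.internal.corp IN A + (10.1.0.5)
01-Mar-2024 10:04:12.350 client 10.1.7.9#40019: query: anaida.evisyn.lol IN TXT + (10.1.0.5)
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


def match_domain(qname):
    """Return the indicator that qname equals or is a subdomain of, else None.

    Suffix matching on label boundaries: 'cdn.valorantcheatsboss.com' hits,
    but 'tryno.ru.internal.corp' does not, because the indicator must be the
    registrable tail of the name, not merely a substring.
    """
    q = qname.rstrip(".").lower()
    for ind in INDICATORS:
        if q == ind or q.endswith("." + ind):
            return ind
    return None


def scan_dns_log(text):
    """Parse each query line and return a Hit for every indicator match."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = QUERY_RE.search(line)
        if not m:
            continue
        ind = match_domain(m.group("qname"))
        if ind:
            hits.append(Hit(lineno, m.group("client"), m.group("qname"),
                            ind, INDICATORS[ind]))
    return hits


def high_confidence_clients(hits):
    """Clients that resolved a high-confidence indicator: the ones to triage first."""
    return sorted({h.client for h in hits if h.confidence == "high"})


if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_LOG):
        print(f"line {h.line}: {h.client} -> {h.qname} [{h.indicator}, {h.confidence}]")
```

Run against a real export, replace SAMPLE_LOG with the file contents and keep the suffix-match rule as is; the most common mistake with domain indicators is a plain substring search, which would turn the tryno.ru entry into a false positive on any internal name that happens to contain it.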

APT Groups (1)

Earth Lusca (China); also tracked as TAG-22, RedHotel and Fishmonger

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Domain  ID  Name  Use

Enterprise  T1548.002  Abuse Elevation Control Mechanism: Bypass User Account Control

Earth Lusca has used the Fodhelper UAC bypass technique to gain elevated privileges.[1]

Enterprise  T1098.004  Account Manipulation: SSH Authorized Keys

Earth Lusca has dropped an SSH authorized key into /root/.ssh in order to access a compromised server over SSH.[1]

Enterprise  T1583.001  Acquire Infrastructure: Domains

Earth Lusca has registered look-alike domains, intended to resemble legitimate target domains, for use in watering hole attacks.[1]

Enterprise  T1583.004  Acquire Infrastructure: Server

Earth Lusca has acquired multiple servers for some of their operations, using each server for a different role.[1]

Enterprise  T1583.006  Acquire Infrastructure: Web Services

Earth Lusca has established GitHub accounts to host their malware.[1]

Enterprise  T1595.002  Active Scanning: Vulnerability Scanning

Earth Lusca has scanned the public-facing servers of their targets for vulnerabilities.[1]

Enterprise  T1560.001  Archive Collected Data: Archive via Utility

Earth Lusca has used WinRAR to compress stolen files into an archive prior to exfiltration.[1]

Enterprise  T1547.012  Boot or Logon Autostart Execution: Print Processors

Earth Lusca has registered its malware as a Print Processor with reg add "HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\UDPrint" /v Driver /d "spool.dll" /f, so that the Print Spooler service loads spool.dll.[1]

Enterprise  T1059.001  Command and Scripting Interpreter: PowerShell

Earth Lusca has used PowerShell to execute commands.[1]

Enterprise  T1059.005  Command and Scripting Interpreter: Visual Basic

Earth Lusca has used VBA scripts.[1]

Enterprise  T1059.006  Command and Scripting Interpreter: Python

Earth Lusca has used Python scripts for port scanning and for building reverse shells.[1]

Enterprise  T1059.007  Command and Scripting Interpreter: JavaScript

Earth Lusca has manipulated legitimate websites to inject malicious JavaScript code as part of their watering hole operations.[1]

Enterprise  T1584.004  Compromise Infrastructure: Server

Earth Lusca has used compromised web servers as part of their operational infrastructure.[1]

Enterprise  T1584.006  Compromise Infrastructure: Web Services

Earth Lusca has compromised Google Drive repositories.[1]

Enterprise  T1543.003  Create or Modify System Process: Windows Service

Earth Lusca created a service for persistence using the command sc create "SysUpdate" binpath= "cmd /c start "[file path]""&&sc config "SysUpdate" start= auto&&net start SysUpdate.[1]

Enterprise  T1140  Deobfuscate/Decode Files or Information

Earth Lusca has used certutil to decode a string into a cabinet file.[1]

Enterprise  T1482  Domain Trust Discovery

Earth Lusca has used Nltest to obtain information about domain controllers.[1]

Enterprise  T1189  Drive-by Compromise

Earth Lusca has performed watering hole attacks.[1]

Enterprise  T1567.002  Exfiltration Over Web Service: Exfiltration to Cloud Storage

Earth Lusca has used the megacmd tool to upload stolen files from a victim network to MEGA.[1]

Enterprise  T1190  Exploit Public-Facing Application

Earth Lusca has compromised victims by directly exploiting vulnerabilities in public-facing servers, including those running Microsoft Exchange and Oracle GlassFish.[1]

Enterprise  T1210  Exploitation of Remote Services

Earth Lusca has used Mimikatz to exploit a domain controller via the ZeroLogon exploit (CVE-2020-1472).[1]

Enterprise  T1574.002  Hijack Execution Flow: DLL Side-Loading

Earth Lusca has placed a malicious payload at %WINDIR%\SYSTEM32\oci.dll so that it would be side-loaded by the MSDTC service.[1]

Enterprise  T1036.005  Masquerading: Match Legitimate Name or Location

Earth Lusca used the command move [file path] c:\windows\system32\spool\prtprocs\x64\spool.dll to place a malicious DLL under the name and location of a Windows print processor, which the Print Spooler service eventually loaded.[1]

Enterprise  T1112  Modify Registry

Earth Lusca modified the registry for persistence using the command reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_SZ /d "[file path]".[1]

Enterprise  T1027  Obfuscated Files or Information

Earth Lusca used Base64 to encode strings.[1]

Enterprise  T1027.003  Obfuscated Files or Information: Steganography

Earth Lusca has used steganography to hide shellcode in a BMP image file.[1]

Enterprise  T1588.001  Obtain Capabilities: Malware

Earth Lusca has acquired and used a variety of malware, including Cobalt Strike.[1]

Enterprise  T1588.002  Obtain Capabilities: Tool

Earth Lusca has acquired and used a variety of open source tools.[1]

Enterprise  T1003.001  OS Credential Dumping: LSASS Memory

Earth Lusca has used ProcDump to dump the memory of the LSASS process and recover credential hashes from it.[1]

Enterprise  T1003.006  OS Credential Dumping: DCSync

Earth Lusca has used the DCSync command of Mimikatz to retrieve credentials from an exploited domain controller.[1]

Enterprise  T1566.002  Phishing: Spearphishing Link

Earth Lusca has sent spearphishing emails containing a malicious link to potential targets.[1]

Enterprise  T1057  Process Discovery

Earth Lusca has used Tasklist to enumerate running processes on a compromised host.[1]

Enterprise  T1090  Proxy

Earth Lusca adopted Cloudflare as a proxy in front of compromised servers.[1]

Enterprise  T1018  Remote System Discovery

Earth Lusca used the command powershell "Get-EventLog -LogName security -Newest 500 | where {$_.EventID -eq 4624} | format-list -property * | findstr "Address"" to pull the source addresses of successful logons and so discover other machines. Earth Lusca has also used multiple scanning tools to discover other machines within the same compromised network.[1]

Enterprise  T1053  Scheduled Task/Job

Earth Lusca used the command schtasks /Create /SC ONLOGON /TN WindowsUpdateCheck /TR "[file path]" /ru system for persistence.[1]

Enterprise  T1608.001  Stage Capabilities: Upload Malware

Earth Lusca has staged malware and malicious files on compromised web servers, GitHub, and Google Drive.[1]

Enterprise  T1218.005  System Binary Proxy Execution: Mshta

Earth Lusca has used mshta.exe to load an HTA script from within a malicious .LNK file.[1]

Enterprise  T1016  System Network Configuration Discovery

Earth Lusca used the command ipconfig to obtain information about network configuration.[1]

Enterprise  T1049  System Network Connections Discovery

Earth Lusca employed a PowerShell script called RDPConnectionParser to read and filter the Windows event log "Microsoft-Windows-TerminalServices-RDPClient/Operational" (Event ID 1024) to obtain network information from outbound RDP connections. Earth Lusca has also used netstat on a compromised system to obtain network connection information.[1]

Enterprise  T1033  System Owner/User Discovery

Earth Lusca collected information on user accounts via the whoami command.[1]

Enterprise  T1007  System Service Discovery

Earth Lusca has used Tasklist to obtain process and service information from a compromised host.[1]

Enterprise  T1204.001  User Execution: Malicious Link

Earth Lusca has sent spearphishing emails that required the user to click a malicious link and subsequently open a decoy document carrying a malicious loader.[1]

Enterprise  T1204.002  User Execution: Malicious File

Earth Lusca required users to open a malicious file for the loader to activate.[1]

Enterprise  T1047  Windows Management Instrumentation

Earth Lusca used a VBA script to execute WMI.[1]
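Most rows in the table above are defined by a specific command line (the Print Processor reg add, the SysUpdate service, the UserInitMprLogonScript value, the ONLOGON scheduled task, certutil -decode, ProcDump against LSASS, mshta, the spool.dll and oci.dll file moves, megacmd), which makes them cheap to hunt in process-creation telemetry. The following is an added example, not code from the page or from any vendor: it encodes those command lines as rules and runs them over constructed Sysmon Event ID 1 records (hosts, users and file paths are invented), including two benign controls, certutil -verify and ipconfig /all, that must not fire. A host that accumulates several of these techniques is the strongest signal, so hits are also grouped per host.

```python
"""Hunt process-creation telemetry for the Earth Lusca command lines listed above.

Added example; it is not code from the original page or from any vendor. The
records below are constructed to resemble Sysmon Event ID 1 (process create)
entries exported as JSON lines, with field names following Sysmon's schema.
Host names, users and file paths are invented for the demo.
"""
import json
import re
from collections import defaultdict

# One rule per observable command line from the technique table:
# (ATT&CK ID, description, case-insensitive regex over CommandLine).
RULES = [
    ("T1547.012", "Print Processor registered via reg add",
     re.compile(r'reg(\.exe)?\s+add\s+.*\\Print Processors\\.*\s/v\s+Driver', re.I)),
    ("T1543.003", "service binpath launches cmd /c start",
     re.compile(r'sc(\.exe)?\s+create\s+.*binpath=\s*"?cmd\s+/c\s+start', re.I)),
    ("T1112", "UserInitMprLogonScript set under HKCU\\Environment",
     re.compile(r'reg(\.exe)?\s+add\s+.*\\Environment"?\s+/v\s+UserInitMprLogonScript', re.I)),
    ("T1053", "logon-triggered scheduled task running as SYSTEM",
     re.compile(r'schtasks(\.exe)?\s+/create\s+.*/sc\s+onlogon\b.*/ru\s+system\b', re.I)),
    ("T1140", "certutil -decode of a staged payload",
     re.compile(r'certutil(\.exe)?\s+.*-decode\b', re.I)),
    ("T1003.001", "ProcDump dumping LSASS",
     re.compile(r'procdump(64)?(\.exe)?\s+.*\blsass(\.exe)?\b', re.I)),
    ("T1218.005", "mshta launching an HTA",
     re.compile(r'mshta(\.exe)?\s+.*\.hta\b', re.I)),
    ("T1036.005", "DLL moved into the print-processor directory",
     re.compile(r'\b(move|copy)\b.*\\spool\\prtprocs\\x64\\', re.I)),
    ("T1574.002", "payload written as System32\\oci.dll for MSDTC side-loading",
     re.compile(r'\b(move|copy)\b.*\\system32\\oci\.dll\b', re.I)),
    ("T1567.002", "megacmd upload to MEGA",
     re.compile(r'\bmega(cmd|-put)(\.exe)?\b', re.I)),
]

# Constructed Sysmon-style process-creation records (JSON lines). The last two
# are benign controls that must not match any rule.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Computer": "WS-0147", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": "reg add \"HKLM\\SYSTEM\\ControlSet001\\Control\\Print\\Environments\\Windows x64\\Print Processors\\UDPrint\" /v Driver /d \"spool.dll\" /f"}
{"EventID": 1, "Computer": "WS-0147", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c sc create \"SysUpdate\" binpath= \"cmd /c start \"C:\\ProgramData\\up.exe\"\"&&sc config \"SysUpdate\" start= auto&&net start SysUpdate"}
{"EventID": 1, "Computer": "WS-0147", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": "reg add \"HKEY_CURRENT_USER\\Environment\" /v UserInitMprLogonScript /t REG_SZ /d \"C:\\ProgramData\\up.exe\""}
{"EventID": 1, "Computer": "WS-0147", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /Create /SC ONLOGON /TN WindowsUpdateCheck /TR \"C:\\ProgramData\\up.exe\" /ru system"}
{"EventID": 1, "Computer": "WS-0147", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil -decode C:\\Users\\jdoe\\AppData\\Local\\Temp\\a.txt C:\\Users\\jdoe\\AppData\\Local\\Temp\\a.cab"}
{"EventID": 1, "Computer": "SRV-DC01", "User": "CORP\\svc-backup", "Image": "C:\\Tools\\procdump64.exe", "CommandLine": "procdump64.exe -accepteula -ma lsass.exe C:\\Windows\\Temp\\ls.dmp"}
{"EventID": 1, "Computer": "WS-0022", "User": "CORP\\asmith", "Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil -verify -urlfetch C:\\Temp\\signer.cer"}
{"EventID": 1, "Computer": "WS-0022", "User": "CORP\\asmith", "Image": "C:\\Windows\\System32\\ipconfig.exe", "CommandLine": "ipconfig /all"}
"""


def load_events(text):
    """Parse JSON-lines telemetry into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt(events):
    """Return (technique, description, host, user, command line) for every rule hit."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:          # only process-creation events
            continue
        cmd = ev.get("CommandLine", "")
        for tid, desc, rx in RULES:
            if rx.search(cmd):
                hits.append((tid, desc, ev["Computer"], ev["User"], cmd))
    return hits


def techniques_by_host(hits):
    """Group hit technique IDs per host; several distinct persistence techniques
    on one host is a far stronger signal than any single rule."""
    by_host = defaultdict(set)
    for tid, _, host, _, _ in hits:
        by_host[host].add(tid)
    return {host: sorted(tids) for host, tids in by_host.items()}


if __name__ == "__main__":
    found = hunt(load_events(SAMPLE_EVENTS))
    for tid, desc, host, user, cmd in found:
        print(f"{tid:<10} {host:<9} {user:<22} {desc}")
    print(techniques_by_host(found))
```

The regexes anchor on the arguments that make each command malicious (the Print Processors key plus /v Driver, binpath= pointing at cmd /c start, /ru system on an ONLOGON task, lsass as the ProcDump target) rather than on the tool name alone, which is why the certutil -verify control does not fire; a rule keyed only on certutil.exe would page on every certificate check in the estate.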

ID  Name  References  Techniques

S0160  certutil  [1]
Deobfuscate/Decode Files or Information; Ingress Tool Transfer; Subvert Trust Controls: Install Root Certificate

S0154  Cobalt Strike  [1]
Abuse Elevation Control Mechanism: Bypass User Account Control; Abuse Elevation Control Mechanism: Sudo and Sudo Caching; Access Token Manipulation: Token Impersonation/Theft; Access Token Manipulation: Parent PID Spoofing; Access Token Manipulation: Make and Impersonate Token; Account Discovery: Domain Account; Application Layer Protocol: Web Protocols; Application Layer Protocol: DNS; Application Layer Protocol; BITS Jobs; Browser Session Hijacking; Command and Scripting Interpreter: Visual Basic; Command and Scripting Interpreter: PowerShell; Command and Scripting Interpreter: JavaScript; Command and Scripting Interpreter: Python; Command and Scripting Interpreter: Windows Command Shell; Create or Modify System Process: Windows Service; Data Encoding: Standard Encoding; Data from Local System; Data Obfuscation: Protocol Impersonation; Data Transfer Size Limits; Deobfuscate/Decode Files or Information; Encrypted Channel: Asymmetric Cryptography; Encrypted Channel: Symmetric Cryptography; Exploitation for Client Execution; Exploitation for Privilege Escalation; File and Directory Discovery; Hide Artifacts: Process Argument Spoofing; Impair Defenses: Disable or Modify Tools; Indicator Removal: Timestomp; Ingress Tool Transfer; Input Capture: Keylogging; Modify Registry; Multiband Communication; Native API; Network Service Discovery; Network Share Discovery; Non-Application Layer Protocol; Obfuscated Files or Information; Obfuscated Files or Information: Indicator Removal from Tools; Office Application Startup: Office Template Macros; OS Credential Dumping: Security Account Manager; OS Credential Dumping: LSASS Memory; Permission Groups Discovery: Domain Groups; Permission Groups Discovery: Local Groups; Process Discovery; Process Injection: Process Hollowing; Process Injection: Dynamic-link Library Injection; Process Injection; Protocol Tunneling; Proxy: Internal Proxy; Proxy: Domain Fronting; Query Registry; Reflective Code Loading; Remote Services: SSH; Remote Services: SMB/Windows Admin Shares; Remote Services: Distributed Component Object Model; Remote Services: Remote Desktop Protocol; Remote Services: Windows Remote Management; Remote System Discovery; Scheduled Transfer; Screen Capture; Software Discovery; Subvert Trust Controls: Code Signing; System Binary Proxy Execution: Rundll32; System Network Configuration Discovery; System Network Connections Discovery; System Service Discovery; System Services: Service Execution; Use Alternate Authentication Material: Pass the Hash; Valid Accounts: Local Accounts; Valid Accounts: Domain Accounts; Windows Management Instrumentation

S0002  Mimikatz  [1]
Access Token Manipulation: SID-History Injection; Account Manipulation; Boot or Logon Autostart Execution: Security Support Provider; Credentials from Password Stores; Credentials from Password Stores: Windows Credential Manager; Credentials from Password Stores: Credentials from Web Browsers; OS Credential Dumping: Security Account Manager; OS Credential Dumping: LSASS Memory; OS Credential Dumping: LSA Secrets; OS Credential Dumping: DCSync; Rogue Domain Controller; Steal or Forge Authentication Certificates; Steal or Forge Kerberos Tickets: Silver Ticket; Steal or Forge Kerberos Tickets: Golden Ticket; Unsecured Credentials: Private Keys; Use Alternate Authentication Material: Pass the Ticket; Use Alternate Authentication Material: Pass the Hash

S0590  NBTscan  [1]
Network Service Discovery; Network Sniffing; Remote System Discovery; System Network Configuration Discovery; System Owner/User Discovery

S0359  Nltest  [1]
Domain Trust Discovery; Remote System Discovery; System Network Configuration Discovery

S0194  PowerSploit  [1]
Access Token Manipulation; Account Discovery: Local Account; Audio Capture; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Boot or Logon Autostart Execution: Security Support Provider; Command and Scripting Interpreter: PowerShell; Create or Modify System Process: Windows Service; Credentials from Password Stores: Windows Credential Manager; Data from Local System; Domain Trust Discovery; Hijack Execution Flow: Path Interception by Unquoted Path; Hijack Execution Flow: Path Interception by PATH Environment Variable; Hijack Execution Flow: Path Interception by Search Order Hijacking; Hijack Execution Flow: DLL Search Order Hijacking; Input Capture: Keylogging; Obfuscated Files or Information: Indicator Removal from Tools; Obfuscated Files or Information; OS Credential Dumping: LSASS Memory; Path Interception; Process Discovery; Process Injection: Dynamic-link Library Injection; Query Registry; Reflective Code Loading; Scheduled Task/Job: Scheduled Task; Screen Capture; Steal or Forge Kerberos Tickets: Kerberoasting; Unsecured Credentials: Group Policy Preferences; Unsecured Credentials: Credentials in Registry; Windows Management Instrumentation

S0596  ShadowPad  [1]
Application Layer Protocol: File Transfer Protocols; Application Layer Protocol: DNS; Application Layer Protocol: Web Protocols; Data Encoding: Non-Standard Encoding; Deobfuscate/Decode Files or Information; Dynamic Resolution: Domain Generation Algorithms; Indicator Removal; Ingress Tool Transfer; Modify Registry; Non-Application Layer Protocol; Obfuscated Files or Information; Process Discovery; Process Injection: Dynamic-link Library Injection; Process Injection; Scheduled Transfer; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery; System Time Discovery

S0057  Tasklist  [1]
Process Discovery; Software Discovery: Security Software Discovery; System Service Discovery

S0430  Winnti for Linux  [1]
Application Layer Protocol: Web Protocols; Deobfuscate/Decode Files or Information; Encrypted Channel: Symmetric Cryptography; Ingress Tool Transfer; Non-Application Layer Protocol; Obfuscated Files or Information; Rootkit; Traffic Signaling

Observed Countries (14; the figure in parentheses is the per-country count as reported by the source)

AE (831)
AU (76)
CN (995)
DE (329)
FR (581)
HK (819)
MN (282)
NG (66)
NP (410)
PH (882)
TH (995)
TW (876)
US (268)
VN (510)