LuminousMoth
LuminousMoth is a Chinese-speaking cyber espionage group that has been active since at least October 2020. LuminousMoth has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a connection between LuminousMoth and Mustang Panda based on similar targeting and TTPs, as well as network infrastructure overlaps.[1][2]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1557 | .002 | Adversary-in-the-Middle: ARP Cache Poisoning |
LuminousMoth has used ARP spoofing to redirect a compromised machine to an actor-controlled website.[2] |
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
LuminousMoth has used HTTP for C2.[1] |
| Enterprise | T1560 | Archive Collected Data |
LuminousMoth has manually archived stolen files from victim machines before exfiltration.[2] |
|
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
LuminousMoth has used malicious DLLs that setup persistence in the Registry Key |
| Enterprise | T1005 | Data from Local System |
LuminousMoth has collected files and data from compromised machines.[1][2] |
|
| Enterprise | T1030 | Data Transfer Size Limits |
LuminousMoth has split archived files into multiple parts to bypass a 5MB limit.[2] |
|
| Enterprise | T1587 | .001 | Develop Capabilities: Malware |
LuminousMoth has used unique malware for information theft and exfiltration.[1][2] |
| Enterprise | T1041 | Exfiltration Over C2 Channel |
LuminousMoth has used malware that exfiltrates stolen data to its C2 server.[1] |
|
| Enterprise | T1567 | .002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage |
LuminousMoth has exfiltrated data to Google Drive.[2] |
| Enterprise | T1083 | File and Directory Discovery |
LuminousMoth has used malware that scans for files in the Documents, Desktop, and Download folders and in other drives.[1][2] |
|
| Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories |
LuminousMoth has used malware to store malicious binaries in hidden directories on victim's USB drives.[1] |
| Enterprise | T1574 | .001 | Hijack Execution Flow: DLL |
LuminousMoth has used legitimate executables such as |
| Enterprise | T1105 | Ingress Tool Transfer |
LuminousMoth has downloaded additional malware and tools onto a compromised host.[1][2] |
|
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Resource Name or Location |
LuminousMoth has disguised their exfiltration malware as |
| Enterprise | T1112 | Modify Registry |
LuminousMoth has used malware that adds Registry keys for persistence.[1][2] |
|
| Enterprise | T1588 | .001 | Obtain Capabilities: Malware |
LuminousMoth has obtained and used malware such as Cobalt Strike.[1][2] |
| .002 | Obtain Capabilities: Tool |
LuminousMoth has obtained an ARP spoofing tool from GitHub.[2] |
||
| .004 | Obtain Capabilities: Digital Certificates |
LuminousMoth has used a valid digital certificate for some of their malware.[1] |
||
| Enterprise | T1566 | .002 | Phishing: Spearphishing Link |
LuminousMoth has sent spearphishing emails containing a malicious Dropbox download link.[1] |
| Enterprise | T1091 | Replication Through Removable Media |
LuminousMoth has used malicious DLLs to spread malware to connected removable USB drives on infected machines.[1][2] |
|
| Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
LuminousMoth has created scheduled tasks to establish persistence for their tools.[2] |
| Enterprise | T1608 | .001 | Stage Capabilities: Upload Malware |
LuminousMoth has hosted malicious payloads on Dropbox.[1] |
| .004 | Stage Capabilities: Drive-by Target |
LuminousMoth has redirected compromised machines to an actor-controlled webpage through HTML injection.[2] |
||
| .005 | Stage Capabilities: Link Target |
LuminousMoth has created a link to a Dropbox file that has been used in their spear-phishing operations.[1] |
||
| Enterprise | T1539 | Steal Web Session Cookie |
LuminousMoth has used an unnamed post-exploitation tool to steal cookies from the Chrome browser.[1] |
|
| Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
LuminousMoth has signed their malware with a valid digital signature.[1] |
| Enterprise | T1033 | System Owner/User Discovery |
LuminousMoth has used a malicious DLL to collect the username from compromised hosts.[2] |
|
| Enterprise | T1204 | .001 | User Execution: Malicious Link |
LuminousMoth has lured victims into clicking malicious Dropbox download links delivered through spearphishing.[1] |