An unidentified threat actor named Earth Lusca was observed attacking organizations around the globe as part of what seems to be both an espionage operation and an attempt at monetary profit.
“The list of its victims includes high-value targets such as government and educational institutions, religious movements, pro-democracy and human rights organizations in Hong Kong, COVID-19 research organizations, and the media, amongst others,” Trend Micro researchers said in a new report. “However, the threat actor also seems to be financially motivated, as it also took aim at gambling and cryptocurrency companies.
The cybersecurity company attributed this group to the larger China-based Winnti Cluster ,, which refers more to multiple linked entities than one entity and is focused on intellectual property theft and intelligence gathering.
Earth Lusca’s intrusion routes are facilitated by spear-phishing and watering hole attacks, while also leveraging vulnerabilities in public-facing applications, such as Microsoft Exchange ProxyShell and Oracle GlassFish Server exploits, as an attack vector.
The infection chains lead to the deployment of Cobalt Strike, alongside a variety of additional malware such as Doraemon, ShadowPad, Winnti, FunnySwitch, and web shells like AntSword and Behinder.
Cobalt Strike, a fully-featured intruder suite was originally created for remote access and penetration testing by red teams. It has been a popular tool in the arsenal of threat actors and is now the main way to turn a foothold into an intrusion.
Interestingly, while the attacks also involve installing cryptocurrency miners on infected hosts, the researchers pointed out that “the revenue earned from the mining activities seem low. “
Telemetry data gathered by Trend Micro reveal that Earth Lusca staged attacks against entities that could be of strategic interest to the Chinese government, including —
- Gambling companies in Mainland China
- Government institutions in Taiwan, Thailand, Philippines, Vietnam, United Arab Emirates, Mongolia, and Nigeria
- Educational institutions in Taiwan, Hong Kong, Japan, and France
- News media in Taiwan, Hong Kong, Australia, Germany, and France
- Pro-democracy and human rights political organizations and movements in Hong Kong
- COVID-19 research organizations in the U.S.
- Telecom companies in Nepal
- Religious movements that are banned in Mainland China, and
- Various cryptocurrency trading platforms
“Evidence points to Earth Lusca being a highly-skilled and dangerous threat actor mainly motivated by cyberespionage and financial gain. Researchers said that the group still relies on traditional techniques to trap a target.
” While this technique has many advantages, it is also a good way to prevent clicking on unsolicited email/website links, and update important applications that are public. This can reduce or stop an Earth Lusca attack. “