Fake Zoom App Dropped by New APT ‘LuminousMoth’
A suspected Chinese advanced persistent threat (APT) group is spreading a fake Zoom installer in order to spy on targets in Southeast Asia. The group, tracked as LuminousMoth, focuses on cyber espionage and information theft from high-profile targets such as governments in Asia. Cybersecurity researchers have detected roughly 100 victims in Myanmar connected to the campaign and nearly 1,400 in the Philippines. The campaign likely began around or before October 2020, according to researchers. Researchers at Kaspersky report that the new threat actor appears to attack entities across Southeast Asia en masse and then select only a few of them for further attack with malware and data exfiltration. The campaign is reportedly large-scale and still highly active.
The way LuminousMoth spreads also strikes researchers as unusual, since it evades detection less well than other methods: the malware copies itself to removable USB drives. Kaspersky stated that this spreading mechanism likely accounts for the high infection rate, and could explain why the group appears to pursue only specific targets even though it has reportedly infiltrated over a thousand devices. LuminousMoth shares some network infrastructure with another Chinese hacking group, Mustang Panda. The infection chain ultimately results in the deployment of a Cobalt Strike beacon as the payload.