With ties to China, the threat actor Earth Lusca initiated a fresh campaign exploiting Chinese-Taiwanese relations as a means of social engineering. The campaign unfolded between December 2023 and January 2024, showcasing the group’s adaptable tactics.
Researchers at Trend Micro detailed the operation, revealing that the attack utilised a lure document focusing on geopolitical issues between China and Taiwan. This document, apparently authentic and pilfered from a Taiwanese geopolitical expert, emerged as the primary vehicle for infection, strategically timed just two days before the Taiwanese national elections.
The Earth Lusca attack chain begins with spear phishing, delivering an archive file named ‘China’s gray zone warfare against Taiwan.7z’ to the targets. The file contains a hidden payload in a _MACOS subfolder, utilising an unconventional approach to conceal the malicious payload.
The _MACOS subfolder, seemingly mimicking the legitimate _MACOSX folder on macOS, contains files with metadata indicating modification on Jan 11, 2024. The LNK files execute JavaScript code stored in the _MACOS folder, initiating a multi-stage infection chain.
The second stage involves obfuscating JavaScript code, utilising Dan Edward’s JavaScript Packer to prevent analysis and detection. The third stage drops a text file to %APPDATA%\Roaming, initiating a living-off-the-land technique to decode a hexadecimal string, leading to the extraction of a cabinet archive. This archive contains decoy files, a signed legitimate executable file, and a malicious DLL library.
The fourth stage introduces a stateless Cobalt Strike payload, demonstrating an elevated level of sophistication in the attacks.
The attribution challenge has been further complicated by a leak implicating I-Soon, raising questions about its involvement in Earth Lusca’s activities.
Researchers were able to link the current attack with a previous attack by I-Soon, known as ‘APT Defense and Research Laboratory.’ They found that the victim list of both attacks was more or less the same. Also, the tools and malware arsenals, including ShadowPad and Winnti, were used in both attacks. Furthermore, the source IP address in Chengdu, Sichuan province, was the same in both attacks.
In September 2023, it was reported that Earth Lusca was targeting high-profile individuals and organisations in Hong Kong, Southeast Asia and other regions.
Cybersecurity experts advised organisations to adopt best practices and urged them not to open suspicious links and regularly update the software.
In the News: MicroStrategy’s X account hacked in a $440,000 crypto scam