LuminousMoth

LuminousMoth is a Chinese-speaking cyber espionage group that has been active since at least October 2020. LuminousMoth has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a connection between LuminousMoth and Mustang Panda based on similar targeting and TTPs, as well as network infrastructure overlaps.[1][2]

ID: G1014
Contributors: Kyaw Pyiyt Htet, @KyawPyiytHtet; Zaw Min Htun, @Z3TAE
Version: 1.0
Created: 23 February 2023
Last Modified: 17 April 2023

Techniques Used

Domain ID Name Use
Enterprise T1557 .002 Adversary-in-the-Middle: ARP Cache Poisoning

LuminousMoth has used ARP spoofing to redirect a compromised machine to an actor-controlled website.[2]
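The ARP spoofing above leaves a network-side artifact that is cheap to watch for: the same IP address suddenly answering from a second MAC, and one MAC claiming several IPs. The detector below is an added example for this page, not LuminousMoth tooling or MITRE content; the `ArpReply` layout and the packet records are constructed for illustration.

```python
"""Detect ARP cache poisoning from a stream of ARP replies.

Added detection example; the reply records below are constructed and the
ArpReply field layout is an assumption of this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float          # capture time in seconds
    sender_ip: str     # IP the sender claims to own
    sender_mac: str    # hardware address it asks the target to cache
    target_ip: str     # host whose ARP cache is being updated


# Constructed traffic: 10.0.0.1 is the real gateway (00:11:22:33:44:01);
# 10.0.0.7 (aa:bb:cc:dd:ee:07) starts answering for the gateway at ts=2.0.
SAMPLE_REPLIES = [
    ArpReply(1.0, "10.0.0.1", "00:11:22:33:44:01", "10.0.0.50"),
    ArpReply(1.5, "10.0.0.7", "aa:bb:cc:dd:ee:07", "10.0.0.1"),
    ArpReply(2.0, "10.0.0.1", "aa:bb:cc:dd:ee:07", "10.0.0.50"),   # poisoned
    ArpReply(2.1, "10.0.0.1", "aa:bb:cc:dd:ee:07", "10.0.0.51"),   # poisoned
    ArpReply(3.0, "10.0.0.50", "00:11:22:33:44:50", "10.0.0.1"),
]


def detect_arp_poisoning(replies, known=None):
    """Return (ts, ip, previous_mac, new_mac) for every reply that rebinds an IP.

    `known` seeds trusted IP->MAC pairs (for example the gateway, taken from a
    DHCP or switch inventory); without it the first reply seen is trusted.
    A conflicting reply is reported but never overwrites the stored binding,
    so every poisoned frame after the first is still alerted on.
    """
    bindings = dict(known or {})
    alerts = []
    for r in replies:
        prev = bindings.get(r.sender_ip)
        if prev is None:
            bindings[r.sender_ip] = r.sender_mac
        elif prev != r.sender_mac:
            alerts.append((r.ts, r.sender_ip, prev, r.sender_mac))
    return alerts


def suspect_macs(replies):
    """MACs that claim more than one IP: the usual shape of a spoofer that
    impersonates the gateway while keeping its own address."""
    claims = defaultdict(set)
    for r in replies:
        claims[r.sender_mac].add(r.sender_ip)
    return {mac: ips for mac, ips in claims.items() if len(ips) > 1}


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES):
        print("rebinding:", alert)
    print("multi-IP senders:", suspect_macs(SAMPLE_REPLIES))
```

A legitimate NIC replacement or a gateway failover pair also rebinds an IP, so seed `known` from an authoritative inventory and treat `suspect_macs` as the corroborating signal rather than alerting on the first rebinding alone.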

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

LuminousMoth has used HTTP for C2.[1]

Enterprise T1560 Archive Collected Data

LuminousMoth has manually archived stolen files from victim machines before exfiltration.[2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

LuminousMoth has used malicious DLLs that set up persistence in the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.[1][2]
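A Run-key entry that launches a DLL from a user-writable directory is the artifact to look for here. The script below is an added detection example, not LuminousMoth code or MITRE content: it scores Sysmon-style registry SetValue records (Event ID 13 field names are mimicked, the events themselves are constructed) so that a DLL payload under AppData ranks above an ordinary user-level autostart. The value names and paths are illustrative assumptions.

```python
"""Score Run-key writes for DLL-based persistence under user-writable paths.

Added detection example. The event dictionaries mimic Sysmon Event ID 13
(RegistryEvent SetValue) fields but are constructed for this page.
"""
import ntpath
import re

RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\")
# Quoted path with spaces, or an unquoted path ending at whitespace, quote or comma
# (the comma stops before a rundll32 "dll,Export" suffix).
PATH_RE = re.compile(r'"([a-z]:\\[^"]+)"|([a-z]:\\[^\s",]+)')
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

RUN_KEY_EVENTS = [  # constructed sample events
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
     "Image": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "Details": r"rundll32.exe C:\Users\victim\AppData\Roaming\Update\wwlib.dll,#1",
     "Image": r"C:\Users\victim\AppData\Roaming\Update\winword.exe"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r'"C:\Program Files\Vendor\tray.exe"',
     "Image": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath",
     "Details": r"C:\Windows\System32\spoolsv.exe",
     "Image": r"C:\Windows\System32\services.exe"},
]


def extract_paths(command):
    """All Windows file paths referenced by an autostart command line."""
    return [quoted or bare for quoted, bare in PATH_RE.findall(command.lower())]


def run_key_findings(events):
    """Return (value_name, severity, reasons) for suspicious Run-key writes."""
    findings = []
    for ev in events:
        if ev["EventID"] != 13 or not RUN_KEY_RE.search(ev["TargetObject"].lower()):
            continue
        paths = extract_paths(ev["Details"])
        reasons = []
        loads_dll = any(p.endswith(".dll") for p in paths)
        writable = any(w in p for p in paths for w in USER_WRITABLE)
        if loads_dll:
            reasons.append("autostart command loads a DLL")
        if writable:
            reasons.append("payload lives under a user-writable path")
        if any(w in ev["Image"].lower() for w in USER_WRITABLE):
            reasons.append("value written by a process running from a user-writable path")
        if not reasons:
            continue
        severity = "high" if loads_dll and writable else "medium"
        findings.append((ntpath.basename(ev["TargetObject"]), severity, reasons))
    return findings


if __name__ == "__main__":
    for name, severity, reasons in run_key_findings(RUN_KEY_EVENTS):
        print(f"{severity:6} {name}: {'; '.join(reasons)}")
```

Ordinary per-user software (the OneDrive entry above) will land at medium and needs an allowlist; the high tier, a DLL launched from AppData by a process that itself runs from AppData, is the combination worth paging on.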

Enterprise T1005 Data from Local System

LuminousMoth has collected files and data from compromised machines.[1][2]

Enterprise T1030 Data Transfer Size Limits

LuminousMoth has split archived files into multiple parts to bypass a 5MB limit.[2]

Enterprise T1587 .001 Develop Capabilities: Malware

LuminousMoth has used unique malware for information theft and exfiltration.[1][2]

Enterprise T1041 Exfiltration Over C2 Channel

LuminousMoth has used malware that exfiltrates stolen data to its C2 server.[1]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

LuminousMoth has exfiltrated data to Google Drive.[2]
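The two entries above (archives split to stay under a 5 MB cap, then uploaded to Google Drive) together produce a recognizable proxy-log pattern: one client making a run of POSTs to a cloud-storage host whose bodies are all sized just at the cap, followed by a smaller remainder chunk. The script below is an added detection example, not LuminousMoth code or MITRE content; the log line layout (timestamp, client IP, method, host, bytes sent), the upload host list and the log lines themselves are constructed assumptions.

```python
"""Flag runs of near-limit-size uploads to cloud storage from one client.

Added detection example. The proxy log format and the upload hostnames are
assumptions for this page; the sample lines are constructed.
"""
from collections import defaultdict

LIMIT = 5 * 1024 * 1024      # the cap the chunks are sized to (5 MB per the page)
TOLERANCE = 0.9              # chunks within 90-100% of the cap count as "sized to it"
MIN_CHUNKS = 3               # how many such chunks in a window before alerting
WINDOW_S = 600
CLOUD_HOSTS = {"drive.google.com", "www.googleapis.com"}   # assumed upload endpoints

# Constructed proxy log: 10.0.0.50 sends three 5 MB chunks and a 1 MB remainder.
SAMPLE_LOG = """\
1700000000 10.0.0.50 POST www.googleapis.com 5242880
1700000030 10.0.0.50 POST www.googleapis.com 5242880
1700000061 10.0.0.50 POST www.googleapis.com 5242880
1700000095 10.0.0.50 POST www.googleapis.com 1048576
1700000100 10.0.0.51 POST drive.google.com 5242880
1700000120 10.0.0.52 GET drive.google.com 512
"""


def parse_line(line):
    """timestamp, client, method, host, bytes_out -> typed tuple."""
    ts, src, method, host, size = line.split()
    return int(ts), src, method, host, int(size)


def find_chunked_uploads(lines, limit=LIMIT, tolerance=TOLERANCE,
                         min_chunks=MIN_CHUNKS, window_s=WINDOW_S, hosts=CLOUD_HOSTS):
    """Return {client: max number of near-limit uploads seen inside one window}."""
    per_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, method, host, size = parse_line(line)
        if method != "POST" or host not in hosts:
            continue
        if limit * tolerance <= size <= limit:
            per_src[src].append(ts)

    hits = {}
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding time window over the chunks
            while times[end] - times[start] > window_s:
                start += 1
            count = end - start + 1
            if count >= min_chunks:
                hits[src] = max(hits.get(src, 0), count)
    return hits


if __name__ == "__main__":
    print(find_chunked_uploads(SAMPLE_LOG.splitlines()))
```

The remainder chunk (the 1 MB line) is deliberately not counted; the signal is the run of bodies pinned at the cap. Tune `limit` to whatever cap the upload path enforces, since a different service or a different tool will hug a different number.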

Enterprise T1083 File and Directory Discovery

LuminousMoth has used malware that scans for files in the Documents, Desktop, and Download folders and in other drives.[1][2]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

LuminousMoth has used malware to store malicious binaries in hidden directories on victims' USB drives.[1]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

LuminousMoth has used legitimate executables such as winword.exe and igfxem.exe to side-load their malware.[1][2]
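Side-loading through winword.exe or igfxem.exe means a legitimate, signed host binary loads a DLL sitting next to it. Two checks catch that regardless of the DLL's name: the host binary is running from somewhere other than its install location, and the DLL next to it is not signed by the host's vendor. The second check matters because, as the Code Signing entry on this page notes, the group has shipped validly signed malware, so "signed" alone is not enough. The script below is an added detection example over constructed Sysmon-style image-load records (Event ID 7 field names are mimicked); it is not LuminousMoth code or MITRE content, and the host-to-vendor table and trusted directory list are assumptions.

```python
"""Flag DLL side-loading by known host executables.

Added detection example. Records mimic Sysmon Event ID 7 (ImageLoaded) fields
but are constructed; the expected-publisher table is an assumption.
"""
import ntpath  # parse Windows paths on any platform

# Host executables named on the page, mapped to the publisher whose DLLs
# they legitimately load (assumption for this example).
SIDELOAD_HOSTS = {
    "winword.exe": "microsoft",
    "igfxem.exe": "intel",
}
TRUSTED_DIRS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")

IMAGE_LOAD_EVENTS = [  # constructed sample events
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\wwlib.dll",
     "Signed": "true", "Signature": "Microsoft Corporation"},
    {"Image": r"C:\Users\victim\AppData\Roaming\Update\winword.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Roaming\Update\wwlib.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\igfxem.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\igfxext.dll",
     "Signed": "true", "Signature": "Some Other Publisher Ltd"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]


def sideload_findings(events):
    """Return (host_exe, dll_path, reasons) for suspicious same-directory loads."""
    findings = []
    for ev in events:
        exe, dll = ev["Image"], ev["ImageLoaded"]
        host = ntpath.basename(exe).lower()
        vendor = SIDELOAD_HOSTS.get(host)
        if vendor is None:
            continue
        exe_dir = ntpath.dirname(exe).lower()
        if exe_dir != ntpath.dirname(dll).lower():
            continue  # side-loading relies on the DLL sitting beside the host binary
        reasons = []
        if not exe_dir.startswith(TRUSTED_DIRS):
            reasons.append("host executable runs outside its install location")
        if ev["Signed"].lower() != "true":
            reasons.append("loaded DLL is unsigned")
        elif vendor not in ev["Signature"].lower():
            reasons.append("DLL signer does not match the host's vendor")
        if reasons:
            findings.append((host, dll, reasons))
    return findings


if __name__ == "__main__":
    for host, dll, reasons in sideload_findings(IMAGE_LOAD_EVENTS):
        print(f"{host} <- {dll}: {'; '.join(reasons)}")
```

Only same-directory loads are examined, which keeps the rule focused on the side-loading pattern; DLL search-order hijacking from a different directory needs a separate rule. The third sample event shows why the signer comparison is there: a validly signed DLL from an unrelated publisher still fires.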

Enterprise T1105 Ingress Tool Transfer

LuminousMoth has downloaded additional malware and tools onto a compromised host.[1][2]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

LuminousMoth has disguised their exfiltration malware as ZoomVideoApp.exe.[1]

Enterprise T1112 Modify Registry

LuminousMoth has used malware that adds Registry keys for persistence.[1][2]

Enterprise T1588 .001 Obtain Capabilities: Malware

LuminousMoth has obtained and used malware such as Cobalt Strike.[1][2]

.002 Obtain Capabilities: Tool

LuminousMoth has obtained an ARP spoofing tool from GitHub.[2]

.004 Obtain Capabilities: Digital Certificates

LuminousMoth has used a valid digital certificate for some of their malware.[1]

Enterprise T1566 .002 Phishing: Spearphishing Link

LuminousMoth has sent spearphishing emails containing a malicious Dropbox download link.[1]

Enterprise T1091 Replication Through Removable Media

LuminousMoth has used malicious DLLs to spread malware to connected removable USB drives on infected machines.[1][2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

LuminousMoth has created scheduled tasks to establish persistence for their tools.[2]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

LuminousMoth has hosted malicious payloads on Dropbox.[1]

.004 Stage Capabilities: Drive-by Target

LuminousMoth has redirected compromised machines to an actor-controlled webpage through HTML injection.[2]

.005 Stage Capabilities: Link Target

LuminousMoth has created a link to a Dropbox file that has been used in their spear-phishing operations.[1]

Enterprise T1539 Steal Web Session Cookie

LuminousMoth has used an unnamed post-exploitation tool to steal cookies from the Chrome browser.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

LuminousMoth has signed their malware with a valid digital signature.[1]

Enterprise T1033 System Owner/User Discovery

LuminousMoth has used a malicious DLL to collect the username from compromised hosts.[2]

Enterprise T1204 .001 User Execution: Malicious Link

LuminousMoth has lured victims into clicking malicious Dropbox download links delivered through spearphishing.[1]

Software

ID Name References Techniques
S0154 Cobalt Strike [1][2] Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation
S0013 PlugX [1][2] Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Hijack Execution Flow: DLL Side-Loading, Hijack Execution Flow: DLL Search Order Hijacking, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Modify Registry, Native API, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information, Process Discovery, Query Registry, Screen Capture, System Network Connections Discovery, Trusted Developer Utilities Proxy Execution: MSBuild, Virtualization/Sandbox Evasion: System Checks, Web Service: Dead Drop Resolver

References