wonderfully unique software solutions

Kaspersky: Luminous Moth under microscope as USB and Zoom threat

Kaspersky, vendor of Kaspersky Total Security, has profiled the so-called Luminous Moth advanced persistent threat to USB drives and Zoom users in its regular threat intelligence report.

According to Kaspersky‘s Mark Lechtik, Paul Rascagneres and Aseel Kayal, the Luminous Moth attacks represents a precise yet sweeping high-volume attack on a chosen few.

“Most notably though, we observed the capability of the culprit to spread to other hosts through the use of USB drives,” they write.

“In some cases, this was followed by deployment of a signed, but fake version of the popular application Zoom, which was in fact malware enabling the attackers to exfiltrate files from the compromised systems.”

According to Kaspersky, the “sheer volume” of the attacks may be caused by a rapid replication through removable devices or by an unknown infection vector such as a watering hole or another kind of supply chain attack.

Watering hole attacks operate by identifying a website frequented by users within an organisation or even an entire sector, such as defence, government or healthcare, that the malicious actor wishes to target.

Kaspersky’s Mark Lechtik, Paul Rascagneres and Aseel Kayal write that a set of targets can be handpicked with almost surgical precision. Infection vectors, malicious implants and payloads can be tailored to victim identities or environments.

“It’s not often we observe a large-scale attack conducted by actors fitting this profile, usually due to such attacks being noisy, and thus putting the underlying operation at risk of being compromised by security products or researchers,” they explain.

Kaspersky has observed Luminous Moth attacks originating in South-East Asia as far back as October 2020, with most early sightings in Myanmar but tending more now to come from the Philippines, where there are “now more than ten times as many known targets”.

An attack could begin with a spear-phishing email including access to a Dropbox download. This link, in observed instances, leads to a malicious .RAR archive disguised as a Microsoft Word document. It can then attempt to spread via removable USB drives via, for example, Microsoft Silverlight executable sllauncher.exe, or wwlib.dll.

Luminous Moth has an affinity with the HoneyMyte/Mustang Panda group of threats.

“In fact, our colleagues at ESET and Avast recently assessed that HoneyMyte was active in the same region. The proximity in time and common occurrence in Myanmar of both campaigns could suggest that various tactics, techniques and procedures (TTPs) of HoneyMyte may have been borrowed for the activity of Luminous Moth.”

The blog post goes on to profile many more specifics of Luminous Moth, including its infection chain and toolset.

( Photo by James Wainscoat on Unsplash )

Recent Articles

SCORM compliance and why it matters for e-learning

Learning management systems (LMS) and e-training content that comply with the Shareable Content Object Reference Model (SCORM) help ensure consistency across corporate...

LastPass signs new CIO for passwordless innovation versus AI threat

Password management software vendor LastPass has hired a new chief information officer (CIO) to drive sales, anticipating demand in line with potential...

Miro rolls out Enterprise Guard to solve puzzle of compliant visual collaboration

Digital whiteboard software company Miro has unveiled a security and compliance layer for organisations using its software for teams working collaboratively, especially...

How Stormshield IPsec protects customers via Diffusion Restreinte

Civilian companies can benefit from adoption of cybersecurity with the French government's 'Diffusion Restreinte' label, not just military and government organisations or...

GFI seeks to grow MSP opportunity in expanded EMEA channel

GFI Software has been ramping up its marketing around the managed services provider (MSP) opportunity, building out its channel, developing its offerings...

Related Stories

Leave A Reply

Please enter your comment!
Please enter your name here

Weirdware monthly - Get the latest news in your inbox