Firm uncovers Chinese 'wide-scale' malware campaign vs Filipino internet users, gov't


Posted at Jul 14 2021 08:57 PM

MANILA — Cybersecurity experts have uncovered a "rare, wide-scale" advanced persistent threat (APT) drive by Chinese "actors" against internet users in Southeast Asia, particularly in the Philippines.

Cybersecurity firm Kaspersky, in its report released Wednesday, said it identified 100 victims in Myanmar and 1,400 in the Philippines, including government entities, that have fallen prey to spear-phishing emails containing malicious Word documents.

According to Kaspersky, after users download the malicious file on one system, malware can spread to other hosts through removable USB drives

The firm said APT campaigns usually target a few dozen users, but the recent discovery of such threats in Southeast Asia was extraordinary.

"This cluster of activity — dubbed LuminousMoth — has been conducting cyberespionage attacks against government entities since at least October 2020. While initially focusing their attention on Myanmar, the attackers have since shifted their focus to the Philippines," Kaspersky said.

According to Aseel Kayal, a researcher of the Global Research and Analysis Team Security group, the shift of focus could be due to use of USB drives as spreading tools, or an infection vector that "we’re not yet aware of being used in the Philippines."

Kaspersky noted attackers usually use spear-phishing emails to "gain an initial foothold in the system."

"Once clicked, this link downloads a RAR archive disguised as a Word document that contains the malicious payload," it said.

The LuminousMoth then will try to infect other hosts through removable USB drives or other portable drives.

"If a drive is found, the malware creates hidden directories on the drive, where it then moves all of the victim’s files, along with the malicious executables," it said.

The cyber infection uses a bogus version of Zoom and another steals cookies from the Chrome browser before the malware withdraws data to the command and control (C2) server, the firm explained.

"For the targets in Myanmar, these C2 servers were often domains that impersonated known news outlets," Kaspersky said.

Its experts pinned the malicious activity on a group called "HoneyMyte", which the firm said was a "well-known, long-standing, Chinese-speaking threat actor, with medium to high confidence."

"HoneyMyte is primarily interested in gathering geopolitical and economic intelligence in Asia and Africa," Kaspersky said.

Mark Lechtik, senior security researcher with the Global Research and Analysis Team, said the recent APT discovery in Southeast Asia points to a trend of Chinese hackers producing new and unknown malware.

“We’re seeing increased activity by Chinese-speaking threat actors this past year, and this most likely won’t be the last of LuminousMoth. In addition, there’s a high chance the group will begin to further sharpen its toolset. We’ll be keeping an eye out for any future developments,” said Paul Rascagneres, a GReAT senior security researcher.

Last month, the Philippine Institute of Cyber Security Professionals (PICSPro) urged government to train new cybersecurity experts and upskill current practitioners as threats escalate and expertise remains "disproportionately inadequate."

Costs of ransomware attacks on Philippine firms have risen by 42 percent compared to 30 percent last year, PICSPro said, citing a UK-based study.


Watch more on iWantTFC