Cybersecurity firm detects Chinese-speaking malware attacking Philippine gov’t entities, users

July 19, 2021 - 8:00 PM
A man types on a computer keyboard in front of the displayed cyber code in this illustration picture taken March 1, 2017. Reuters/Kacper Pempel/Illustration/File Photo

Cybersecurity experts have detected a “rare and wide-scale” advanced persistent threat (APT) campaign by Chinese-speaking “actors” against users in Southeast Asia, especially in the Philippines and Myanmar.

A report by cybersecurity firm Kaspersky said that the attacks have targeted 100 victims in Myanmar and 1,400 in the Philippines, including government entities, infected via spear-phishing emails carrying a malicious Word document.

Once downloaded onto a system, the malware spreads to other hosts through removable Universal Serial Bus (USB) drives.

The company noted that APT campaigns usually hit only a few dozen users, which makes the scale of the recent activity in the region unusual.

Since October 2020, the cluster of activity dubbed LuminousMoth has been “conducting cyberespionage attacks against government entities.”

While initially focusing their attention on Myanmar, the tech firm said the attackers have shifted their focus to the Philippines.

Aseel Kayal, a security researcher with Kaspersky’s Global Research and Analysis Team, stressed that this stems from the use of USB drives as a spreading tool, an infection vector that “we are not yet aware of being used in the Philippines.”

The attackers typically “gain an initial foothold in the system through a spear-phishing email with a Dropbox download link.”

“Once clicked, this link downloads a RAR archive disguised as a Word document that contains the malicious payload,” it said.

LuminousMoth then attempts to infect other hosts through removable USB drives.

“If a drive is found, the malware creates hidden directories on the drive, where it then moves all of the victim’s files, along with the malicious executables,” it added.
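The USB behaviour described above gives a defender something concrete to look for: a hidden directory at the root of a removable drive that holds the user’s own documents side by side with executables. The script below is an added example and not Kaspersky’s code or any LuminousMoth artefact; it builds a constructed sample drive layout in a temporary directory and then scans it with that heuristic. The directory and file names, the suffix lists, and the rule that documents plus executables inside one hidden directory is suspicious are all assumptions made for the example.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# Assumed file classes: what counts as a "victim document" and as an executable.
DOCUMENT_SUFFIXES = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".scr", ".com", ".bat", ".lnk"}


def is_hidden(path: Path) -> bool:
    """Hidden if the name starts with a dot (POSIX convention) or, on Windows,
    if the FILE_ATTRIBUTE_HIDDEN bit is set (st_file_attributes only exists there)."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def scan_removable_drive(root: os.PathLike) -> List[Dict]:
    """Return one finding per hidden top-level directory that contains both
    user documents and executables; benign hidden folders (e.g. an empty
    system metadata directory) produce no finding."""
    root = Path(root)
    findings = []
    # Visible files left at the drive root; the article says the victim's
    # files are moved away, so a near-empty root strengthens the signal.
    visible_root_files = [p for p in root.iterdir() if p.is_file() and not is_hidden(p)]
    for entry in root.iterdir():
        if not entry.is_dir() or not is_hidden(entry):
            continue
        docs, exes = [], []
        for f in entry.rglob("*"):
            if not f.is_file():
                continue
            suffix = f.suffix.lower()
            if suffix in EXECUTABLE_SUFFIXES:
                exes.append(f.name)
            elif suffix in DOCUMENT_SUFFIXES:
                docs.append(f.name)
        if docs and exes:
            findings.append({
                "hidden_dir": entry.name,
                "documents": sorted(docs),
                "executables": sorted(exes),
                "visible_root_files": len(visible_root_files),
            })
    return findings


def build_sample_drive() -> Path:
    """Constructed sample layout (not a real capture): one hidden directory
    holding relocated documents plus an executable, one benign hidden
    directory, and one ordinary visible folder."""
    base = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    bad = base / ".hidden_data"            # assumed name for the example
    bad.mkdir()
    for name in ("report.docx", "budget.xlsx", "update.exe"):
        (bad / name).write_bytes(b"sample")
    (base / ".Trashes").mkdir()             # benign, empty hidden folder
    photos = base / "photos"
    photos.mkdir()
    (photos / "holiday.jpg").write_bytes(b"sample")
    return base


if __name__ == "__main__":
    drive = build_sample_drive()
    for finding in scan_removable_drive(drive):
        print(f"suspicious hidden directory {finding['hidden_dir']!r}: "
              f"{len(finding['documents'])} documents, executables {finding['executables']}")
```

To use it on a real mounted drive, pass the mount point (for example `E:\` or `/media/usb`) to `scan_removable_drive` instead of the constructed tree; a finding is a prompt for closer inspection of the named executables, not proof of infection, since some backup tools also keep copies of user files in hidden folders.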

Kaspersky warned that the malware also has two post-exploitation tools that can in turn be used for lateral movement.

“One consists of a signed, fake version of Zoom and another steals cookies from the Chrome browser. Once on the device, LuminousMoth proceeds to exfiltrate data to the command and control (C2) server,” the cybersecurity firm said.

“For the targets in Myanmar, these C2 servers were often domains that impersonated known news outlets,” it added.

Kaspersky experts attribute LuminousMoth to the HoneyMyte threat group, which it said refers to a “well-known, long-standing, Chinese-speaking threat actor, with medium to high confidence.”

“HoneyMyte is primarily interested in gathering geopolitical and economic intelligence in Asia and Africa,” it said.

Mark Lechtik, senior security researcher with the Global Research and Analysis Team, said the recent APT discovery in Southeast Asia indicates a trend of Chinese-speaking hackers developing new, previously unknown malicious activity.

“The massive scale of the attack is quite rare. It’s also interesting that we’ve seen far more attacks in the Philippines than in Myanmar,” Lechtik said.

Paul Rascagneres, senior security researcher with Kaspersky’s Global Research and Analysis Team, said the firm will monitor any developments of the malware.

“We’re seeing increased activity by Chinese-speaking threat actors this past year, and this most likely won’t be the last of LuminousMoth. In addition, there’s a high chance the group will begin to further sharpen its toolset. We’ll be keeping an eye out for any future developments,” Rascagneres said.

The cybersecurity firm urged internet users and organizations to undertake basic cybersecurity hygiene training, conduct cybersecurity audits of their networks, and install anti-APT solutions.

The Philippine Institute of Cyber Security Professionals called on the government to train new cybersecurity professionals as threats intensify and expertise stays “disproportionately inadequate.”

In Kaspersky’s 2020 Security Network report, the Philippines ranked 6th in the global list of countries with the most web threats recorded.