Earth Lusca: Revealing a Worldwide Cyberespionage Operation


Since 2019, a threat actor dubbed "Earth Lusca" has successfully targeted dozens of organizations worldwide in large cyberespionage campaigns. Its targets include governments, educational institutions, media companies and COVID-19 research organizations, amongst others.
In those campaigns, the infamous Winnti and ShadowPad malware families were frequently used, which misled the research community because of overlaps with other threat actors such as APT41. Yet we have been able to identify, with high confidence, independent infrastructure and distinct TTPs, and could attribute those campaigns to Earth Lusca.
Earth Lusca targeted victims via spear-phishing emails, watering-hole attacks and web server compromises. The threat actor built its infrastructure from both rented VPS servers and compromised web servers, using them to scan public-facing servers, host malicious payloads and handle C&C communication. Cobalt Strike was the backdoor used most often in the initial stage of their attacks. Various hacking tools and custom malware were leveraged to maintain access to compromised environments and to conduct lateral movement.
In this talk, we will share the details of Earth Lusca's operations, including an analysis of their infrastructure, a disassembly of their attack payloads, and the diverse techniques they used during lateral movement and data exfiltration.


Joseph Chen

Joseph Chen is a threat researcher at Trend Micro. He specializes in threat hunting, network forensics and malware analysis. He is interested in developing threat intelligence systems and processes to discover unknown threats in large-scale datasets. Over the past years, he has researched various types of attacks and published his findings in several blog posts, whitepapers and conference talks.