New China-based threat group Earth Lusca targets numerous industries

February 11, 2022

Researchers have discovered a new China-based threat group called Earth Lusca, which has reportedly been spying on strategic targets and carrying out several financially motivated attacks over the past couple of years.

Although the group has attacked several industries before, researchers found that it originated and operated inside Chinese territory, making it the newest addition to the long list of threat groups from China.

Experts believe that Earth Lusca has recently been spying on targets that could be of interest to the Chinese government.

With the aim of gathering intelligence and data, the threat actors' campaigns usually targeted education, media, COVID-19 research, telecom, religious institutions, and government across multiple nations, including the Philippines, Taiwan, Vietnam, Thailand, Nigeria, Mongolia, UAE, and many more.

Earth Lusca has also conducted several financially motivated campaigns against gambling entities in different cryptocurrency platforms and gambling organisations inside China. Most of its attack strategies and vectors are shared with another advanced persistent threat group called APT41.

Moreover, in most of its attacks, Earth Lusca has used a version of Cobalt Strike on infected hosts to distribute additional malware such as Winnti, FunnySwitch, ShadowPad, Behinder, Doraemon, and AntSword.

Cybersecurity researchers analysed the recent campaigns of Earth Lusca and disclosed three attack methods used by the threat actors against their targets.

First, the threat actors abuse unpatched flaws in web applications and public-facing servers. Second, in fewer cases, Earth Lusca sends spear-phishing emails containing links to malicious websites or files.

Lastly, the threat actors use watering hole attacks, in which they lure targets to compromised sites that deliver malware to the victims' systems.

Earth Lusca poses a great threat to many significant industries. The most effective defence against the group would be to concentrate on shared threat intelligence and employ competent cybersecurity providers to detect it better.
