Earth Lusca | APT Profile

Description

[Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022)

Techniques Used (TTPs)

T1583.006 — Web Services (resource-development)
T1027.003 — Steganography (defense-evasion)
T1608.001 — Upload Malware (resource-development)
T1098.004 — SSH Authorized Keys (persistence, privilege-escalation)
T1003.006 — DCSync (credential-access)
T1059.005 — Visual Basic (execution)
T1189 — Drive-by Compromise (initial-access)
T1018 — Remote System Discovery (discovery)
T1584.006 — Web Services (resource-development)
T1059.007 — JavaScript (execution)
T1210 — Exploitation of Remote Services (lateral-movement)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
T1583.001 — Domains (resource-development)
T1033 — System Owner/User Discovery (discovery)
T1547.012 — Print Processors (persistence, privilege-escalation)
T1059.001 — PowerShell (execution)
T1059.006 — Python (execution)
T1057 — Process Discovery (discovery)
T1053 — Scheduled Task/Job (execution, persistence, privilege-escalation)
T1574.001 — DLL (persistence, privilege-escalation, defense-evasion)
T1112 — Modify Registry (defense-evasion, persistence)
T1047 — Windows Management Instrumentation (execution)
T1003.001 — LSASS Memory (credential-access)
T1218.005 — Mshta (defense-evasion)
T1482 — Domain Trust Discovery (discovery)
T1567.002 — Exfiltration to Cloud Storage (exfiltration)
T1548.002 — Bypass User Account Control (privilege-escalation, defense-evasion)
T1588.002 — Tool (resource-development)
T1007 — System Service Discovery (discovery)
T1204.002 — Malicious File (execution)
T1190 — Exploit Public-Facing Application (initial-access)
T1090 — Proxy (command-and-control)
T1027 — Obfuscated Files or Information (defense-evasion)
T1543.003 — Windows Service (persistence, privilege-escalation)
T1566.002 — Spearphishing Link (initial-access)
T1560.001 — Archive via Utility (collection)
T1583.004 — Server (resource-development)
T1049 — System Network Connections Discovery (discovery)
T1595.002 — Vulnerability Scanning (reconnaissance)
T1016 — System Network Configuration Discovery (discovery)
T1588.001 — Malware (resource-development)
T1584.004 — Server (resource-development)
T1204.001 — Malicious Link (execution)

Total TTPs: 44

Malware & Tools

Malware: Cobalt Strike, ShadowPad, Winnti for Linux

Tools: Mimikatz, NBTscan, Nltest, PowerSploit, Tasklist, certutil

← Return to Home ← Back to APT Search