LuminousMoth | APT Profile

Description

[LuminousMoth](https://attack.mitre.org/groups/G1014) is a Chinese-speaking cyber espionage group that has been active since at least October 2020. [LuminousMoth](https://attack.mitre.org/groups/G1014) has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a connection between [LuminousMoth](https://attack.mitre.org/groups/G1014) and [Mustang Panda](https://attack.mitre.org/groups/G0129) based on similar targeting and TTPs, as well as network infrastructure overlaps.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)

Techniques Used (TTPs)

T1539 — Steal Web Session Cookie (credential-access)
T1567.002 — Exfiltration to Cloud Storage (exfiltration)
T1566.002 — Spearphishing Link (initial-access)
T1588.001 — Malware (resource-development)
T1030 — Data Transfer Size Limits (exfiltration)
T1564.001 — Hidden Files and Directories (defense-evasion)
T1608.001 — Upload Malware (resource-development)
T1091 — Replication Through Removable Media (lateral-movement, initial-access)
T1041 — Exfiltration Over C2 Channel (exfiltration)
T1608.004 — Drive-by Target (resource-development)
T1608.005 — Link Target (resource-development)
T1587.001 — Malware (resource-development)
T1071.001 — Web Protocols (command-and-control)
T1105 — Ingress Tool Transfer (command-and-control)
T1557.002 — ARP Cache Poisoning (credential-access, collection)
T1588.002 — Tool (resource-development)
T1005 — Data from Local System (collection)
T1204.001 — Malicious Link (execution)
T1574.001 — DLL (persistence, privilege-escalation, defense-evasion)
T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
T1083 — File and Directory Discovery (discovery)
T1033 — System Owner/User Discovery (discovery)
T1560 — Archive Collected Data (collection)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
T1112 — Modify Registry (defense-evasion, persistence)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1588.004 — Digital Certificates (resource-development)
T1553.002 — Code Signing (defense-evasion)

Total TTPs: 28

Malware & Tools

Malware: Cobalt Strike, PlugX

← Return to Home ← Back to APT Search