LuminousMoth APT Goes after Targets in the Philippines and Myanmar

Cybersecurity experts have been tracking a new malware campaign that targets users in Asia. So far, the criminals behind this operation have relied exclusively on spearphishing emails. Their campaign has managed to infect over 1,400 victims in the Philippines and about 100 in Myanmar. The criminals, tracked under the alias LuminousMoth APT, might be a subdivision of a larger Advanced Persistent Threat (APT) group active in the region, HoneyMyte. Another recent attack against users and organizations in Myanmar involved the KilllSomeOne Malware.

LuminousMoth APT's Payload Spread Through Hijacked USB Drives

The hackers host their payload on the Dropbox service and place a link to it in the spearphishing emails. The file that recipients end up downloading is a RAR archive that has been disguised to look like a Microsoft Word document. Once running, the malicious implant begins to exfiltrate data to the attackers' server. It can also spread laterally by planting its payload on connected USB drives. Its other abilities include stealing data from the Google Chrome browser and disguising itself as a version of the popular Zoom app.
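One way a mail gateway or download-triage script could catch the disguised archive described above, as an added example that is not part of the original article: it compares a file's leading bytes with what its name advertises. It assumes the disguise is name-based (a Word extension somewhere in the file name); the function names, verdict strings, and sample names and bytes are constructed.

```python
from pathlib import PurePath

# File signatures (magic bytes) at offset 0.
RAR_PREFIX = b"Rar!\x1a\x07"                 # shared by RAR4 and RAR5 headers
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc container
ZIP = b"PK\x03\x04"                          # .docx / .docm container

# Container each Word extension should really have.
EXPECTED = {".doc": "ole2", ".docx": "zip", ".docm": "zip"}


def sniff(head: bytes) -> str:
    """Classify a file by its leading bytes."""
    if head.startswith(RAR_PREFIX):
        return "rar"
    if head.startswith(OLE2):
        return "ole2"
    if head.startswith(ZIP):
        return "zip"
    return "unknown"


def triage(name: str, head: bytes) -> str:
    """Compare what the file name advertises with what the bytes are."""
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    # Any Word extension in the name counts, so "x.docx.rar" is covered too.
    if not any(s in EXPECTED for s in suffixes):
        return "not-word"
    kind = sniff(head)
    if kind == "rar":
        return "rar-disguised-as-word"
    if EXPECTED.get(suffixes[-1]) == kind:
        return "ok"
    return "mismatch"


# Constructed samples: (file name, first bytes of the file).
SAMPLES = [
    ("meeting notes.docx", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 8),
    ("meeting notes.DOCX.rar", b"Rar!\x1a\x07\x00" + b"\x00" * 8),
    ("budget.docx", ZIP + b"\x14\x00\x06\x00"),
    ("legacy.doc", OLE2 + b"\x00" * 8),
    ("legacy.doc", ZIP + b"\x14\x00"),
    ("photos.rar", b"Rar!\x1a\x07\x01\x00"),
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        print(f"{triage(name, head):24} {name}")
```

A self-extracting archive starts with an executable header rather than the RAR signature, so it would surface here as `mismatch` rather than `rar-disguised-as-word`.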

LuminousMoth APT's data theft operation is simple: it scans the hard drive for specific file formats and then transfers them to the attackers' server. It does this periodically and runs extra checks to ensure that it does not copy data that already exists. Surprisingly, the browser stealer component is very simplistic, considering the scope of the attack. It only targets Google Chrome, and it only tries to steal cookies rather than other information.

So far, researchers have been unable to pinpoint why the operation seems to be so much more successful in the Philippines than in Myanmar. LuminousMoth APT's espionage operations, network infrastructure, and other resources overlap significantly with the traits of the HoneyMyte APT.
