A new threat actor, dubbed Earth Lusca, has been observed attacking high-value targets across the world, according to recently released research. Earth Lusca has been seen attacking various types of organizations, such as government and educational institutions, religious movements, human rights organizations, and COVID-19 research centers. Earth Lusca is believed to be part of the larger Winnti threat group, a China-based threat actor that is made up of a number of linked groups rather than a single discrete entity.
Earth Lusca’s main infection vectors include spear-phishing and watering hole attacks, as well as exploitation of well-known vulnerabilities in public-facing applications. Earth Lusca has been seen exploiting the Microsoft Exchange vulnerability known as ProxyShell, as well as multiple vulnerabilities in Oracle’s GlassFish software. After a successful infection by either method, Earth Lusca has been observed dropping Cobalt Strike payloads as its primary means of maintaining a foothold on the device and performing post-exploitation activity. In addition to Cobalt Strike, Earth Lusca has been seen deploying Doraemon, ShadowPad, and Winnti malware, as well as cryptocurrency miners in some cases.
An investigation into the organizations targeted by Earth Lusca reveals that the victim entities may be of strategic interest to the Chinese government. The motivations behind the Earth Lusca threat group are believed to be cyberespionage and financial gain.
It is highly recommended that organizations make sure security patches are applied to systems, particularly any public-facing applications, as they are released. In this case, verifying that any Microsoft Exchange deployments have been patched for ProxyShell and that any Oracle GlassFish instances are up to date would help prevent Earth Lusca from gaining a foothold in the network. Proper user training and email-based security controls can also help prevent a threat actor from gaining a foothold in a network via email-based phishing attacks. If a threat actor does establish an initial foothold, it is important to have appropriate EDR and detection capabilities configured for the environment to help detect or prevent any post-compromise activity that threat actors perform. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with this detection need.