A new threat actor, dubbed Earth Lusca, has been observed attacking high-value targets across the world, according to recently released research. Earth Lusca has been seen attacking various types of organizations, such as government and educational institutions, religious movements, human rights organizations, and COVID-19 research centers. Earth Lusca is believed to be part of the larger Winnti threat group, a China-based threat actor that is made up of a number of linked groups rather than a single discrete entity.
Earth Lusca’s main infection vectors include spear-phishing and watering hole attacks, as well as leveraging well-known vulnerabilities in public-facing applications. Earth Lusca has been seen exploiting the Microsoft Exchange vulnerability known as ProxyShell, as well as multiple vulnerabilities in Oracle’s GlassFish software. After gaining access through any of these methods, Earth Lusca has been observed dropping Cobalt Strike payloads as its primary means of maintaining a foothold on the device and performing post-exploitation activity. In addition to Cobalt Strike, Earth Lusca has been seen deploying Doraemon, ShadowPad, and Winnti malware, as well as cryptocurrency miners in some cases.
An investigation into the organizations targeted by Earth Lusca reveals that the victim entities may be of strategic interest to the Chinese government. The motivations behind the Earth Lusca threat group are believed to be cyberespionage and financial gain.