Earth Lusca
Earth Lusca is an intrusion set that has been observed by Trend Micro since 2021. The group uses spear phishing and watering holes to gain initial access to targets and has been observed using the Winnti malware.
The group's targets include government, pro-democracy and human rights organizations in Hong Kong, educational institutions and more, primarily for espionage purposes.
Trend Micro also reports instances of the group conducting financially motivated attacks against gambling and cryptocurrency companies.
Earth Lusca Threat Reports
Earth Lusca Uses Geopolitical Lure to Target Taiwan Before Elections
Blog post from researchers at Trend Micro discussing Earth Lusca and potential links to Chinese contractor I-Soon. Earth Lusca is a China-linked ...
References
https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf
https://www.trendmicro.com/en_us/research/22/a/earth-lusca-sophisticated-infrastructure-varied-tools-and-techni.html
https://www.trendmicro.com/en_us/research/24/b/earth-lusca-uses-geopolitical-lure-to-target-taiwan.html
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1564.001 | Hidden Files and Directories | Defense Evasion |
T1140 | Deobfuscate/Decode Files or Information | Defense Evasion |
T1083 | File and Directory Discovery | Discovery |
T1027.012 | LNK Icon Smuggling | Defense Evasion |
T1001 | Data Obfuscation | Command and Control |
T1027.009 | Embedded Payloads | Defense Evasion |
T1059.003 | Windows Command Shell | Execution |
T1204.001 | Malicious Link | Execution |
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1059.007 | JavaScript | Execution |
T1204.002 | Malicious File | Execution |
T1036.007 | Double File Extension | Defense Evasion |
T1573 | Encrypted Channel | Command and Control |
T1132 | Data Encoding | Command and Control |
T1027.002 | Software Packing | Defense Evasion |
T1202 | Indirect Command Execution | Defense Evasion |
T1574.001 | DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |
T1566.002 | Spearphishing Link | Initial Access |