
Trend Micro : Earth Lusca Employs Sophisticated Infrastructure, Varied Tools and Techniques

01/17/2022 | 07:35am EDT

Since mid-2021, we have been investigating a rather elusive threat actor called Earth Lusca that targets organizations globally via a campaign that uses traditional social engineering techniques such as spear phishing and watering holes. The group's primary motivation seems to be cyberespionage: the list of its victims includes high-value targets such as government and educational institutions, religious movements, pro-democracy and human rights organizations in Hong Kong, Covid-19 research organizations, and the media, among others. However, the threat actor also seems to be financially motivated, as it has also taken aim at gambling and cryptocurrency companies.

Previous research into the group's activities attributed it to other threat actors such as the Winnti group because of its use of malware such as Winnti. Despite some similarities, we consider Earth Lusca a separate threat actor (we do have evidence, however, that the group is part of the "Winnti cluster," which is made up of different groups that share a country of origin and aspects of their TTPs).

The technical brief provides an in-depth look at Earth Lusca's activities, the tools it employs in attacks, and the infrastructure it uses.

Infrastructure and operating model

Earth Lusca's infrastructure can essentially be grouped into two "clusters." The first cluster is built using virtual private servers (VPS), rented from a service provider, that are used for the group's watering hole and spear phishing operations, in addition to acting as a command-and-control (C&C) server for malware.

The second cluster is made up of compromised servers running old, open-source versions of Oracle GlassFish Server. Interestingly, this second cluster performs a different role in an Earth Lusca attack - it acts as a scanning tool that searches for vulnerabilities in public-facing servers and builds traffic tunnels within the target's network. Like the first cluster, it also serves as a C&C server, this time for Cobalt Strike.

It's possible that the group used portions of its infrastructure (particularly the scanning aspects) for diversion in order to trick security staff into focusing on the wrong parts of the network.

Figure 1. An overview of Earth Lusca's infrastructure

Social engineering and vulnerability exploitation techniques

The group has three primary attack vectors, two of which involve social engineering. The social engineering techniques can be broken down into spear phishing emails and watering hole websites.

Our telemetry data shows Earth Lusca sending spear phishing emails containing malicious links to one of its targets, a media company. These links lead to files disguised either as documents that would be of interest to the potential target or as opinion forms allegedly coming from another media organization. The user ends up downloading an archive file containing either a malicious LNK file or an executable, which in turn leads to a Cobalt Strike loader.

In addition to spear phishing emails, Earth Lusca also made use of watering hole websites: it either compromised websites belonging to its targets or set up fake web pages copied from legitimate websites, and then injected malicious JavaScript code into them. Links to these websites are then sent to the victims (although we were not able to definitively pinpoint how this was done).

In one incident, the group injected a malicious script into the compromised HR system of a target organization. This script was designed to show a social engineering message, typically a Flash update popup or a DNS error (note that Adobe discontinued Flash Player at the end of December 2020), that then instructed the visitor to download a malicious file, which turned out to be a Cobalt Strike loader.

Figure 2. Fake installation pop-up

The third attack vector used by Earth Lusca is the exploitation of vulnerabilities in its targets' public-facing applications, such as Microsoft Exchange ProxyShell and Oracle GlassFish. Once exploitation succeeds, Earth Lusca is free to perform its post-exploitation routines, which include the installation of tools such as Cobalt Strike and Acunetix (we discuss the post-exploitation routines in detail in the technical brief).

Malware used by Earth Lusca

Earth Lusca employs several malware families and other hacking tools in its arsenal. A common theme we've seen across its attack vectors is the use of Cobalt Strike loaders; indeed, Cobalt Strike is one of the group's preferred tools because of its wide range of post-exploitation capabilities. In this case, the Cobalt Strike shellcode that is dropped onto the target system is XOR-encoded and stored together with the corresponding key.

In addition to Cobalt Strike, Earth Lusca also uses malware such as Doraemon, a backdoor named after a Japanese manga character that has two C&C settings: a primary one specifying an IP address or DNS name, and a public website URL containing encrypted or clear-text C&C IP addresses that is used for persistence.

The group employs well-known malware such as ShadowPad and Winnti, as well as other tools such as cryptocurrency miners, as part of its operations. A more comprehensive list of these malware families and tools is found in the technical brief.

Security best practices can help defend against Earth Lusca attacks

Evidence points to Earth Lusca being a highly skilled and dangerous threat actor mainly motivated by cyberespionage and financial gain. However, the group still primarily relies on tried-and-true techniques to entrap a target. While this has its advantages (the techniques have already proven to be effective), it also means that security best practices, such as avoiding clicking on suspicious email or website links and keeping important public-facing applications updated, can minimize the impact of an Earth Lusca attack, or even stop it outright.

Read our technical brief to learn more about Earth Lusca and its activities.


Trend Micro Inc. published this content on 17 January 2022 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 17 January 2022 12:34:03 UTC.

© Publicnow 2022