
G1006 Earth Lusca

Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets have included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess that some Earth Lusca operations may be financially motivated. [1]

Earth Lusca has used malware commonly used by other Chinese threat groups, including APT41 and the Winnti Group cluster; however, security researchers assess that Earth Lusca's techniques and infrastructure are separate. [1]

ID: G1006
Associated Names: TAG-22
Version: 1.0
Created: 01 July 2022
Last Modified: 17 October 2022

Associated Group Descriptions

| Name | Description |
|---|---|
| TAG-22 | [2] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | Earth Lusca has used the Fodhelper UAC bypass technique to gain elevated privileges. [1] |
| enterprise | T1098 | Account Manipulation | - |
| enterprise | T1098.004 | SSH Authorized Keys | Earth Lusca has dropped an SSH authorized key into the /root/.ssh folder in order to access a compromised server over SSH. [1] |
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.001 | Domains | Earth Lusca has registered domains, intended to look like legitimate target domains, that have been used in watering hole attacks. [1] |
| enterprise | T1583.004 | Server | Earth Lusca has acquired multiple servers for some of their operations, using each server for a different role. [1] |
| enterprise | T1583.006 | Web Services | Earth Lusca has established GitHub accounts to host their malware. [1] |
| enterprise | T1595 | Active Scanning | - |
| enterprise | T1595.002 | Vulnerability Scanning | Earth Lusca has scanned for vulnerabilities in the public-facing servers of their targets. [1] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | Earth Lusca has used WinRAR to compress stolen files into an archive prior to exfiltration. [1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.012 | Print Processors | Earth Lusca has added the Registry key `HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\UDPrint` with `/v Driver /d "spool.dll" /f` to load malware as a Print Processor. [1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Earth Lusca has used PowerShell to execute commands. [1] |
| enterprise | T1059.005 | Visual Basic | Earth Lusca used VBA scripts. [1] |
| enterprise | T1059.006 | Python | Earth Lusca used Python scripts for port scanning or building reverse shells. [1] |
| enterprise | T1059.007 | JavaScript | Earth Lusca has manipulated legitimate websites to inject malicious JavaScript code as part of their watering hole operations. [1] |
| enterprise | T1584 | Compromise Infrastructure | - |
| enterprise | T1584.004 | Server | Earth Lusca has used compromised web servers as part of their operational infrastructure. [1] |
| enterprise | T1584.006 | Web Services | Earth Lusca has compromised Google Drive repositories. [1] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Earth Lusca created a service using the command `sc create "SysUpdate" binpath= "cmd /c start "[file path]""&&sc config "SysUpdate" start= auto&&net start SysUpdate` for persistence. [1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Earth Lusca has used certutil to decode a string into a cabinet file. [1] |
| enterprise | T1482 | Domain Trust Discovery | Earth Lusca has used Nltest to obtain information about domain controllers. [1] |
| enterprise | T1189 | Drive-by Compromise | Earth Lusca has performed watering hole attacks. [1] |
| enterprise | T1567 | Exfiltration Over Web Service | - |
| enterprise | T1567.002 | Exfiltration to Cloud Storage | Earth Lusca has used the megacmd tool to upload stolen files from a victim network to MEGA. [1] |
| enterprise | T1190 | Exploit Public-Facing Application | Earth Lusca has compromised victims by directly exploiting vulnerabilities in public-facing servers, including those associated with Microsoft Exchange and Oracle GlassFish. [1] |
| enterprise | T1210 | Exploitation of Remote Services | Earth Lusca has used Mimikatz to exploit a domain controller via the ZeroLogon exploit (CVE-2020-1472). [1] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.002 | DLL Side-Loading | Earth Lusca has placed a malicious payload in `%WINDIR%\SYSTEM32\oci.dll` so it would be sideloaded by the MSDTC service. [1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | Earth Lusca used the command `move [file path] c:\windows\system32\spool\prtprocs\x64\spool.dll` to move a malicious DLL and register it under a Windows print processor name, where it was eventually loaded by the Print Spooler service. [1] |
| enterprise | T1112 | Modify Registry | Earth Lusca modified the registry using the command `reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_SZ /d "[file path]"` for persistence. [1] |
| enterprise | T1027 | Obfuscated Files or Information | Earth Lusca used Base64 to encode strings. [1] |
| enterprise | T1027.003 | Steganography | Earth Lusca has used steganography to hide shellcode in a BMP image file. [1] |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.001 | Malware | Earth Lusca has acquired and used a variety of malware, including Cobalt Strike. [1] |
| enterprise | T1588.002 | Tool | Earth Lusca has acquired and used a variety of open source tools. [1] |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.001 | LSASS Memory | Earth Lusca has used ProcDump to obtain credential hashes by dumping the memory of the LSASS process. [1] |
| enterprise | T1003.006 | DCSync | Earth Lusca has used a DCSync command with Mimikatz to retrieve credentials from an exploited domain controller. [1] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.002 | Spearphishing Link | Earth Lusca has sent spearphishing emails to potential targets that contained a malicious link. [1] |
| enterprise | T1057 | Process Discovery | Earth Lusca has used Tasklist to obtain information from a compromised host. [1] |
| enterprise | T1090 | Proxy | Earth Lusca adopted Cloudflare as a proxy for compromised servers. [1] |
| enterprise | T1018 | Remote System Discovery | Earth Lusca used the command `powershell "Get-EventLog -LogName security -Newest 500 property * findstr "Address""` to find the network information of successfully logged-in accounts in order to discover the addresses of other machines. Earth Lusca has also used multiple scanning tools to discover other machines within the same compromised network. [1] |
| enterprise | T1053 | Scheduled Task/Job | Earth Lusca used the command `schtasks /Create /SC ONLOgon /TN WindowsUpdateCheck /TR "[file path]" /ru system` for persistence. [1] |
| enterprise | T1608 | Stage Capabilities | - |
| enterprise | T1608.001 | Upload Malware | Earth Lusca has staged malware and malicious files on compromised web servers, GitHub, and Google Drive. [1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.005 | Mshta | Earth Lusca has used mshta.exe to load an HTA script within a malicious .LNK file. [1] |
| enterprise | T1016 | System Network Configuration Discovery | Earth Lusca used the command `ipconfig` to obtain information about network configurations. [1] |
| enterprise | T1049 | System Network Connections Discovery | Earth Lusca employed a PowerShell script called RDPConnectionParser to read and filter the Windows event log "Microsoft-Windows-TerminalServices-RDPClient/Operational" (Event ID 1024) to obtain network information from RDP connections. Earth Lusca has also used netstat from a compromised system to obtain network connection information. [1] |
| enterprise | T1033 | System Owner/User Discovery | Earth Lusca collected information on user accounts via the `whoami` command. [1] |
| enterprise | T1007 | System Service Discovery | Earth Lusca has used Tasklist to obtain information from a compromised host. [1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | Earth Lusca has sent spearphishing emails that required the user to click on a malicious link and subsequently open a decoy document with a malicious loader. [1] |
| enterprise | T1204.002 | Malicious File | Earth Lusca required users to click on a malicious file for the loader to activate. [1] |
| enterprise | T1047 | Windows Management Instrumentation | Earth Lusca used a VBA script to execute WMI. [1] |
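Several rows above quote the exact persistence and masquerading commands the group ran (print processor registry key, `UserInitMprLogonScript`, an ONLOGON scheduled task as SYSTEM, an `sc create` wrapping `cmd /c start`, `certutil` decoding). The following detection sketch is an added example, not ATT&CK or Trend Micro content: it maps process command lines to the technique IDs on this page, using constructed sample records with hypothetical hostnames and file paths.

```python
"""Flag Windows process command lines that match the persistence and masquerading
procedures this page attributes to Earth Lusca. Added detection example; the
records below are constructed samples, not telemetry from a real incident."""
import re

# One case-insensitive pattern per technique ID from the page. Lookaheads make the
# argument order irrelevant, since both attackers and administrators reorder flags.
RULES = {
    # reg add ...\Print\Environments\<arch>\Print Processors\<name> (T1547.012)
    "T1547.012": re.compile(r"\\Print\\Environments\\[^\\]+\\Print Processors\\", re.I),
    # DLL written into the print processor directory (T1036.005)
    "T1036.005": re.compile(r"\\spool\\prtprocs\\", re.I),
    # reg add HKCU\Environment /v UserInitMprLogonScript (T1112)
    "T1112": re.compile(r"(?=.*\breg(\.exe)?\s+add\b)(?=.*\bUserInitMprLogonScript\b)", re.I),
    # schtasks /Create /SC ONLOGON ... /ru system (T1053)
    "T1053": re.compile(r"(?=.*\bschtasks(\.exe)?\b)(?=.*/create\b)(?=.*/sc\s+onlogon\b)(?=.*/ru\s+system\b)", re.I),
    # sc create <svc> binpath= "cmd /c start ..." (T1543.003)
    "T1543.003": re.compile(r"(?=.*\bsc(\.exe)?\s+create\b)(?=.*binpath=\s*\"?cmd\s+/c\s+start\b)", re.I),
    # certutil -decode <blob> <file> (T1140)
    "T1140": re.compile(r"(?=.*\bcertutil(\.exe)?\b)(?=.*\s-decode\b)", re.I),
}

def match_techniques(cmdline: str) -> list[str]:
    """Return the sorted technique IDs whose pattern matches one command line."""
    return sorted(tid for tid, rx in RULES.items() if rx.search(cmdline))

def scan(records: list[dict]) -> list[tuple[str, str, str]]:
    """records: dicts with 'host' and 'cmd'; returns (host, technique, cmd) hits in log order."""
    return [(r["host"], tid, r["cmd"]) for r in records for tid in match_techniques(r["cmd"])]

# Constructed process-creation records; the malicious ones mirror the page's commands,
# the last three are benign administrative commands that must not fire.
SAMPLE_RECORDS = [
    {"host": "ws01", "cmd": 'reg add "HKLM\\SYSTEM\\ControlSet001\\Control\\Print\\Environments\\Windows x64\\Print Processors\\UDPrint" /v Driver /d "spool.dll" /f'},
    {"host": "ws01", "cmd": "move C:\\Users\\Public\\x.dll c:\\windows\\system32\\spool\\prtprocs\\x64\\spool.dll"},
    {"host": "ws02", "cmd": 'reg add "HKEY_CURRENT_USER\\Environment" /v UserInitMprLogonScript /t REG_SZ /d "C:\\Users\\Public\\u.bat"'},
    {"host": "ws02", "cmd": 'schtasks /Create /SC ONLOgon /TN WindowsUpdateCheck /TR "C:\\Users\\Public\\w.exe" /ru system'},
    {"host": "srv01", "cmd": 'sc create "SysUpdate" binpath= "cmd /c start "C:\\ProgramData\\s.exe""'},
    {"host": "srv01", "cmd": "certutil -decode C:\\Users\\Public\\blob.txt C:\\Users\\Public\\p.cab"},
    {"host": "ws03", "cmd": "schtasks /Create /SC DAILY /TN Backup /TR C:\\Tools\\backup.exe"},
    {"host": "ws03", "cmd": "reg add HKCU\\Software\\Contoso /v Theme /d dark"},
    {"host": "ws03", "cmd": "sc query spooler"},
]

if __name__ == "__main__":
    for host, tid, cmd in scan(SAMPLE_RECORDS):
        print(f"{host}: {tid}  {cmd}")
```

The patterns are keyed to the specific command shapes quoted on this page; in production they would be one layer over Sysmon Event ID 1 or Security Event ID 4688 command-line fields, alongside registry and file-write telemetry for the same paths.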

Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0160 | certutil | [1] | Archive via Utility:Archive Collected Data; Deobfuscate/Decode Files or Information; Ingress Tool Transfer; Install Root Certificate:Subvert Trust Controls |
| S0154 | Cobalt Strike | [1] | Sudo and Sudo Caching:Abuse Elevation Control Mechanism; Bypass User Account Control:Abuse Elevation Control Mechanism; Token Impersonation/Theft:Access Token Manipulation; Make and Impersonate Token:Access Token Manipulation; Parent PID Spoofing:Access Token Manipulation; Domain Account:Account Discovery; Web Protocols:Application Layer Protocol; DNS:Application Layer Protocol; Application Layer Protocol; BITS Jobs; Browser Session Hijacking; Visual Basic:Command and Scripting Interpreter; Python:Command and Scripting Interpreter; JavaScript:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Windows Service:Create or Modify System Process; Standard Encoding:Data Encoding; Data from Local System; Protocol Impersonation:Data Obfuscation; Data Transfer Size Limits; Deobfuscate/Decode Files or Information; Asymmetric Cryptography:Encrypted Channel; Symmetric Cryptography:Encrypted Channel; Exploitation for Client Execution; Exploitation for Privilege Escalation; File and Directory Discovery; Process Argument Spoofing:Hide Artifacts; Disable or Modify Tools:Impair Defenses; Timestomp:Indicator Removal; Ingress Tool Transfer; Keylogging:Input Capture; Modify Registry; Native API; Network Service Discovery; Network Share Discovery; Non-Application Layer Protocol; Indicator Removal from Tools:Obfuscated Files or Information; Obfuscated Files or Information; Office Template Macros:Office Application Startup; Security Account Manager:OS Credential Dumping; LSASS Memory:OS Credential Dumping; Local Groups:Permission Groups Discovery; Domain Groups:Permission Groups Discovery; Process Discovery; Process Hollowing:Process Injection; Process Injection; Dynamic-link Library Injection:Process Injection; Protocol Tunneling; Domain Fronting:Proxy; Internal Proxy:Proxy; Query Registry; Reflective Code Loading; Windows Remote Management:Remote Services; SMB/Windows Admin Shares:Remote Services; SSH:Remote Services; Remote Desktop Protocol:Remote Services; Distributed Component Object Model:Remote Services; Remote System Discovery; Scheduled Transfer; Screen Capture; Software Discovery; Code Signing:Subvert Trust Controls; Rundll32:System Binary Proxy Execution; System Network Configuration Discovery; System Network Connections Discovery; System Service Discovery; Service Execution:System Services; Pass the Hash:Use Alternate Authentication Material; Domain Accounts:Valid Accounts; Local Accounts:Valid Accounts; Windows Management Instrumentation |
| S0002 | Mimikatz | [1] | SID-History Injection:Access Token Manipulation; Account Manipulation; Security Support Provider:Boot or Logon Autostart Execution; Credentials from Password Stores; Windows Credential Manager:Credentials from Password Stores; Credentials from Web Browsers:Credentials from Password Stores; LSASS Memory:OS Credential Dumping; DCSync:OS Credential Dumping; Security Account Manager:OS Credential Dumping; LSA Secrets:OS Credential Dumping; Rogue Domain Controller; Steal or Forge Authentication Certificates; Silver Ticket:Steal or Forge Kerberos Tickets; Golden Ticket:Steal or Forge Kerberos Tickets; Private Keys:Unsecured Credentials; Pass the Ticket:Use Alternate Authentication Material; Pass the Hash:Use Alternate Authentication Material |
| S0590 | NBTscan | [1] | Network Service Discovery; Network Sniffing; Remote System Discovery; System Network Configuration Discovery; System Owner/User Discovery |
| S0359 | Nltest | [1] | Domain Trust Discovery; Remote System Discovery; System Network Configuration Discovery |
| S0194 | PowerSploit | [1] | Access Token Manipulation; Local Account:Account Discovery; Audio Capture; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Security Support Provider:Boot or Logon Autostart Execution; PowerShell:Command and Scripting Interpreter; Windows Service:Create or Modify System Process; Windows Credential Manager:Credentials from Password Stores; Data from Local System; Domain Trust Discovery; DLL Search Order Hijacking:Hijack Execution Flow; Path Interception by Unquoted Path:Hijack Execution Flow; Path Interception by Search Order Hijacking:Hijack Execution Flow; Path Interception by PATH Environment Variable:Hijack Execution Flow; Keylogging:Input Capture; Indicator Removal from Tools:Obfuscated Files or Information; Command Obfuscation:Obfuscated Files or Information; LSASS Memory:OS Credential Dumping; Process Discovery; Dynamic-link Library Injection:Process Injection; Query Registry; Reflective Code Loading; Scheduled Task:Scheduled Task/Job; Screen Capture; Kerberoasting:Steal or Forge Kerberos Tickets; Credentials in Registry:Unsecured Credentials; Group Policy Preferences:Unsecured Credentials; Windows Management Instrumentation |
| S0596 | ShadowPad | [1] | File Transfer Protocols:Application Layer Protocol; DNS:Application Layer Protocol; Web Protocols:Application Layer Protocol; Non-Standard Encoding:Data Encoding; Deobfuscate/Decode Files or Information; Domain Generation Algorithms:Dynamic Resolution; Indicator Removal; Ingress Tool Transfer; Modify Registry; Non-Application Layer Protocol; Fileless Storage:Obfuscated Files or Information; Obfuscated Files or Information; Process Discovery; Process Injection; Dynamic-link Library Injection:Process Injection; Scheduled Transfer; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery; System Time Discovery |
| S0057 | Tasklist | [1] | Process Discovery; Security Software Discovery:Software Discovery; System Service Discovery |
| S0430 | Winnti for Linux | [1] | Web Protocols:Application Layer Protocol; Deobfuscate/Decode Files or Information; Symmetric Cryptography:Encrypted Channel; Ingress Tool Transfer; Non-Application Layer Protocol; Obfuscated Files or Information; Rootkit; Traffic Signaling |

References