
G1014 LuminousMoth

LuminousMoth is a Chinese-speaking cyber espionage group that has been active since at least October 2020. LuminousMoth has targeted high-profile organizations, including government entities, in Myanmar, the Philippines, Thailand, and other parts of Southeast Asia. Some security researchers have concluded there is a connection between LuminousMoth and Mustang Panda based on similar targeting and TTPs, as well as network infrastructure overlaps.[2][1]

Item | Value
ID | G1014
Associated Names | 
Version | 1.0
Created | 23 February 2023
Last Modified | 17 April 2023

Techniques Used

Domain | ID | Name | Use
enterprise | T1557 | Adversary-in-the-Middle | -
enterprise | T1557.002 | ARP Cache Poisoning | LuminousMoth has used ARP spoofing to redirect a compromised machine to an actor-controlled website.[1]
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | LuminousMoth has used HTTP for C2.[2]
enterprise | T1560 | Archive Collected Data | LuminousMoth has manually archived stolen files from victim machines before exfiltration.[1]
enterprise | T1547 | Boot or Logon Autostart Execution | -
enterprise | T1547.001 | Registry Run Keys / Startup Folder | LuminousMoth has used malicious DLLs that set up persistence under the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.[2][1]
enterprise | T1005 | Data from Local System | LuminousMoth has collected files and data from compromised machines.[2][1]
enterprise | T1030 | Data Transfer Size Limits | LuminousMoth has split archived files into multiple parts to bypass a 5 MB limit.[1]
enterprise | T1587 | Develop Capabilities | -
enterprise | T1587.001 | Malware | LuminousMoth has used unique malware for information theft and exfiltration.[2][1]
enterprise | T1041 | Exfiltration Over C2 Channel | LuminousMoth has used malware that exfiltrates stolen data to its C2 server.[2]
enterprise | T1567 | Exfiltration Over Web Service | -
enterprise | T1567.002 | Exfiltration to Cloud Storage | LuminousMoth has exfiltrated data to Google Drive.[1]
enterprise | T1083 | File and Directory Discovery | LuminousMoth has used malware that scans for files in the Documents, Desktop, and Download folders and on other drives.[2][1]
enterprise | T1564 | Hide Artifacts | -
enterprise | T1564.001 | Hidden Files and Directories | LuminousMoth has used malware to store malicious binaries in hidden directories on victims' USB drives.[2]
enterprise | T1574 | Hijack Execution Flow | -
enterprise | T1574.002 | DLL Side-Loading | LuminousMoth has used legitimate executables such as winword.exe and igfxem.exe to side-load their malware.[2][1]
enterprise | T1105 | Ingress Tool Transfer | LuminousMoth has downloaded additional malware and tools onto a compromised host.[2][1]
enterprise | T1036 | Masquerading | -
enterprise | T1036.005 | Match Legitimate Name or Location | LuminousMoth has disguised their exfiltration malware as ZoomVideoApp.exe.[2]
enterprise | T1112 | Modify Registry | LuminousMoth has used malware that adds Registry keys for persistence.[2][1]
enterprise | T1588 | Obtain Capabilities | -
enterprise | T1588.001 | Malware | LuminousMoth has obtained and used malware such as Cobalt Strike.[2][1]
enterprise | T1588.002 | Tool | LuminousMoth has obtained an ARP spoofing tool from GitHub.[1]
enterprise | T1588.004 | Digital Certificates | LuminousMoth has used a valid digital certificate for some of their malware.[2]
enterprise | T1566 | Phishing | -
enterprise | T1566.002 | Spearphishing Link | LuminousMoth has sent spearphishing emails containing a malicious Dropbox download link.[2]
enterprise | T1091 | Replication Through Removable Media | LuminousMoth has used malicious DLLs to spread malware to removable USB drives connected to infected machines.[2][1]
enterprise | T1053 | Scheduled Task/Job | -
enterprise | T1053.005 | Scheduled Task | LuminousMoth has created scheduled tasks to establish persistence for their tools.[1]
enterprise | T1608 | Stage Capabilities | -
enterprise | T1608.001 | Upload Malware | LuminousMoth has hosted malicious payloads on Dropbox.[2]
enterprise | T1608.004 | Drive-by Target | LuminousMoth has redirected compromised machines to an actor-controlled webpage through HTML injection.[1]
enterprise | T1608.005 | Link Target | LuminousMoth has created a link to a Dropbox file that has been used in their spearphishing operations.[2]
enterprise | T1539 | Steal Web Session Cookie | LuminousMoth has used an unnamed post-exploitation tool to steal cookies from the Chrome browser.[2]
enterprise | T1553 | Subvert Trust Controls | -
enterprise | T1553.002 | Code Signing | LuminousMoth has signed their malware with a valid digital signature.[2]
enterprise | T1033 | System Owner/User Discovery | LuminousMoth has used a malicious DLL to collect the username from compromised hosts.[1]
enterprise | T1204 | User Execution | -
enterprise | T1204.001 | Malicious Link | LuminousMoth has lured victims into clicking malicious Dropbox download links delivered through spearphishing.[2]
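Four of the host-side behaviours in the table (the HKCU Run-key persistence, the winword.exe / igfxem.exe side-loading, the scheduled tasks, and the ZoomVideoApp.exe masquerade) can be hunted for with a handful of rules over endpoint telemetry. The rules below are an added example, not code from MITRE or from the cited reports; they run over constructed Sysmon-style event records (EventID 1 process create, 7 image loaded, 13 registry value set). Field names follow Sysmon, but every computer name, user, path and file name in the sample events is invented, and the "trusted directory" list is an assumption that you would tune to your own image.

```python
"""Hunting rules for four LuminousMoth host behaviours listed above:
T1574.002 DLL side-loading, T1547.001 Run-key persistence,
T1053.005 scheduled tasks and T1036.005 masquerading as ZoomVideoApp.exe.
Added example, not MITRE's or the reports' code; the events are constructed."""
import ntpath
from typing import List, Optional, Tuple

Alert = Tuple[str, str, str]  # (technique, computer, detail)

SIDELOAD_HOSTS = {"winword.exe", "igfxem.exe"}   # legitimate hosts the page cites
MASQUERADE_NAMES = {"zoomvideoapp.exe"}           # filename the page cites
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
# Assumed trusted install locations; anything else is treated as user-writable.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower() + "\\"


def _mentions_trusted_dir(text: str) -> bool:
    return any(d in text.lower() for d in TRUSTED_DIRS)


def rule_sideload(ev: dict) -> Optional[Alert]:
    """T1574.002: a watched host binary, itself running outside a trusted
    install directory, loads an unsigned DLL from its own folder."""
    if ev.get("EventID") != 7 or _base(ev["Image"]) not in SIDELOAD_HOSTS:
        return None
    if str(ev.get("Signed", "false")).lower() == "true":
        return None
    if _dir(ev["ImageLoaded"]) == _dir(ev["Image"]) and not _dir(ev["Image"]).startswith(TRUSTED_DIRS):
        return ("T1574.002", ev["Computer"], f"{ev['Image']} loaded {ev['ImageLoaded']}")
    return None


def rule_run_key(ev: dict) -> Optional[Alert]:
    """T1547.001: a Run value is written whose data names a DLL or a binary
    outside the trusted install directories."""
    if ev.get("EventID") != 13 or RUN_KEY not in ev.get("TargetObject", "").lower():
        return None
    data = ev.get("Details", "")
    if ".dll" in data.lower() or not _mentions_trusted_dir(data):
        return ("T1547.001", ev["Computer"], f"{ev['TargetObject']} = {data}")
    return None


def rule_schtask(ev: dict) -> Optional[Alert]:
    """T1053.005: schtasks /create whose /tr action lives outside the
    trusted install directories."""
    if ev.get("EventID") != 1 or _base(ev["Image"]) != "schtasks.exe":
        return None
    cmd = ev.get("CommandLine", "")
    action = cmd.lower().split("/tr", 1)[-1]   # text after /tr, or the whole line
    if "/create" in cmd.lower() and not _mentions_trusted_dir(action):
        return ("T1053.005", ev["Computer"], cmd)
    return None


def rule_masquerade(ev: dict) -> Optional[Alert]:
    """T1036.005: a process starts under the masquerade filename."""
    if ev.get("EventID") == 1 and _base(ev["Image"]) in MASQUERADE_NAMES:
        return ("T1036.005", ev["Computer"], ev["Image"])
    return None


RULES = (rule_sideload, rule_run_key, rule_schtask, rule_masquerade)


def hunt(events: List[dict]) -> List[Alert]:
    """Run every rule over every event, in order, and collect the hits."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev)) is not None]


# Constructed events for one workstation; items 1, 3, 5 and 6 should fire.
SAMPLE_EVENTS: List[dict] = [
    {"EventID": 7, "Computer": "WS-042", "Signed": "false",
     "Image": r"C:\Users\alice\AppData\Local\Temp\winword.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\loader.dll"},
    {"EventID": 7, "Computer": "WS-042", "Signed": "true",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\mso.dll"},
    {"EventID": 13, "Computer": "WS-042",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\SysUpdate",
     "Details": r"rundll32.exe C:\Users\alice\AppData\Roaming\svc\loader.dll,Start"},
    {"EventID": 13, "Computer": "WS-042",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"EventID": 1, "Computer": "WS-042", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 30 /tn OfficeSync /tr "C:\Users\alice\AppData\Roaming\svc\ZoomVideoApp.exe"'},
    {"EventID": 1, "Computer": "WS-042",
     "Image": r"C:\Users\alice\AppData\Roaming\svc\ZoomVideoApp.exe",
     "CommandLine": r"C:\Users\alice\AppData\Roaming\svc\ZoomVideoApp.exe"},
]

if __name__ == "__main__":
    for technique, computer, detail in hunt(SAMPLE_EVENTS):
        print(f"[{technique}] {computer}: {detail}")
```

The side-load rule deliberately keys on the host binary running from a user-writable directory rather than on the DLL name: the table says the actors reused legitimate executables, so a copy of winword.exe outside Program Files loading an unsigned DLL beside itself is the signal, whatever the DLL is called. The Run-key and scheduled-task rules will also fire on poorly packaged legitimate software that starts from %AppData%, so treat hits as triage leads and add allow-list entries for known installers.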
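The ARP Cache Poisoning row (T1557.002) describes the network-side step that let the actors redirect a compromised machine to their own web page: a spoofing tool answers ARP requests for the gateway so that the victim's traffic passes through the attacker. The monitor below is an added example, not code from MITRE or from the cited reports; it replays a constructed list of ARP replies (every timestamp, IP address and MAC is invented) and reports the two symptoms such a tool leaves on the wire, an IP whose MAC moves away from its baseline and one MAC answering for more than one IP.

```python
"""ARP cache poisoning monitor for T1557.002.
Added example, not MITRE's or the reports' code; the replies are constructed."""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

ArpReply = Tuple[float, str, str, str]   # (timestamp, sender_ip, sender_mac, target_ip)
Alert = Tuple[float, str, str]           # (timestamp, kind, detail)

# Constructed capture: 10.0.1.1 is the gateway (...:01) and 10.0.1.20 the
# victim (...:20). From t=3.0 a third host (...:99) answers for both of
# them, which is what it takes to sit between the victim and the gateway.
SAMPLE_REPLIES: List[ArpReply] = [
    (1.0, "10.0.1.1",  "aa:bb:cc:00:00:01", "10.0.1.20"),
    (1.5, "10.0.1.20", "aa:bb:cc:00:00:20", "10.0.1.1"),
    (2.0, "10.0.1.30", "aa:bb:cc:00:00:30", "10.0.1.1"),
    (3.0, "10.0.1.1",  "aa:bb:cc:00:00:99", "10.0.1.20"),
    (3.1, "10.0.1.20", "aa:bb:cc:00:00:99", "10.0.1.1"),
    (4.0, "10.0.1.1",  "aa:bb:cc:00:00:99", "10.0.1.20"),
]

# Operator-supplied trusted bindings. The gateway is the one that matters
# most, because that is the address a spoofer has to claim.
GATEWAY_BASELINE: Dict[str, str] = {"10.0.1.1": "aa:bb:cc:00:00:01"}


def detect_arp_poisoning(replies: List[ArpReply],
                         baseline: Optional[Dict[str, str]] = None) -> List[Alert]:
    """Return one alert per poisoning symptom seen in `replies`.

    IPs in `baseline` are pinned to their MAC; any other IP is pinned to
    the MAC of its first reply, so a spoofer that starts before the
    monitor would be learned as legitimate (hence the baseline).
    """
    ip_to_mac: Dict[str, str] = {ip: mac.lower() for ip, mac in (baseline or {}).items()}
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[Alert] = []
    for ts, sender_ip, sender_mac, _target_ip in replies:
        mac = sender_mac.lower()
        known = ip_to_mac.get(sender_ip)
        if known is None:
            ip_to_mac[sender_ip] = mac            # first sighting becomes the pin
        elif known != mac:
            alerts.append((ts, "mac-change", f"{sender_ip}: {known} -> {mac}"))
        claimed = mac_to_ips[mac]
        before = len(claimed)
        claimed.add(sender_ip)
        # Alert only when the set of IPs this MAC answers for actually grows,
        # so repeated poison replies do not re-raise the same finding.
        if len(claimed) > 1 and len(claimed) > before:
            alerts.append((ts, "multi-ip", f"{mac} now answers for {sorted(claimed)}"))
    return alerts


if __name__ == "__main__":
    for ts, kind, detail in detect_arp_poisoning(SAMPLE_REPLIES, GATEWAY_BASELINE):
        print(f"t={ts:<4} {kind:<10} {detail}")
```

On a real network, feed the function from a passive ARP capture on a span port rather than from the monitoring host's own cache, which the spoofer can poison too. Both signals have benign causes (VRRP or HA failover changes the gateway MAC, a router with secondary addresses answers for several IPs), so pin only addresses you control and correlate a mac-change on the gateway with the unexpected redirects to injected pages that the T1608.004 row describes.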

Software

ID | Name | References | Techniques
S0154 | Cobalt Strike | [2][1] | Sudo and Sudo Caching:Abuse Elevation Control Mechanism, Bypass User Account Control:Abuse Elevation Control Mechanism, Token Impersonation/Theft:Access Token Manipulation, Make and Impersonate Token:Access Token Manipulation, Parent PID Spoofing:Access Token Manipulation, Domain Account:Account Discovery, Web Protocols:Application Layer Protocol, DNS:Application Layer Protocol, Application Layer Protocol, BITS Jobs, Browser Session Hijacking, Visual Basic:Command and Scripting Interpreter, Python:Command and Scripting Interpreter, JavaScript:Command and Scripting Interpreter, PowerShell:Command and Scripting Interpreter, Windows Command Shell:Command and Scripting Interpreter, Windows Service:Create or Modify System Process, Standard Encoding:Data Encoding, Data from Local System, Protocol Impersonation:Data Obfuscation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Asymmetric Cryptography:Encrypted Channel, Symmetric Cryptography:Encrypted Channel, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Process Argument Spoofing:Hide Artifacts, Disable or Modify Tools:Impair Defenses, Timestomp:Indicator Removal, Ingress Tool Transfer, Keylogging:Input Capture, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Indicator Removal from Tools:Obfuscated Files or Information, Obfuscated Files or Information, Office Template Macros:Office Application Startup, Security Account Manager:OS Credential Dumping, LSASS Memory:OS Credential Dumping, Local Groups:Permission Groups Discovery, Domain Groups:Permission Groups Discovery, Process Discovery, Process Hollowing:Process Injection, Process Injection, Dynamic-link Library Injection:Process Injection, Protocol Tunneling, Domain Fronting:Proxy, Internal Proxy:Proxy, Query Registry, Reflective Code Loading, Windows Remote Management:Remote Services, SMB/Windows Admin Shares:Remote Services, SSH:Remote Services, Remote Desktop Protocol:Remote Services, Distributed Component Object Model:Remote Services, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Code Signing:Subvert Trust Controls, Rundll32:System Binary Proxy Execution, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, Service Execution:System Services, Pass the Hash:Use Alternate Authentication Material, Domain Accounts:Valid Accounts, Local Accounts:Valid Accounts, Windows Management Instrumentation
S0013 | PlugX | [2][1] | DNS:Application Layer Protocol, Web Protocols:Application Layer Protocol, Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution, Windows Command Shell:Command and Scripting Interpreter, Windows Service:Create or Modify System Process, Deobfuscate/Decode Files or Information, Symmetric Cryptography:Encrypted Channel, File and Directory Discovery, Hidden Files and Directories:Hide Artifacts, DLL Side-Loading:Hijack Execution Flow, DLL Search Order Hijacking:Hijack Execution Flow, Ingress Tool Transfer, Keylogging:Input Capture, Masquerade Task or Service:Masquerading, Match Legitimate Name or Location:Masquerading, Modify Registry, Native API, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information, Process Discovery, Query Registry, Screen Capture, System Network Connections Discovery, MSBuild:Trusted Developer Utilities Proxy Execution, System Checks:Virtualization/Sandbox Evasion, Dead Drop Resolver:Web Service

References