
Earth Lusca

MITRE ATT&CK ID: G1006 · Country: China

Also known as: TAG-22 · Charcoal Typhoon · CHROMIUM · ControlX

Overview

Earth Lusca is a suspected China-based cyber espionage group that has been active since at least April 2019. Earth Lusca has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess that some Earth Lusca operations may be financially motivated. Earth Lusca has used malware commonly used by other Chinese threat groups, including APT41 and the Winnti Group cluster; however, security researchers assess that Earth Lusca's techniques and infrastructure are separate.

Targets

Covid-19 Research Organizations · Cryptocurrency · Education · Gambling Companies · Government Institutions · Media · Medical · Pro-democracy And Human Rights Political Organizations · Religious Organization · Telecommunications

Regions

Australia · China · France · Germany · Hong Kong · Japan · Mongolia · Nepal · Nigeria · Philippines · Taiwan · Thailand · United Arab Emirates · United States · Vietnam

Capabilities

  • Exploitation of public-facing / client applications — ATT&CK T1190
  • Custom malware/implant development — ATT&CK: 3 attributed custom malware families

TTPs — 44 techniques across 14 tactics

Reconnaissance

Resource Development

Execution

Persistence

Privilege Escalation

Defense Impairment

Credential Access

Lateral Movement

Collection

Command and Control

Exfiltration

Tools & malware (9)

Mimikatz · PowerSploit · Tasklist · certutil · Cobalt Strike · Winnti for Linux · Nltest · NBTscan · ShadowPad

Reporting (3)