February 26, 2024 at 01:39AM
Earth Lusca, a China-linked threat actor, launched a campaign targeting Taiwan before the national elections, using geopolitical relations as a lure to infect selected targets. The attacks involved spear phishing and a multi-stage infection chain, ultimately deploying a stageless Cobalt Strike payload. There are significant overlaps between the tools used by Earth Lusca and a Chinese company called I-Soon, indicating a potential connection between the two entities. The campaign was active between December 2023 and January 2024, and Earth Lusca targeted a Taiwan-based private academic think tank. Organizations are advised to remain vigilant against such sophisticated threat actors.
From the provided meeting notes, here are the key takeaways:
– Earth Lusca, a threat actor group linked to China, ran a campaign that used Chinese-Taiwanese relations as a lure to infect selected targets prior to the Taiwanese national elections.
– The campaign featured spear phishing, employing a file named “China’s gray zone warfare against Taiwan.7z” as the initial infection file sent via email.
– The attack chain involved several stages, including the use of obfuscated JavaScript code, decoy files, and a stageless Cobalt Strike payload.
– Similar attacks were observed using different archive file names, decoy document names, and C&C servers.
– The campaign was active between December 2023 and January 2024, targeting a Taiwan-based private academic think tank dedicated to the study of international political and economic situations.
– Significant overlap was found between the activities of Earth Lusca and a Chinese company called I-Soon, suggesting a connection between the two.
– The conclusion emphasizes the importance of remaining vigilant against APT groups, especially in the context of cyberespionage, and advises individuals and organizations to follow security best practices to minimize the risk of falling victim to such attacks.
Additionally, the meeting notes include a subset of MITRE ATT&CK techniques used in the campaign, along with indicators of compromise (IOCs) listed separately.
Please let me know if you need further analysis or if there are specific actions to be taken based on this information.