An elusive threat actor called Land Lusca has been observed hitting organizations around the world in what appears to be both an espionage campaign and an attempt to reap monetary profit.

“His list of victims includes high-value targets such as government and educational institutions, religious movements, pro-democracy and human rights organizations in Hong Kong, COVID-19 research organizations and the media, among others,” the Trend Micro researchers said. in a new report. “However, the threat actor also appears to have financial motivations, as he was also targeting gambling and cryptocurrency companies.

The cybersecurity firm attributed the group to the larger China-based Winnti Group, which refers to a number of related groups rather than a single separate entity that focuses on intelligence gathering and intellectual property theft.

Earth Lusca’s intrusion pathways are facilitated by spear-phishing and watering holes attacks, while exploiting vulnerabilities in public-facing applications, such as Microsoft Exchange ProxyShell and Oracle GlassFish Server exploits, as a vector of attack.

Chains of infection lead to the deployment of Cobalt Strike, alongside a variety of additional malware such as Doraemon, ShadowPad, Winnti, FunnySwitch, and web shells like AntSword and Behinder.

Cobalt Strike is a comprehensive penetration suite that originated as a legitimate remote access tool, developed for red teams to use in penetration testing. However, in recent years it has become one of the favorite tools in a threat actor’s arsenal and the primary means of turning a foothold into a convenient intrusion.

Interestingly, while the attacks also involve the installation of cryptocurrency miners on infected hosts, the researchers pointed out that “revenue from mining activities appears low”.

Telemetry data collected by Trend Micro reveals that Earth Lusca staged attacks against entities that may be of strategic interest to the Chinese government, including:

• Game companies in mainland China
• Government institutions in Taiwan, Thailand, Philippines, Vietnam, United Arab Emirates, Mongolia and Nigeria
• Educational institutions in Taiwan, Hong Kong, Japan and France
• News media in Taiwan, Hong Kong, Australia, Germany and France
• Political organizations and movements advocating for democracy and human rights in Hong Kong
• COVID-19 Research Organizations in the United States
• Telecom companies in Nepal
• Religious movements banned in mainland China, and
• Various Cryptocurrency Trading Platforms

“Evidence indicates that Earth Lusca is a highly skilled and dangerous actor primarily motivated by cyber espionage and financial gain. However, the group still relies primarily on proven techniques to entrap a target,” the researchers said.

“While this has its benefits (the techniques have already proven effective), it also means that best security practices, such as avoiding clicking on suspicious email/website links and updating important public-facing applications, can minimize the impact – or even stop – an attack from Earth Lusca.”