Threat Intelligence Feed

G1006 - Earth Lusca

G1006 – Earth Lusca is a threat actor from China that targets organizations globally through campaigns that use traditional social engineering techniques such as spear phishing and watering holes. The group’s primary motivation appears to be cyberespionage: its list of victims includes high-value targets such as government and educational institutions, religious movements, pro-democracy and human rights organizations in Hong Kong, COVID-19 research organizations, and the media, among others. However, the threat actor also appears to be financially motivated, as it has also taken aim at gambling and cryptocurrency companies.

In addition to spear phishing emails, Earth Lusca also made use of watering hole websites: the group either compromised websites belonging to its targets or set up fake web pages copied from legitimate websites, and then injected malicious JavaScript code into them. Links to these websites were then sent to the victims.

Earth Lusca employs several malware families and other hacking tools in its arsenal. A common theme we’ve seen in its attack vectors is the use of Cobalt Strike loaders — and indeed, Cobalt Strike is one of the group’s preferred tools because of its wide range of post-exploitation capabilities. In this case, the Cobalt Strike shellcode dropped onto the target system is XOR-encoded and stored together with its corresponding key.
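For an analyst who recovers such a blob, the triage step is to unwrap it; the following Python is an added illustration (not code from this report or from the group's tooling) that recovers a repeating XOR key of unknown length by testing candidates against a known-plaintext prefix. The stager prologue bytes used as the crib and the sample blob are assumptions constructed for the example.

```python
from typing import Optional, Tuple

# Assumed crib: the "cld; call" prologue (0xFC 0xE8 ...) that x86 stager
# shellcode commonly starts with. Adjust it to the sample under analysis.
STAGER_PROLOGUE_X86 = bytes.fromhex("fce889000000")


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; XOR is its own inverse, so this both wraps and unwraps."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(blob: bytes, crib: bytes = STAGER_PROLOGUE_X86, max_len: int = 16) -> Optional[bytes]:
    """Return the shortest repeating key (up to max_len bytes) that turns the
    start of blob into crib, or None. The crib must be longer than the key so
    that at least one byte re-checks the candidate instead of merely defining it."""
    if len(blob) < len(crib):
        return None
    for klen in range(1, min(max_len, len(crib) - 1) + 1):
        # Known plaintext: key[i] = cipher[i] ^ plain[i] for the first klen bytes.
        key = bytes(blob[i] ^ crib[i] for i in range(klen))
        # Accept only if the key also explains the remaining crib bytes.
        if xor_repeating(blob[: len(crib)], key) == crib:
            return key
    return None


def decode_blob(blob: bytes, crib: bytes = STAGER_PROLOGUE_X86) -> Optional[Tuple[bytes, bytes]]:
    """Recover the key and return (key, decoded bytes), or None when no key fits."""
    key = recover_key(blob, crib)
    if key is None:
        return None
    return key, xor_repeating(blob, key)


# Constructed fixture (not real shellcode): only the prologue is meaningful,
# the rest is filler. It is wrapped with a 4-byte key, as a loader might do.
FAKE_SHELLCODE = STAGER_PROLOGUE_X86 + b"\x90" * 10 + b"constructed filler"
FAKE_KEY = bytes.fromhex("5a13c708")
SAMPLE_BLOB = xor_repeating(FAKE_SHELLCODE, FAKE_KEY)

if __name__ == "__main__":
    found = decode_blob(SAMPLE_BLOB)
    if found is None:
        print("no key consistent with the crib")
    else:
        key, plain = found
        print(f"key={key.hex()} decoded prefix={plain[:6].hex()}")
```

Because the check rejects any key that does not also explain the bytes beyond its own length, a wrong key length fails the verification rather than producing a false hit.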

Evidence points to Earth Lusca being a highly skilled and dangerous threat actor mainly motivated by cyberespionage and financial gain. However, the group still relies primarily on tried-and-true techniques to entrap a target. While this has its advantages (the techniques have already proven to be effective), it also means that security best practices, such as avoiding clicking on suspicious email/website links and keeping important public-facing applications updated, can minimize the impact of — or even stop — an Earth Lusca attack.