[MART] - Daily Diary #306 - LuminousMoth impersonating Zoom app to avoid detection

CTAS-MAT ctas-mat at appgate.com
Fri Jul 16 22:07:39 UTC 2021

I hope everyone is doing well!

Below is the entry for today.

07/16/2021 - Diary entry #306

This week a new campaign from the Chinese APT group known as LuminousMoth was disclosed that uses fake Zoom apps to spy on Southeast Asian high-profile targets.

The infection chain starts with a spear phishing email campaign containing a URL to download a RAR archive from Dropbox. The RAR file contains two legitimate executables and two malicious DLLs that are loaded into process memory through a technique known as side-loading (covered in our Daily Diary #47).

This threat has the capability to spread itself to other devices through USB drives, followed by a signed fake Zoom application. The malware impersonating Zoom is used as a post-exploitation tool to exfiltrate data from the infected systems. After collecting the data, the malware sends the files as RAR archives to its C2 server.
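The two behaviours above (a legitimate executable loading a malicious DLL from its own directory, and the same pattern appearing on a removable drive) are both visible in image-load telemetry. The following is an added detection example, not code from the original diary entry or from any vendor: it assumes ImageLoad events shaped like Sysmon Event ID 7 (fields Image, ImageLoaded, Signed, SignatureStatus), the sample events are constructed, and the trusted install directories and the choice of C: as the system drive are assumptions a real deployment would tune.

```python
"""Flag candidate DLL side-loading from ImageLoad telemetry.

Assumptions (not from the original post): each event is a dict shaped like
Sysmon Event ID 7 (ImageLoad) with Image (the loading process), ImageLoaded
(the DLL), and Signed / SignatureStatus describing the DLL's Authenticode
state. The sample events below are constructed for illustration only.
"""
from pathlib import PureWindowsPath

# Directories where a vendor DLL next to its executable is expected (assumed list).
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
SYSTEM_DRIVE = "c:"  # assumption; anything else is treated as removable/external

# Constructed sample events: a signed "updater" in Downloads loading an unsigned
# DLL from its own folder, a normal system DLL load, a vendor app under
# Program Files, and the same side-load shape on an external drive.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\alice\\Downloads\\invoice\\updater.exe",
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\invoice\\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": "C:\\Users\\alice\\Downloads\\invoice\\updater.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": "E:\\Tools\\viewer.exe",
     "ImageLoaded": "E:\\Tools\\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]


def normalize(path: str) -> str:
    """Lower-case a Windows path so comparisons are case-insensitive."""
    return str(PureWindowsPath(path)).lower()


def in_trusted_dir(path: str) -> bool:
    """True if the path sits under one of the expected install locations."""
    p = normalize(path)
    return any(p.startswith(d) for d in TRUSTED_DIRS)


def same_dir(a: str, b: str) -> bool:
    """True if two files live in the same directory (the side-loading precondition)."""
    return normalize(str(PureWindowsPath(a).parent)) == normalize(str(PureWindowsPath(b).parent))


def on_system_drive(path: str) -> bool:
    """True if the file is on the assumed system drive rather than an external volume."""
    return PureWindowsPath(normalize(path)).drive == SYSTEM_DRIVE


def find_sideload_candidates(events):
    """Return the events that match the side-loading pattern, with a reason string.

    Rule: the DLL is loaded from the process's own directory, that directory is
    not a trusted install location, and the DLL carries no valid signature.
    """
    hits = []
    for ev in events:
        exe, dll = ev["Image"], ev["ImageLoaded"]
        if not same_dir(exe, dll):
            continue                      # system/library DLLs from elsewhere
        if in_trusted_dir(dll):
            continue                      # vendor DLL next to a vendor binary
        if ev.get("Signed") == "true" and ev.get("SignatureStatus") == "Valid":
            continue                      # properly signed helper DLL
        reason = "unsigned DLL loaded from the process's own, untrusted directory"
        if not on_system_drive(dll):
            reason += "; directory is on a non-system (possibly removable) drive"
        hits.append({"process": exe, "dll": dll, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"{hit['process']} -> {hit['dll']}: {hit['reason']}")
```

The rule is deliberately narrow so it stays quiet on normal software: it only fires when an unsigned DLL is picked up from the loading executable's own directory outside the trusted install paths, and it tags the removable-drive case separately so the USB propagation described above can be triaged with higher priority.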

Also, the malware can deploy a tool to steal cookies from the Chrome browser. The attackers can use those cookies to impersonate the targets' social media and e-mail sessions and spread their malware to other contacts.

Kind Regards,



Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 11 97467 9549
