Dark Web Spotlight: LuminousMoth’s Fake Zoom App

A new advanced persistent threat (APT) actor, LuminousMoth, is on the scene, using fake Zoom apps to infect systems in South East Asia. This China-linked threat actor uses a two-stage attack: first, a mass phishing push; second, a more precise infection in which malware disguised as a Zoom app is used to exfiltrate data. Its current campaign started in October 2020, focused first on Myanmar and now on the Philippines.

LuminousMoth’s tactics are a unique mix. The first stage, mass phishing, is an unsubtle technique that APTs typically avoid so as not to arouse suspicion. The second stage involves getting a user to download a fake Zoom application that houses malware. This malware spreads by copying itself to removable drives connected to the infected system.

LuminousMoth began by targeting important organizations in Myanmar, where about 100 victims have been identified. In the Philippines, nearly 1,400 targeted victims have been found. Targets included Myanmar’s Ministry of Transport and Communications and the country’s Development Assistance Coordination Unit of the Foreign Economic Relations Department.

Given how quickly this malware is spreading, there are theories that other vectors are in play, namely watering-hole websites or a supply chain attack. Supply chain attacks are gaining steam and represent a growing threat. CybelAngel third-party risk management services can help protect your company from such supply chain risks.