Kaspersky Identifies APT Posing as Zoom Software

Kaspersky Labs identified “LuminousMoth,” a potentially malicious, advanced persistent threat known to pose as Zoom collaboration software. This malware, which has been detected in “high volumes” Is related to an active campaign that Kaspersky first observed in Asia in late 2020.

Initially, it was believed to be intentionally planted on corporate servers exclusively via USB drive. Kaspersky, however, indicated that it has yet to determine whether attacks are generated by “rapid replication” or by an “unknown infection vector” such as supply chain attack.

Kaspersky noted that LuminousMoth has been observed as a forged version of Zoom that allows attackers to “exfiltrate files from the compromised systems.” Infection is currently believed to spread via spear-phishing e-mail with a fraudulent Dropbox download link that contains two malicious DLL libraries.

LuminousMoth represents an activity cluster affiliated to a Chinese-speaking actor, with multiple overlaps with the “HoneyMyte” threat that conducted large-scale attacks against target perimeters. The APT may also hint at an additional trend toward re-tooling and producing new and unknown malware implants to “obscure any ties to their former activities” and “blur their attribution to known groups.”

Additional information comes via Kaspersky Labs’ SecureList.