
Lucky Cat

aka: TA413, White Dev 9

A series of attacks, targeting both Indian military research and South Asian shipping organizations, demonstrates the minimum level of effort required to successfully compromise a target and steal sensitive information. The attackers use very simple malware, which required little development time or skill, in conjunction with freely available web hosting, to implement a highly effective attack. It is a case of the attackers obtaining a maximum return on their investment. The attack shows how an intelligent attacker does not need to be particularly technically skilled in order to steal the information they are after.

The attack begins, as is often the case, with an email sent to the victim. A malicious document is attached to the email which, when loaded, activates the malware. The attackers use tailored emails to encourage the victim to open the email. For example, one email sent to an academic claimed to be a call for papers (CFP) for a conference. The vast majority of the victims were based in India, with some in Malaysia. The victim industries were mostly military research and also shipping based in the Arabian and South China seas. In some instances the attackers appeared to have a clear goal, whereby specific files were retrieved from certain compromised computers. In other cases, the attackers used more of a 'shotgun'-like approach, copying every file from a computer. Military technologies were obviously the focus of one particular attack, in which what appeared to be source code was stolen.

45 different attacker IP addresses were observed. Of those, 43 were within the same IP address range based in Sichuan province, China. The remaining two were based in South Korea. The pattern of attacker connections implies that the IP addresses are being used as a VPN, probably in an attempt to render the attackers anonymous. The attacks have been active from at least April 2011 up to February 2012.

The attackers are intelligent and focused, employing the minimum amount of work necessary for the maximum gain. They do not use zero-day exploits or complicated threats; instead, they rely on effective social engineering and lax security measures on the part of the victims.


Associated Families
apk.luckycat, win.exilerat, win.lowzero, win.sepulcher

References
2022-09-22 | Recorded Future | Insikt Group®
@techreport{group:20220922:chinese:9349a24,
  author = {Insikt Group®},
  title = {{Chinese State-Sponsored Group TA413 Adopts New Capabilities in Pursuit of Tibetan Targets}},
  date = {2022-09-22},
  institution = {Recorded Future},
  url = {https://go.recordedfuture.com/hubfs/reports/cta-2022-0922.pdf},
  language = {English},
  urldate = {2022-09-26}
}
Tags: 8.t Dropper, LOWZERO

2021-02-25 | Proofpoint | Michael Raggi, Proofpoint Threat Research Team
@online{raggi:20210225:ta413:400254c,
  author = {Michael Raggi and Proofpoint Threat Research Team},
  title = {{TA413 Leverages New FriarFox Browser Extension to Target the Gmail Accounts of Global Tibetan Organizations}},
  date = {2021-02-25},
  organization = {Proofpoint},
  url = {https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global},
  language = {English},
  urldate = {2021-02-25}
}
Tags: scanbox, Sepulcher, Lucky Cat

2020-09-02 | Proofpoint | Proofpoint
@online{proofpoint:20200902:chinese:823d99c,
  author = {Proofpoint},
  title = {{Chinese APT TA413 Resumes Targeting of Tibet Following COVID-19 Themed Economic Espionage Campaign Delivering Sepulcher Malware Targeting Europe}},
  date = {2020-09-02},
  organization = {Proofpoint},
  url = {https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic},
  language = {English},
  urldate = {2020-09-02}
}
Tags: Sepulcher, Lucky Cat

2019-02-04 | Cisco | Warren Mercer, Paul Rascagnères, Jaeson Schultz
@online{mercer:20190204:exilerat:1f7c57c,
  author = {Warren Mercer and Paul Rascagnères and Jaeson Schultz},
  title = {{ExileRAT shares C2 with LuckyCat, targets Tibet}},
  date = {2019-02-04},
  organization = {Cisco},
  url = {https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html},
  language = {English},
  urldate = {2020-01-07}
}
Tags: LuckyCat, Exile RAT

2012-03 | Symantec | Symantec
@techreport{symantec:201203:luckycat:ddeba84,
  author = {Symantec},
  title = {{The Luckycat Hackers}},
  date = {2012-03},
  institution = {Symantec},
  url = {https://vx-underground.org/papers/luckycat-hackers-12-en.pdf},
  language = {English},
  urldate = {2020-04-21}
}
Tags: Lucky Cat

2012 | Trend Micro | Forward-Looking Threat Research Team
@techreport{team:2012:inside:f112987,
  author = {Forward-Looking Threat Research Team},
  title = {{Inside an APT Campaign with Multiple Targets in India and Japan}},
  date = {2012},
  institution = {Trend Micro},
  url = {https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf},
  language = {English},
  urldate = {2020-01-08}
}
Tags: Lucky Cat

2012 | Symantec | Various
@techreport{various:2012:luckycat:4901720,
  author = {Various},
  title = {{The Luckycat Hackers}},
  date = {2012},
  institution = {Symantec},
  url = {https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_luckycat_hackers.pdf},
  language = {English},
  urldate = {2020-01-08}
}
Tags: Lucky Cat

Credits: MISP Project