Earth Preta spear-phishing campaigns targeted governments, academia, and research sectors worldwide, distributing TONEINS, TONESHELL, and PUBLOAD through Google Drive links. The activity is attributed to Earth Preta (Mustang Panda/Bronze President), with new installers and decoy documents observed.
#EarthPreta #MustangPanda #BronzePresident #TONEINS #TONESHELL #PUBLOAD
Keypoints
- Global spear-phishing campaigns target government, academic, foundations, and research sectors, beginning around March 2022.
- Attackers abuse fake Google accounts and Google Drive links to distribute archives containing TONEINS, TONESHELL, and PUBLOAD.
- Decoy documents are in Burmese and tied to Myanmar-related topics, with other decoys covering regional interests and pornography.
- Three main delivery types are described: DLL sideloading (Type A), shortcut (.lnk) based (Type B), and fake file extensions with multi-file archives (Type C).
- PUBLOAD is a stager that talks to its C2 over raw TCP with RC4-encrypted packets; TONEINS is the installer that drops and persists TONESHELL, and both use obfuscation and anti-analysis techniques.
- TONESHELL shows evolving variants with different C2 protocols (TCP and HTTP), anti-analysis checks, and extensive in-memory shellcode decoding.
MITRE Techniques
- [T1566.002] Phishing – Spearphishing Link – The actors used Google Drive links embedded in spear-phishing emails to lure victims into downloading malicious archives. “Google Drive links embedded in them.”
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – The archives contain a legitimate executable used for DLL sideloading to load a malicious DLL. “Legitimate executable for DLL sideloading” and “libcef.dll” as the malicious DLL.
- [T1204.002] User Execution: Malicious File – The victim opens a .lnk inside the archive, and the shortcut invokes WinRAR to decompress and install the malicious files. (T1023 Shortcut Modification, sometimes cited for this, was retired into T1547.009 and covers altering existing shortcuts for persistence, not a shortcut lure.) “The threat actor utilizes the .lnk file to install the malicious files by decompressing the archive file with WinRAR.”
- [T1053.005] Scheduled Task – Persistence via scheduled tasks (schtasks). “schtasks.exe /F /Create /TN Microsoft_Licensing /sc minute /MO 1 /TR …”
- [T1547.001] Registry Run Keys/Startup Folder – Adding a registry run key for persistence. “Adding a registry run key”
- [T1106] Native API – Anti-analysis: the shellcode is run by handing it to a Windows API that accepts a callback-function argument, so there is no direct call into the shellcode for an antivirus hook to flag. (Sometimes also listed as T1562.001 Impair Defenses, but no security tool is disabled or modified.) “APIs can accept an argument of a callback function” and “anti-analysis”
- [T1497.002] Virtualization/Sandbox Evasion: User Activity Based Checks – The malware checks GetForegroundWindow to confirm a real user is interacting with the desktop. “ForegroundWindow check”
- [T1497.003] Virtualization/Sandbox Evasion: Time Based Evasion – Delayed execution to outlast sandbox analysis windows. “delayed execution technique”
- [T1027] Obfuscated Files and Information – Code obfuscation and junk code inside TONEINS/TONESHELL. “obfuscated” and “junk codes”
- [T1082] System Information Discovery – Initial beacon collects system details (computer name, username, product name, OS, etc.). “Current process ID”, “Volume serial”, “Username”, “Computer name”, “Product name”, “Operating system bit”, “Processes list”
- [T1057] Process Discovery – The malware gathers process-related data (current process ID, process list).
- [T1095] Non-Application Layer Protocol – C2 over raw TCP with RC4 encryption and a magic header (17 03 03). The header is the TLS 1.2 application-data record prefix, so the beacon looks like TLS to a casual inspection even though no handshake ever took place. “The stager uses a specific byte sequence as its packet’s header”
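The scheduled-task persistence above (schtasks /sc minute /MO 1) leaves a recognisable shape in Task Scheduler XML: a TimeTrigger with a one-minute Repetition Interval and an Exec action pointing into a user-writable directory. The following hunting helper, added here as an example and not code from the Trend Micro report or from Earth Preta's tooling, parses exported task definitions (schtasks /Query /XML, or the TaskContent field of Security Event ID 4698) and flags both traits. Both task documents are constructed samples; the command path under C:\Users\Public is a hypothetical location, since the page elides the real /TR value.

```python
"""Hunt exported Task Scheduler XML for schtasks-style minute-interval persistence."""
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed sample (not from the page): roughly what
# "schtasks /F /Create /TN Microsoft_Licensing /sc minute /MO 1 /TR <cmd>"
# produces when exported. The command path is a hypothetical, user-writable location.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition>
        <Interval>PT1M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2022-05-09T10:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Public\\Libraries\\AdobeLicensing.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign control: a daily vendor updater installed under Program Files.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2022-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\Vendor\\updater.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# ISO 8601 duration as used by Task Scheduler: PT1M, PT30S, P1DT2H, ...
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Path fragments a standard user can write to; a task launching from here deserves a look.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def parse_duration_seconds(text):
    """Convert an ISO 8601 duration such as PT1M or P1DT2H into seconds."""
    m = _DURATION.match(text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def analyze_task(xml_text, name, max_interval_seconds=300):
    """Return (rule, detail) findings for one task definition.

    Rules: any repetition interval at or under max_interval_seconds, and any
    Exec command whose path sits in a user-writable directory.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for interval in root.iter(f"{NS}Interval"):
        secs = parse_duration_seconds(interval.text)
        if secs <= max_interval_seconds:
            findings.append(("short_repetition", f"{name}: repeats every {secs}s"))
    for cmd in root.iter(f"{NS}Command"):
        path = (cmd.text or "").lower()
        if any(marker in path for marker in USER_WRITABLE):
            findings.append(("user_writable_path", f"{name}: runs {cmd.text}"))
    return findings


if __name__ == "__main__":
    for task_name, xml_doc in (("Microsoft_Licensing", SAMPLE_TASK_XML), ("VendorUpdate", BENIGN_TASK_XML)):
        for rule, detail in analyze_task(xml_doc, task_name):
            print(f"[{rule}] {detail}")
```

Either rule alone produces noise (monitoring agents repeat every few minutes; installers live under ProgramData), so in practice the two findings are combined and joined with the task's author and creation time from Event 4698 before they are raised as an alert.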
Indicators of Compromise
- [IP Address] C2 server – 98.142.251.29 (one of the C2 servers associated with PUBLOAD/TONESHELL activity)
- [SHA256] 521662079c1473adb59f2d7134c8c1d76841f2a0f9b9e6e181aa54df25715a09 – dumped TONESHELL/TONEINS shellcode sample
- [SHA256] 09fc8bf9e2980ebec1977a8023e8a2940e6adb5004f48d07ad34b71ebf35b877 – sample referenced in the report’s attribution analysis
- [File name] Increasingly confident US is baiting China.exe – legitimate executable renamed for DLL sideloading
- [File] libcef.dll – malicious DLL loaded via DLL sideloading (detected as Trojan.Win32.PUBLOAD)
- [File] exporting AdobeLicensing.exe – legitimate executable repurposed for persistence
- [Archive] 220509 – (Cabinet Meeting 2022).zip – lure archive containing decoy and payloads
- [Archive] Desktop.rar containing New Word Document.lnk, putty.exe, CefBrowser.dll – Type B archive
- [URL] https://drive.google.com/uc?id=gdrive_file_id&export=download – Google Drive direct-download link used as the lure (gdrive_file_id is a placeholder for the per-campaign file ID)
- [URL] https://drive.google.com/file/d/gdrive_file_id/view – Google Drive viewer link used for reconnaissance (same placeholder)
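The T1095 entry above describes the PUBLOAD beacon as RC4-encrypted TCP with a 17 03 03 header, and the IoC list gives 98.142.251.29 as one of its C2 servers. The block below is an added example, not code from the Trend Micro report or from the malware, showing how that framing can be spotted on the wire: a genuine TLS connection always opens with a handshake record (16 03 xx), so a client whose very first bytes are an application-data record (17 03 03) is speaking pseudo-TLS. The two-byte big-endian length after the header, the RC4 key and the sample flows are assumptions constructed for the example; the page states only the header bytes and the use of RC4.

```python
"""Detect PUBLOAD-style pseudo-TLS C2 framing and decrypt a frame body with RC4."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


MAGIC = b"\x17\x03\x03"      # TLS 1.2 application-data record prefix, reused as the stager's header
TLS_HANDSHAKE = 0x16         # record type of a real ClientHello


def build_frame(key: bytes, body: bytes) -> bytes:
    """Assumed framing for the example: MAGIC + 2-byte big-endian length + RC4(body)."""
    ct = rc4(key, body)
    return MAGIC + len(ct).to_bytes(2, "big") + ct


def parse_frame(key: bytes, frame: bytes) -> bytes:
    """Inverse of build_frame; raises on a missing header or a truncated body."""
    if frame[:3] != MAGIC:
        raise ValueError("missing 17 03 03 header")
    length = int.from_bytes(frame[3:5], "big")
    ct = frame[5:5 + length]
    if len(ct) != length:
        raise ValueError("truncated frame")
    return rc4(key, ct)


def classify_first_record(payload: bytes) -> str:
    """Classify the first bytes a client sends on a new connection.

    Real TLS starts with a handshake record; application-data records only
    follow a completed handshake. A stream that opens with 17 03 03 therefore
    mimics TLS without being TLS.
    """
    if len(payload) < 5 or payload[1] != 0x03:
        return "not-tls-like"
    if payload[0] == TLS_HANDSHAKE:
        return "tls-handshake"
    if payload[0] == MAGIC[0]:
        return "pseudo-tls-appdata"
    return "not-tls-like"


# Constructed sample flows (src, dst, first client payload). The beacon body and
# key are invented; only the destination IP comes from the page's IoC list.
SAMPLE_FLOWS = [
    ("10.0.0.5", "93.184.216.34", bytes.fromhex("160301012b010001270303")),            # genuine ClientHello
    ("10.0.0.5", "98.142.251.29", build_frame(b"demo-key", b"\x01WORKSTATION")),        # pseudo-TLS beacon
    ("10.0.0.5", "10.0.0.9", b"GET / HTTP/1.1\r\n"),                                    # plain HTTP
]


def hunt(flows):
    """Return (src, dst) pairs whose first client record is pseudo-TLS application data."""
    return [(src, dst) for src, dst, data in flows if classify_first_record(data) == "pseudo-tls-appdata"]


if __name__ == "__main__":
    for src, dst in hunt(SAMPLE_FLOWS):
        print(f"pseudo-TLS C2 candidate: {src} -> {dst}")
```

The check needs the first client record of each connection, which Zeek's conn/ssl logs or a pcap provide; a flow tagged as TLS on port 443 that never produced an ssl.log entry is the same signal seen from the other side. Once a key is recovered from a sample, parse_frame turns captured beacons back into the system-information fields listed under T1082.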
Read more: https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html