Earth Preta has updated its TTPs across campaigns to bypass security solutions, introducing new tools like TONEINS, TONESHELL, PUBLOAD, and NUPAKAGE. The campaign relies on decoy documents, Google Drive links, and password-protected archives to evade detection and enable data exfiltration.
Key points
- Earth Preta (aka Mustang Panda) continues to evolve its tools and techniques to bypass security solutions.
- Arrival vectors have shifted from pure malware archives to lure documents with embedded Google Drive links and password protection.
- TONEINS, TONESHELL, and PUBLOAD are deployed via decoy documents and XOR-encrypted content to evade scanning.
- Privilege escalation relies on UAC bypass tools (ABPASS, CCPASS) and registry/protocol abuse (ms-settings, SilentCleanup).
- Lateral movement includes USB-based spreading (HIUPAN) and the ACNSHELL backdoor, which provides reverse shells.
- Exfiltration uses multiple channels, combining off-the-shelf utilities (WinRAR, curl) with custom packagers (NUPAKAGE, ZPAKAGE) to collect and compress data from victims.
- Threat intelligence links the TaoZongjie handle, Cobalt Strike usage, and the YanNaingOo0072022 GitHub account to this activity.
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – The infection chain begins with a spear-phishing email. “the entire attack begins with a spear-phishing email.”
- [T1204.001] User Execution: Malicious Link – Google Drive link embedded in a lure document used to trigger payload delivery. “The Google Drive link has now been embedded in a lure document.”
- [T1574.002] DLL Side-Loading – First-stage legitimate executable for DLL sideloading supporting stage delivery. “First-stage legitimate executable for DLL sideloading”
- [T1053.005] Scheduled Task – Persistence via scheduled tasks to re-launch payloads. “Scheduled Task/Job: Scheduled Task”
- [T1547.001] Boot or Logon Autostart: Registry Run Keys / Startup Folder – Autostart persistence via Run Keys. “Registry Run Keys / Startup Folder”
- [T1068] Exploitation for Privilege Escalation – Privilege elevation through targeted exploits. “Exploitation for Privilege Escalation”
- [T1134] Access Token Manipulation – UAC bypass by manipulating access tokens. “Access Token Manipulation”
- [T1091] Lateral Movement: Replication Through Removable Media – Spreading via USB and other removable drives. “spread themselves over removable drives”
- [T1095] Non-Application Layer Protocol – C2 communication over MQTT (IoT-like channel) or other non-HTTP protocols. “MQTT protocol”
- [T1048] Exfiltration Over Alternative Protocol – Exfiltration of data over alternative protocols or via custom formats. “Exfiltration Over Alternative Protocol”
- [T1573.001] Encrypted Channel: Symmetric Cryptography – Payloads encrypted and decrypted during exfil/download. “RC4 key”
- [T1104] Multi-Stage Channels – Use of multi-stage payloads and chained communications in C2/exfil flows. “Multi-Stage Channels”
Indicators of Compromise
- [IP] 103.159.132.91, 103.159.132.181 – C2/download servers involved in the PUBLOAD/PowerShell retrievals
- [Domain] closed.theworkpc.com – C2 domain referenced during PUBLOAD/C2 activity
- [Domain] theworkpc.com – related domain activity observed in the same campaign context
- [File name] Letter Head.docx – Decoy document containing a Google Drive link
- [File name] List of terrorist personnel at the border.rar – Password-protected archive used as arrival vector
- [File name] libcef.dll – Side-loaded first-stage DLL component in the TONEINS flow
- [File name] ~List of terrorist personnel at the border.docx – XOR-encrypted decoy file
- [Hash] 8b98e8669d1ba49b66c07199638ae6012adf7d5d93c1ca3bf31d6329506da58a – TONEINS sample hash
- [Hash] 7436f75911561434153d899100916d3888500b1737ca6036e41e0f65a8a68707 – TONEINS sample hash
- [Hash] 634977a24e8fb2e3e82a0cddfe8d007375d387415eb131cce74ca03e0e93565f – NUPAKAGE sample hash
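The indicators listed above are only useful once they are checked against telemetry. The following is an added example (not code from the Trend Micro report or from Earth Preta tooling) of a minimal IoC matcher that scans proxy and endpoint log lines for the IPs, domains, SHA-256 hashes and file names from this summary. The log format and the sample lines are constructed for the example; in practice you would feed it your own proxy, DNS and EDR exports.

```python
import re

# Indicators copied from the summary above; no other page-specific values are used.
IOC_IPS = {"103.159.132.91", "103.159.132.181"}
IOC_DOMAINS = {"closed.theworkpc.com", "theworkpc.com"}
IOC_HASHES = {
    "8b98e8669d1ba49b66c07199638ae6012adf7d5d93c1ca3bf31d6329506da58a": "TONEINS",
    "7436f75911561434153d899100916d3888500b1737ca6036e41e0f65a8a68707": "TONEINS",
    "634977a24e8fb2e3e82a0cddfe8d007375d387415eb131cce74ca03e0e93565f": "NUPAKAGE",
}
IOC_FILENAMES = {
    "letter head.docx",
    "list of terrorist personnel at the border.rar",
    "libcef.dll",
    "~list of terrorist personnel at the border.docx",
}

# Token extractors; hostnames and hashes are compared case-insensitively.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def _domain_hit(host):
    """True if host equals an IoC domain or is a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_line(line):
    """Return a list of (indicator_type, value, label) matches for one log line."""
    hits = []
    for ip in IPV4_RE.findall(line):
        if ip in IOC_IPS:
            hits.append(("ip", ip, "PUBLOAD C2/download server"))
    for host in HOST_RE.findall(line):
        if _domain_hit(host):
            hits.append(("domain", host.lower(), "PUBLOAD C2 domain"))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in IOC_HASHES:
            hits.append(("sha256", digest.lower(), IOC_HASHES[digest.lower()] + " sample"))
    lowered = line.lower()
    for name in IOC_FILENAMES:
        if name in lowered:
            hits.append(("filename", name, "Earth Preta lure/payload file name"))
    return hits


def scan_log(lines):
    """Return (line_number, line, hits) for every line that matched at least one IoC."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results.append((number, line, hits))
    return results


# Constructed sample telemetry (hypothetical hosts and paths, not real victim data).
SAMPLE_LOG = [
    "2023-03-01T09:12:03Z proxy allow src=10.0.0.15 dst=103.159.132.91 host=closed.theworkpc.com uri=/update.ps1",
    "2023-03-01T09:12:10Z edr file_create path=C:\\Users\\user\\Downloads\\List of terrorist personnel at the border.rar",
    "2023-03-01T09:13:44Z edr image_load image=C:\\ProgramData\\libcef.dll sha256=8b98e8669d1ba49b66c07199638ae6012adf7d5d93c1ca3bf31d6329506da58a",
    "2023-03-01T09:20:00Z proxy allow src=10.0.0.22 dst=142.250.74.46 host=drive.google.com uri=/file/d/abc",
]

if __name__ == "__main__":
    for number, line, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {line}")
        for kind, value, label in hits:
            print(f"    {kind}: {value} ({label})")
```

Hostname matches use suffix comparison so that any subdomain of theworkpc.com is flagged, not only the two hostnames listed; file-name matches are substring-based because the lure names contain spaces and appear inside full paths. The Google Drive line in the sample is deliberately not flagged: the report describes Google Drive as a delivery channel, so a plain domain match there would be noise rather than a detection.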
Read more: https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html