Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

APT

Technical analysis of China-linked Earth Preta APT’s infection chain

China-linked Earth Preta cyberespionage group has been observed adopting new techniques to bypass security solutions. Trend Micro researchers reported that the China-linked Earth Preta group (aka Mustang Panda) is actively changing its tools, tactics, and procedures (TTPs) to bypass security solutions. Earth Preta, also known as “RedDelta” or “Bronze President,” has been active since at least […]

Earth Preta group

China-linked Earth Preta cyberespionage group has been observed adopting new techniques to bypass security solutions.

Trend Micro researchers reported that the China-linked Earth Preta group (aka Mustang Panda) is actively changing its tools, tactics, and procedures (TTPs) to bypass security solutions.

Earth Preta, also known as “RedDelta” or “Bronze President,” has been active since at least 2012, it targeted American and European entities such as government organizations, think tanks, NGOs, and even Catholic organizations at the Vatican. Past campaigns were focused on Asian countries, including Taiwan, Hong Kong, Mongolia, Tibet, and Myanmar.

In recent campaigns, threat actors used European Union reports on the conflict in Ukraine and Ukrainian government reports as lures. Upon opening the reports, the infection process starts leading to the deployment of malware on the victim’s system.

In a recent campaign analyzed by Trend Micro, the threat actors used spear-phishing emails and Google Drive links as attack vectors.

A deep investigation into the campaign revealed several undisclosed malware and interesting data exfiltration tools used by the group.

The researchers categorized the infection chain into six stages: arrival vectors, discovery, privilege escalation, lateral movement, command and control (C&C) and exfiltration, respectively.

Earth Preta group
The full infection chain (Trend Micro)

The attackers used DLL sideloading, shortcut links, and fake file extensions in the first part of the attacks, the researchers noticed that starting in October and November 2022, the group began changing their TTPs to deploy the TONEINS, TONESHELL, and PUBLOAD malware.

TONEINS and TONESHELL malware was downloaded from the Google Drive link embedded in the body of spear-phishing messages. To bypass email-scanning services, the threat actors started embedding the Google Drive link in a lure document. The link points to a password-protected archive, the document also includes the password.

“Based on our observations, Earth Preta tends to hide malicious payloads in fake files, disguising them as legitimate ones — a technique that has been proven effective for avoiding detection. As for privilege escalation, the threat actors tend to reuse codes copied from open-source repositories.” states the report published by Trend Micro. “Meanwhile, they developed customized toolsets designed to collect confidential documents in the exfiltration stage.”

Once gained a foothold in the target network, the attackers start the discovery and privileges escalation phases. In the privilege escalation phase the threat actors used several tools for UAC bypass in Windows 10 such as ABPASS and CCPASS.

During the lateral movement phase, Earth Preta used malware such as HIUPAN and ACNSHELL being used to install themselves to removable disks and create a reverse shell.

The group used several tools and commands for the C2 stage, such as certutil.exe to download the legitimate WinRAR binary and PowerShell to download multiple malicious archives from a remote server (103[.]159[.]132[.]181).

The group also used the CLEXEC backdoor, the COOLCLIENT and TROCLIENT implants, and the PlugX malware.

The report details the execution flow for each of the above malware.

The threat actors also used highly customized tools for exfiltration, such as NUPAKAGE and ZPAKAGE, both used to steal Office documents.

“Earth Preta is a capable and organized threat actor that is continuously honing its TTPs, strengthening its development capabilities, and building a versatile arsenal of tools and malware,” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Earth Preta)