Earth Preta Evolves Malware Tactics with Advanced Strategies
The group’s focus has remained within the Asia-Pacific (APAC) region, targeting government entities using worm-based malware and spear-phishing campaigns.
Introduction
Earth Preta, an established Advanced Persistent Threat (APT) group, has evolved its malware arsenal by integrating new tools, malware variants, and advanced strategies in recent campaigns. The group’s focus has remained within the Asia-Pacific (APAC) region, targeting government entities using worm-based malware and spear-phishing campaigns. Recent activity indicates that Earth Preta has deployed an updated version of the worm HIUPAN, which spreads PUBLOAD, along with additional tools such as FDMTP and PTSOCKET for extended control and exfiltration.
Report Overview
The recent campaign showcases Earth Preta’s adoption of an upgraded worm variant, HIUPAN, which delivers PUBLOAD via removable drives. HIUPAN facilitates malware installation through its configuration file and autorun entries, propagating the worm and associated tools across compromised networks. These tools are leveraged to collect system data and map network infrastructure.
Once PUBLOAD is deployed, Earth Preta launches FDMTP, a secondary control tool, and PTSOCKET for data exfiltration. The group’s ability to rapidly deploy these tools has made their attacks highly efficient and targeted, focusing on specific countries and sectors in the APAC region.
HIUPAN Worm:
HIUPAN has a sleep multiplier and file propagation list embedded in its configuration. Once launched, it scans for removable drives and spreads itself by copying files like UsbConfig.exe and u2ec.dll to the root directory of the drive. It also hides these files using registry modifications. PUBLOAD is installed and persists through registry keys and scheduled tasks, launching commands such as `hostname` and `arp` to gather system and network information.
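To make the propagation chain above concrete from the detection side, here is an added example (not code from the report or from Earth Preta) that flags the described pattern over constructed, Sysmon-like events: a HIUPAN file name executed from the root of a removable drive, `hostname`/`arp` spawned by that process, and a Run key value pointing at a drive root. The event schema, field names (including `drive_type`) and the drive letter are assumptions.

```python
"""Detection logic for the HIUPAN/PUBLOAD propagation pattern.
Added example; the event schema below is a constructed, Sysmon-like
shape (assumption), so real telemetry needs its field names mapped."""
import re

# File names from the report; the recon tools are the commands it lists.
HIUPAN_FILES = {"usbconfig.exe", "u2ec.dll"}
RECON_TOOLS = {"hostname.exe", "arp.exe"}
# A path that sits directly in a drive root, e.g. E:\UsbConfig.exe
DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+$", re.I)


def analyze(events):
    """Return (rule, detail) findings. Root-launched HIUPAN files are
    remembered by pid so recon children can be tied back to them."""
    findings, suspicious_pids = [], set()
    for ev in events:
        if ev["type"] == "process_create":
            img = ev["image"]
            name = img.rsplit("\\", 1)[-1].lower()
            if (name in HIUPAN_FILES and DRIVE_ROOT.match(img)
                    and ev.get("drive_type") == "removable"):
                suspicious_pids.add(ev["pid"])
                findings.append(("hiupan_root_launch", img))
            if ev.get("ppid") in suspicious_pids and name in RECON_TOOLS:
                findings.append(("recon_from_removable_parent", ev["cmdline"]))
        elif ev["type"] == "registry_set":
            # Run-key persistence whose target lives in a drive root
            if "\\currentversion\\run" in ev["key"].lower() and DRIVE_ROOT.match(ev["value"]):
                findings.append(("run_key_to_drive_root", ev["value"]))
    return findings


SAMPLE_EVENTS = [  # constructed sample telemetry, not captured data
    {"type": "process_create", "pid": 100, "ppid": 4, "image": "E:\\UsbConfig.exe",
     "cmdline": "E:\\UsbConfig.exe", "drive_type": "removable"},
    {"type": "process_create", "pid": 101, "ppid": 100,
     "image": "C:\\Windows\\System32\\hostname.exe", "cmdline": "hostname", "drive_type": "fixed"},
    {"type": "process_create", "pid": 102, "ppid": 100,
     "image": "C:\\Windows\\System32\\arp.exe", "cmdline": "arp -a", "drive_type": "fixed"},
    {"type": "registry_set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\UsbConfig",
     "value": "E:\\UsbConfig.exe"},
    # Benign: hostname run by an unrelated parent must not be flagged
    {"type": "process_create", "pid": 200, "ppid": 1,
     "image": "C:\\Windows\\System32\\hostname.exe", "cmdline": "hostname", "drive_type": "fixed"},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Running it yields four findings for the chain and none for the unrelated `hostname` execution.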
FDMTP Tool:
Earth Preta’s new tool, FDMTP, is a downloader that uses the Duplex Message Transport Protocol (DMTP). Its network configuration is stored Base64-encoded and DES-encrypted, which hides the C&C details from casual inspection. Once deployed, FDMTP downloads additional malware from Earth Preta’s infrastructure.
PTSOCKET:
For exfiltration, Earth Preta uses PTSOCKET, which transfers files via multiple threads, providing a faster and more efficient exfiltration method compared to older tools. PTSOCKET uploads files to attacker-controlled servers, leveraging FTP and customized file transfer protocols.
Insights and Analysis
Earth Preta’s evolving tactics, particularly the propagation of HIUPAN via removable drives and the utilization of sophisticated malware variants, present significant risks to APAC government sectors. Their spear-phishing attacks are also highly targeted, often exploiting victims’ trust through digitally signed malware like DOWNBAIT.
The group’s focus on rapid deployment and exfiltration, paired with its ability to bypass common security measures, demonstrates a clear threat to critical infrastructure. Furthermore, the reliance on cloud services for data exfiltration highlights a growing trend in utilizing legitimate services for malicious purposes.
Organizations, particularly in the APAC region, should take immediate action to bolster their defenses. Recommended measures include:
- Endpoint Protection: Ensure up-to-date endpoint detection and response (EDR) solutions are deployed to detect and mitigate worm-based propagation.
- Phishing Awareness: Train employees on recognizing phishing attempts, especially spear-phishing emails with attachments like .url files.
- Removable Drive Restrictions: Disable the use of removable drives where possible, or implement strict security policies to limit their use.
- Cloud Monitoring: Closely monitor cloud services for any unusual activity, such as unauthorized access or unexpected data transfers.
Earth Preta continues to innovate its attack strategies, showcasing advanced malware variants and tools designed to evade detection and efficiently exfiltrate data. Their ability to quickly adapt their tactics, including the propagation of worms via removable media and the use of multi-stage downloaders in spear-phishing campaigns, makes them a formidable threat. Organizations in targeted sectors must remain vigilant, employing robust security measures to counter these evolving attacks.
Indicators of Compromise (IOCs)
IPv4 | Description |
---|---|
103[.]15[.]29[.]17 | PUBLOAD C&C |
154[.]90[.]32[.]88 | FDMTP C&C |
47[.]76[.]87[.]55 | FDMTP C&C |
47[.]253[.]106[.]177 | PUBLOAD |
MITRE ATT&CK Techniques
Tactic | Technique | ID | Description |
---|---|---|---|
Initial Access | Replication Through Removable Media | T1091 | HIUPAN spreads through removable drives to deliver PUBLOAD. |
Initial Access | Phishing: Spearphishing Attachment | T1566.001 | Spear-phishing emails deliver malware via attached files. |
Persistence | Boot or Logon Autostart Execution: Registry Run Keys | T1547.001 | Uses Registry Run keys for persistence. |
Defense Evasion | Hijack Execution Flow: DLL Side-Loading | T1574.002 | Several malware components are loaded using DLL side-loading. |
Exfiltration | Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | Telemetry suggests potential data exfiltration to cloud services. |
Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | Malware communicates with C&C using HTTP/HTTPS protocols. |