
A recent campaign run by Earth Preta shows that nation-state groups aligned with China are becoming increasingly adept at circumventing security solutions.
This threat actor has been active since at least 2012 and is tracked by the broader cybersecurity community under names including Bronze President, HoneyMyte, Mustang Panda, RedDelta, and Red Lich.
The attack chain launched by this group begins with spear-phishing emails and deploys various tools for backdoor access, command and control (C2), and data exfiltration.
These messages contain malicious lure archives distributed via Dropbox or Google Drive links, using DLL sideloading, LNK shortcut files, and fake file extensions as arrival vectors to gain a foothold and drop backdoors such as TONEINS, TONESHELL, PUBLOAD, and MQsTTang (aka QMAGENT).
A similar infection chain using Google Drive links to deliver Cobalt Strike has been observed since at least April 2021.
“Earth Preta tends to hide its malicious payloads in fake files and disguise them as legitimate, a technique that has proven effective in evading detection,” Trend Micro said in a new analysis published Thursday.
This entry-point method, first discovered late last year, has since been fine-tuned to circumvent e-mail gateway solutions: the download link to the archive is embedded in another decoy document, and the archive itself is password-protected.

“Files can be extracted internally via the password provided in the document,” the researchers said. “By using this technique, malicious actors behind attacks can successfully evade scanning services.”
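The evasion described above works because a gateway cannot open an encrypted archive, so the practical defensive response is to stop treating "unscannable" as "clean". The script below is an added example (not Trend Micro's tooling or anything from the report) of a gateway-side check that walks a ZIP's local file headers, flags entries whose encryption bit is set, and at the same time flags deceptive double extensions such as a document-looking name ending in `.lnk`, the disguise technique the article mentions. The sample archives, the entry names and the extension lists are constructed for the example; Python's `zipfile` cannot write encrypted entries, so the encryption flag is patched into the constructed archive by hand.

```python
"""Gateway-side triage for ZIP attachments: quarantine anything that cannot be
content-scanned (encrypted entries) or that carries a deceptive double extension.
Added example; the archives below are constructed in memory, not campaign files."""
import io
import os
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"        # local file header signature
CENTRAL_SIG = b"PK\x01\x02"      # central directory record signature
LOCAL_HEADER_LEN = 30
FLAG_ENCRYPTED = 0x0001          # general-purpose bit 0: entry is encrypted

# Illustrative lists (assumption): suffixes that execute, and suffixes that
# look like harmless documents and are used to disguise them.
EXECUTABLE_EXTS = {".exe", ".dll", ".lnk", ".scr", ".js", ".vbs", ".bat", ".cmd"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def iter_local_headers(data: bytes):
    """Yield (name, encrypted, compressed_size) for each local file header,
    walking the archive front to back the way a streaming scanner would,
    rather than trusting the central directory at the end of the file."""
    pos = 0
    while True:
        pos = data.find(LOCAL_SIG, pos)
        if pos < 0:
            return
        # Layout: sig(4) version(2) flags(2) method(2) time(2) date(2)
        #         crc(4) compressed(4) uncompressed(4) name_len(2) extra_len(2)
        flags, _method, csize, name_len, extra_len = struct.unpack_from(
            "<6xHH8xI4xHH", data, pos)
        name_start = pos + LOCAL_HEADER_LEN
        name = data[name_start:name_start + name_len].decode("utf-8", "replace")
        yield name, bool(flags & FLAG_ENCRYPTED), csize
        # Skip the name, extra field and payload. If bit 3 (data descriptor)
        # is set, csize is 0 here and find() simply resumes scanning forward.
        pos = name_start + name_len + extra_len + csize


def has_double_extension(name: str) -> bool:
    """True for names like 'Invoice.pdf.lnk': an executable suffix hiding
    behind a document-looking one."""
    stem, last = os.path.splitext(name.lower())
    _, inner = os.path.splitext(stem)
    return last in EXECUTABLE_EXTS and inner in DECOY_EXTS


def scan_archive(data: bytes) -> dict:
    """Return the entry names that trip each check plus an overall verdict.
    Encrypted entries are quarantined because the gateway cannot inspect them;
    an analyst with the password from the decoy document can still look."""
    encrypted, double_ext = [], []
    for name, is_encrypted, _ in iter_local_headers(data):
        if is_encrypted:
            encrypted.append(name)
        if has_double_extension(name):
            double_ext.append(name)
    verdict = "quarantine" if (encrypted or double_ext) else "allow"
    return {"encrypted": encrypted, "double_extension": double_ext, "verdict": verdict}


def build_archive(entries: dict, encrypt_first: bool) -> bytes:
    """Constructed test archive. zipfile cannot write encrypted entries, so the
    encryption bit is patched into the first entry's local header (flags at
    offset 6) and its central-directory record (flags at offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if encrypt_first:
        data[data.find(LOCAL_SIG) + 6] |= FLAG_ENCRYPTED
        data[data.find(CENTRAL_SIG) + 8] |= FLAG_ENCRYPTED
    return bytes(data)


if __name__ == "__main__":
    decoy = build_archive({"Invoice.pdf.lnk": b"constructed placeholder, not a real shortcut",
                           "readme.txt": b"plain text"}, encrypt_first=True)
    clean = build_archive({"report.txt": b"quarterly numbers"}, encrypt_first=False)
    print("decoy:", scan_archive(decoy))
    print("clean:", scan_archive(clean))
```

Reading local headers instead of the central directory matters for a streaming gateway: the central directory sits at the end of the file, and an archive whose two views disagree is itself a reason for suspicion. A production check would also cover other container formats (RAR, 7z) and nested archives, which this example deliberately leaves out.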
Following initial access to the victim’s environment came an account discovery and privilege escalation phase, in which Mustang Panda leveraged custom tools such as ABPASS and CCPASS to bypass Windows 10’s User Account Control (UAC).

In addition, the threat actors deploy malware such as ‘USB Driver.exe’ (HIUPAN or MISTCLOAK) and ‘rzlog4cpp.dll’ (ACNSHELL or BLUEHAZE) that installs itself on removable disks and has been seen creating a reverse shell for lateral movement across the network.
Other deployed utilities include CLEXEC, a backdoor that can execute commands and clear event logs; COOLCLIENT and TROCLIENT, implants designed to record keystrokes and to read and delete files; and PlugX.

“Apart from well-known and legitimate tools, threat actors have also created highly customized tools used to exfiltrate information,” said the researchers. These consist of NUPAKAGE and ZPAKAGE, both of which have the ability to collect Microsoft Office files.
The findings once again highlight the increasing tempo of Chinese cyber espionage attackers and their consistent investment in evolving their cyber weapons to evade detection.
“Earth Preta is a capable and organized attacker, continuously refining its TTPs, enhancing its development capabilities, and building an arsenal of tools and malware,” the researchers concluded.