Earth Preta Hackers Have Expanded Their Toolkit with New Tools

Earth Preta, also known as Mustang Panda, Bronze President, RedDelta, and RedLich, is a sophisticated Chinese APT group that has been active since 2012. It is known for targeting government entities, academic institutions, foundations, and research organizations worldwide, with a particular focus on the Asia-Pacific region. Trend Micro researchers recently found that Earth Preta has added new tools to its arsenal.

Earth Preta Hackers

Researchers have observed that the Earth Preta APT group has changed its attack method: it now uses a variant of the HIUPAN worm to spread the PUBLOAD malware via removable drives. This is a significant shift from its earlier reliance on spear-phishing. PUBLOAD serves as the main control tool, handling tasks such as collecting data with the RAR command-line tool and exfiltrating it with cURL to FTP sites.

The group has also introduced new tools such as FDMTP, a malware downloader built on TouchSocket over DMTP that acts as a secondary control tool, and PTSOCKET, which provides an alternative exfiltration channel. HIUPAN installs itself and PUBLOAD in the C:\ProgramData\Intel_ directory and creates autorun registry entries for persistence.

PUBLOAD is installed in C:\ProgramData\CocCocBrowser and performs network reconnaissance with built-in system commands such as ipconfig, netstat, and systeminfo. It also delivers additional tools to compromised systems. The attackers focus on government entities in the region and target files with the following extensions:

  • .doc
  • .docx
  • .xls
  • .xlsx
  • .pdf
  • .ppt
  • .pptx
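The persistence locations and reconnaissance commands above are enough to build a simple hunt. The following Python is an added example, not code from the report or from Trend Micro: it flags autorun (Run-key) entries that launch anything from the two ProgramData directories named in the report, and flags a parent process that runs ipconfig, netstat and systeminfo in a short burst, as PUBLOAD is said to do. The sample registry entries and process-creation events are constructed for the example; the report does not name the malware's file names, so "update.exe", "loader.exe" and the value name "IntelUpdate" are placeholders.

```python
from collections import defaultdict
from datetime import datetime

# Install directories named in the report (HIUPAN -> Intel_, PUBLOAD -> CocCocBrowser).
# Trailing separator so "intel_" does not match an unrelated "intel_xyz" folder.
IOC_DIRS = ("c:\\programdata\\intel_\\", "c:\\programdata\\coccocbrowser\\")
# Reconnaissance commands the report says PUBLOAD runs.
RECON_CMDS = frozenset({"ipconfig", "netstat", "systeminfo"})


def normalize_cmd(cmd: str) -> str:
    """Lower-case, drop surrounding quotes and expand %ProgramData%, so an
    autorun written either way is compared against the same IOC strings."""
    cmd = cmd.strip().strip('"').lower()
    return cmd.replace("%programdata%", "c:\\programdata")


def flag_autoruns(entries):
    """entries: (registry key, value name, command) tuples, e.g. exported from
    HKCU/HKLM ...\\CurrentVersion\\Run. Returns entries launching from an IOC dir."""
    return [e for e in entries if any(d in normalize_cmd(e[2]) for d in IOC_DIRS)]


def image_name(cmdline: str) -> str:
    """'"C:\\Windows\\System32\\ipconfig.exe" /all' -> 'ipconfig'."""
    first = cmdline.strip().strip('"').split('"')[0].split()[0]
    name = first.rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def flag_recon_bursts(events, window_s=120):
    """events: (ISO timestamp, parent image, command line) process-creation
    records, e.g. from Sysmon event ID 1. Returns parents that launched all
    three recon commands within window_s seconds (first occurrence of each;
    a production rule would use a sliding window)."""
    first_seen = defaultdict(dict)
    for ts, parent, cmdline in events:
        name = image_name(cmdline)
        if name in RECON_CMDS:
            first_seen[parent.lower()].setdefault(name, datetime.fromisoformat(ts))
    hits = []
    for parent, seen in first_seen.items():
        if RECON_CMDS.issubset(seen):
            span = (max(seen.values()) - min(seen.values())).total_seconds()
            if span <= window_s:
                hits.append(parent)
    return hits


# Constructed sample data for the example (value name and file names are placeholders).
SAMPLE_AUTORUNS = [
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "OneDrive",
     '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "SecurityHealth",
     "C:\\Windows\\System32\\SecurityHealthSystray.exe"),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "IntelUpdate",
     "%ProgramData%\\Intel_\\update.exe"),
]
SAMPLE_EVENTS = [
    ("2024-09-10T08:00:01", "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe"),
    ("2024-09-10T08:01:00", "C:\\ProgramData\\CocCocBrowser\\loader.exe", "ipconfig /all"),
    ("2024-09-10T08:01:02", "C:\\ProgramData\\CocCocBrowser\\loader.exe", "netstat -ano"),
    ("2024-09-10T08:01:05", "C:\\ProgramData\\CocCocBrowser\\loader.exe", "systeminfo"),
    ("2024-09-10T09:00:00", "C:\\Windows\\System32\\cmd.exe", "ipconfig /all"),  # an admin, no burst
]

if __name__ == "__main__":
    for key, name, cmd in flag_autoruns(SAMPLE_AUTORUNS):
        print(f"autorun hit: {key}\\{name} -> {cmd}")
    for parent in flag_recon_bursts(SAMPLE_EVENTS):
        print(f"recon burst from: {parent}")
```

On a live host the autorun tuples would come from the Run/RunOnce keys under HKCU and HKLM (plus the Wow6432Node variants), and the events from Sysmon or EDR process-creation telemetry; the matching logic is unchanged.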


This multi-stage attack shows a high level of sophistication in malware deployment and data theft, according to Trend Micro's report. The campaign starts with a spear-phishing email carrying a .url attachment, which kicks off a multi-stage malware deployment chain.

First, a signed downloader tool dubbed DOWNBAIT is executed. It uses multi-layered XOR encryption and downloads a decoy document and PULLBAIT, a shellcode component. PULLBAIT then downloads and executes CBROVER via DLL side-loading. CBROVER is a first-stage backdoor that deploys PLUGX, a more sophisticated backdoor.

PLUGX is deployed in two stages; the second-stage payload is protected with RC4 encryption and the Windows Data Protection API (DPAPI). For data collection, the threat actors use either the RAR command-line tool or FILESAC, a modified version of FileSearchAndCompress. All of these tools target specific file types and date ranges. The collected data is exfiltrated to Microsoft's cloud services (OneDrive) through the Graph API.

The attack infrastructure includes a WebDAV server at 16.162.188.93 that hosts the malware and decoy documents. This campaign shows Earth Preta's evolving tactics, fast-paced operations and refined evasion techniques, which pose a substantial threat to multiple sectors.
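The chain starts with a .url attachment and the payloads sit on a WebDAV server, so a mail gateway or EDR can triage Internet Shortcut attachments before anyone clicks them. The Python below is an added example, not code from the report: it parses the INI-style .url format, extracts the URL= target, and marks the shortcut suspicious when the target is a remote file share (a UNC path or file:// with a host, including the Windows WebDAV redirector forms host@SSL and host@port, which urlsplit would otherwise misread as user@host), a bare IP address, or the IOC host named in the report. The report does not reproduce the campaign's actual .url contents, so the sample shortcuts and the share path are constructed.

```python
import ipaddress
import re
from configparser import ConfigParser, Error as ConfigError
from urllib.parse import urlsplit

# WebDAV server named in the report as hosting the malware and decoy documents.
IOC_HOSTS = {"16.162.188.93"}

# UNC path, optionally in WebDAV redirector form: \\host\..., \\host@SSL\..., \\host@80\...
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@(?:ssl|\d+))?\\", re.IGNORECASE)
# Same host@SSL / host@port form inside the authority of a file:// or http(s):// URL.
WEBDAV_AUTHORITY_RE = re.compile(r"^([^@/\\]+)@(?:ssl|\d+)$", re.IGNORECASE)


def parse_url_file(text: str):
    """Return the URL= target of an Internet Shortcut (.url) file, or None."""
    cp = ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except ConfigError:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def target_host(url: str):
    """Remote host the shortcut points at, or None for a local target."""
    m = UNC_RE.match(url)
    if m:
        return m.group(1).lower()
    parts = urlsplit(url)
    if not parts.netloc:                       # file:///C:/..., mailto:, etc.
        return None
    m = WEBDAV_AUTHORITY_RE.match(parts.netloc)
    host = m.group(1) if m else parts.hostname
    if not host or host.lower() == "localhost":
        return None
    return host.lower()


def assess_url_file(text: str) -> dict:
    """Classify a .url file. Suspicious when the target is a remote file share,
    a known IOC host, or a bare IP address (no DNS name, as with the WebDAV
    server in this campaign)."""
    url = parse_url_file(text)
    host = target_host(url) if url else None
    reasons = []
    if url and (UNC_RE.match(url) or (url.lower().startswith("file:") and host)):
        reasons.append("remote-file-share")
    if host:
        if host in IOC_HOSTS:
            reasons.append("known-ioc-host")
        try:
            ipaddress.ip_address(host)
            reasons.append("bare-ip-host")
        except ValueError:
            pass
    return {"url": url, "host": host, "reasons": reasons,
            "verdict": "suspicious" if reasons else "benign"}


# Constructed sample shortcuts for the example (share path is invented).
SAMPLE_REMOTE_DAV = "\n".join([
    "[InternetShortcut]",
    "URL=\\\\16.162.188.93@80\\DavWWWRoot\\docs",
    "IconIndex=0",
])
SAMPLE_BENIGN = "[InternetShortcut]\nURL=https://www.trendmicro.com/en_us/research.html\n"
SAMPLE_LOCAL = "[InternetShortcut]\nURL=file:///C:/Users/alice/Documents/notes.txt\n"

if __name__ == "__main__":
    for label, sample in (("remote", SAMPLE_REMOTE_DAV), ("benign", SAMPLE_BENIGN),
                          ("local", SAMPLE_LOCAL)):
        print(label, assess_url_file(sample))
```

A remote-share target is worth blocking outright: opening it makes the Windows WebDAV redirector fetch whatever the server serves, which is exactly the hand-off to DOWNBAIT this chain relies on. The bare-IP and IOC checks are there for shortcuts that use http(s) instead of a share.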