Earth Preta group unleashes a spear-phishing campaign

December 5, 2022
Tags: Earth Preta, Threat Group, Spear-Phishing, Cyberattack, TONESHELL, Malware, DLL Sideloading

An advanced persistent threat group tracked as Earth Preta has launched a large spear-phishing campaign targeting several sectors worldwide. According to investigations, the APT group has deployed multiple malware strains, including PUBLOAD, TONESHELL, and TONEINS.

Researchers found that the threat actors target the academic, research, foundation, and government sectors in Asia-Pacific countries such as the Philippines, Taiwan, Japan, Myanmar, and Australia.

Since March, the group has been sending spear-phishing messages from fake Google accounts. The emails deliver a malware-laden archive through Dropbox links, Google Drive links, or other IP addresses hosting the files.

The archive bundles a legitimate executable with a malicious DLL that it sideloads. Researchers also assess that the decoy documents in these archives were stolen from previously targeted organisations, and that the owners of the Google Drive links are the same accounts that send the spear-phishing emails.
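A defender-side triage heuristic for the archive layout described above (a legitimate executable next to the DLL it sideloads, plus a decoy document), written as an added example that is not from the original report or from any vendor tool; the extension lists and the sample file names are assumptions, and the sample archive is constructed inline.

```python
import io
import posixpath
import zipfile
from dataclasses import dataclass, field

# Extension classes used by the heuristic (assumed; extend for your environment).
EXE_EXT = {".exe"}
DLL_EXT = {".dll"}
DOC_EXT = {".doc", ".docx", ".pdf", ".rtf", ".lnk"}

@dataclass
class Finding:
    folder: str
    executables: list = field(default_factory=list)
    dlls: list = field(default_factory=list)
    decoys: list = field(default_factory=list)

    @property
    def sideload_candidate(self) -> bool:
        # An executable next to a DLL in the same folder is the shape of a sideloading kit.
        return bool(self.executables) and bool(self.dlls)

def triage_archive(data: bytes) -> list:
    """Group zip entries by folder; return folders holding an EXE/DLL pair."""
    by_folder = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue  # directory entry, nothing to classify
            folder, base = posixpath.split(name)
            ext = posixpath.splitext(base)[1].lower()
            f = by_folder.setdefault(folder, Finding(folder))
            if ext in EXE_EXT:
                f.executables.append(base)
            elif ext in DLL_EXT:
                f.dlls.append(base)
            elif ext in DOC_EXT:
                f.decoys.append(base)
    return [f for f in by_folder.values() if f.sideload_candidate]

def build_sample_archive() -> bytes:
    """Constructed sample archive with the layout the report describes (names made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("briefing/regional_affairs.pdf", b"%PDF-1.4 decoy")
        zf.writestr("briefing/viewer.exe", b"MZ host executable")
        zf.writestr("briefing/helper.dll", b"MZ sideloaded payload")
        zf.writestr("notes.txt", b"benign text, no executable pair")
    return buf.getvalue()
```

Flagged folders are a starting point for analyst review, not a verdict: a legitimately packaged application ships the same EXE/DLL pairing, so confirm the DLL's signature and the executable's expected import set before acting.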


The Earth Preta actors bait email recipients with subject headings regarding critical issues.


Investigations revealed that the Earth Preta actors lure their targets with subject lines about regional affairs and geopolitical discussions. The potential victim is then prompted to download the file, which executes the malware embedded in the email's attachment.

The first payload observed in the spear-phishing campaign is the PUBLOAD malware strain. This malware is a stager that downloads the next-stage payload from its command-and-control server. PUBLOAD may also serve as a diversion, distracting analysts from spotting the primary infection method.

The second strain is the TONESHELL malware, a shellcode loader and a standalone backdoor that requires no installer. The actors obfuscate this malware to slow down analysis, and it carries anti-analysis and anti-sandbox features.

The last malware strain used by Earth Preta is TONEINS, which works as an installer for TONESHELL. TONEINS also establishes persistence for the TONESHELL backdoor.

Earth Preta, also known as Mustang Panda, is notorious for creating custom loaders that it combines with existing tools such as Cobalt Strike and PlugX. However, its primary attack vector is the documents stolen in previous campaigns, which broadens its attack landscape.
