Trend Micro details Earth Preta APT group that uses spearphishing attacks to target governments worldwide
Researchers from Trend Micro have been monitoring a wave of spearphishing attacks targeting the government, academic, foundations, and research sectors globally. Based on the lure documents observed in the wild, the researchers reveal large-scale cyberespionage activities of advanced persistent threat (APT) group Earth Preta, observed in large-scale attack deployments that began in March.
The researchers also show the infection routines of the malware families they use to infect multiple sectors worldwide, including Toneins, Toneshell and Pubload. After months of tracking, the seemingly wide outbreak of targeted attacks largely covers organizations and verticals worldwide, with a higher concentration in the Asia Pacific region, including but not limited to Myanmar, Australia, the Philippines, Japan and Taiwan. Apart from the government offices with collaborative work in Myanmar, subsequent victims included the education and research industries, among others.
“We analyzed the malware families used in this campaign and attributed the incidents to a notorious advanced persistent threat (APT) group called Earth Preta (also known as Mustang Panda and Bronze President),” the researchers wrote in a recent blog post. Earth Preta is a cyberespionage group known to develop their own loaders in combination with existing tools like PlugX and Cobalt Strike for compromise. Recent research papers show that it is constantly updating its toolsets and indicate that it is further expanding its capabilities.
“Based on our analysis, once the group has infiltrated a targeted victim’s systems, the sensitive documents stolen can be abused as the entry vectors for the next wave of intrusions,” the researchers said. “This strategy largely broadens the affected scope in the region involved. For the group’s objectives, the targeted area appears to be the countries in Asia.”
Based on Trend Micro’s monitoring of the threat, the decoy documents are written in Burmese, and the contents are ‘Internal-only’. Most of the topics in the documents are controversial issues between countries and contain words like ‘Secret’ or ‘Confidential.’ These could indicate that the attackers are targeting Myanmar government entities as their first entry point. This could also mean that the attackers have already compromised specific political entities prior to the attack, something that Talos Intelligence had also previously noted.
“The attackers use the stolen documents as decoys to trick the targeted organizations working with Myanmar government offices into downloading and executing the malicious files,” the researchers said. “In addition to decoy topics covering ongoing international events concerning specific organizations, the attackers also lure individuals with subject headings pertaining to pornographic materials.”
Trend Micro said that Earth Preta uses spearphishing emails as its first step for intrusion. “Some of the emails’ subjects and contents discuss geopolitical topics, while others might contain sensational subjects. We observed that all the emails we analyzed had the Google Drive links embedded in them, which points to how users might be tricked into downloading the malicious archives. The file types of the archives include compressed files such as .rar, .zip, and .jar, to name a few. Upon accessing the links, we learned that the archives contain the malware TONEINS, TONESHELL, and PUBLOAD malware families,” they added.
The researchers analyzed the contents of the emails and observed that a Google Drive link is used as a lure for victims. The email’s subject might be empty or might have the same name as the malicious archive. “Rather than add the victims’ addresses to the email’s ‘To’ header, the threat actors used fake emails. Meanwhile, the real victims’ addresses were written in the ‘CC’ header, likely to evade security analysis and slow down investigations. Using open-source intelligence (OSINT) tool GHunt to probe those Gmail addresses in the ‘To’ section, we found these fake accounts with little information in them,” they added.
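The two paragraphs above describe observable traits of the lure emails: Google Drive links in the body, archive file names (.rar/.zip/.jar), an empty subject or a subject equal to the archive name, throwaway Gmail addresses in the To header and the real recipients pushed into Cc. The following triage script is an added example written for this page, not Trend Micro’s code; it parses a message with Python’s standard `email` module and counts how many of those traits are present. The defended domain `example.gov`, the sample messages and the Drive file id are constructed placeholders.

```python
"""Mail-triage heuristics for the lure pattern described in the article.
Added example (not Trend Micro's code). Sample messages are constructed."""
import re
from email import message_from_string
from email.utils import getaddresses

OUR_DOMAIN = "example.gov"  # assumption: the defended organisation's own mail domain
DRIVE_LINK = re.compile(r"https?://drive\.google\.com/\S+", re.IGNORECASE)
ARCHIVE_NAME = re.compile(r"\S+\.(?:rar|zip|jar)\b", re.IGNORECASE)


def _addresses(msg, header):
    """Lower-cased addresses from every instance of a header (To, Cc, ...)."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, []))]


def _text_body(msg):
    """Concatenate the decoded text/plain parts (single-part or multipart mail)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message):
    """Return the matched heuristics; the score is simply how many matched."""
    msg = message_from_string(raw_message)
    to, cc = _addresses(msg, "To"), _addresses(msg, "Cc")
    subject = (msg.get("Subject") or "").strip()
    body = _text_body(msg)
    findings = []

    # Real recipients hidden in Cc while To holds someone else entirely.
    ours_in_to = any(a.endswith("@" + OUR_DOMAIN) for a in to)
    ours_in_cc = any(a.endswith("@" + OUR_DOMAIN) for a in cc)
    if ours_in_cc and not ours_in_to:
        findings.append("recipients_only_in_cc")
    # To header consisting solely of free-mail (Gmail) accounts.
    if to and all(a.endswith("@gmail.com") for a in to):
        findings.append("to_header_only_gmail")
    # Google Drive link in the body and an archive name referenced by the text.
    links = DRIVE_LINK.findall(body)
    if links:
        findings.append("google_drive_link")
    archives = ARCHIVE_NAME.findall(body)
    if archives:
        findings.append("archive_referenced")
    # Empty subject, or a subject that is just the archive's file name.
    if not subject or any(subject.lower() == a.lower() for a in archives):
        findings.append("subject_empty_or_archive_name")
    return {"findings": findings, "score": len(findings), "links": links, "archives": archives}


# Constructed sample messages (not real captures).
SUSPICIOUS = (
    "From: colleague@partner-org.example\n"
    "To: aaaa1234@gmail.com, bbbb5678@gmail.com\n"
    "Cc: analyst@example.gov\n"
    "Subject:\n"
    'Content-Type: text/plain; charset="utf-8"\n'
    "\n"
    "Please review the report at\n"
    "https://drive.google.com/file/d/CONSTRUCTED-ID/view\n"
    "File: attachment.rar\n"
)
BENIGN = (
    "From: colleague@example.gov\n"
    "To: analyst@example.gov\n"
    "Subject: Meeting notes\n"
    'Content-Type: text/plain; charset="utf-8"\n'
    "\n"
    "Notes are on the internal wiki.\n"
)

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, triage(raw))
```

The score is deliberately a plain count so analysts can see which traits fired; a mail gateway rule would typically quarantine on `recipients_only_in_cc` plus `google_drive_link` and route the rest to review.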
“Moreover, we observed that some of the senders might be compromised email accounts from a specific organization,” the researchers said. “Victims might be convinced that these mails were sent from trusted partners, increasing the chances that recipients will select the malicious links.”
Some of the decoy documents are linked to organizations related to or working with Myanmar government entities. The first decoy’s file name is Assistance and Recovery(china)[dot]exe, while another decoy, a [dot]PDF document whose title means ‘Embassy of the Republic of Myanmar’, was observed in a compressed file named Assistance and Recovery(china)[dot]rar. Allegedly, this document contains the ambassador’s report on rough meeting schedules between the embassies of Myanmar and China, the researchers revealed.
“Another document is related to the Japan Society for the Promotion of Science (JSPS), an initiative that provides researchers opportunities to conduct and undergo research exchanges in Japan,” Trend Micro’s researchers said. “Notably, the documents in the compressed file attachment(EN)[dot]rar are mostly image files. The malicious DLL and the executable, which are used for the next layer of sideloading, are also included among them. There are also other decoy documents with diverse content themes, including regional affairs and pornography. However, when the victim opens the fake document file in this folder, no corresponding content appears.”
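The quoted passage describes an archive that is mostly image files with an executable and a DLL for sideloading mixed in. The check below is an added example written for this page, not Trend Micro’s tooling: it lists an archive’s entries and flags the combination of an .exe and a .dll next to decoy images. It uses the standard `zipfile` module, so it covers the .zip case from the article (reading .rar needs a third-party library); the archive it inspects is constructed in memory with placeholder file names.

```python
"""Archive-content triage for the 'decoy images plus exe/dll' layout described above.
Added example (not Trend Micro's code). The archive is constructed in memory."""
import io
import os
import zipfile
from collections import Counter

IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}


def inspect_archive(data):
    """Summarise a zip's entries and flag the sideloading-style layout."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    ext_counts = Counter(os.path.splitext(n)[1].lower() for n in names)
    exes = [n for n in names if n.lower().endswith(".exe")]
    dlls = [n for n in names if n.lower().endswith(".dll")]
    images = sum(ext_counts[e] for e in IMAGE_EXT)

    flags = []
    # An executable shipped with a DLL in the same folder is the classic
    # DLL-sideloading layout the article describes.
    if exes and dlls:
        flags.append("exe_with_dll_sideload_candidate")
    # Executables hidden among many harmless-looking images.
    if exes and images:
        flags.append("executable_among_decoy_images")
    return {"entries": names, "exe": exes, "dll": dlls, "images": images, "flags": flags}


def build_zip(entries):
    """Create an in-memory zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed archives with placeholder names (no real samples).
LURE_ARCHIVE = build_zip({
    "photo1.jpg": b"\xff\xd8placeholder", "photo2.jpg": b"\xff\xd8placeholder",
    "photo3.png": b"\x89PNGplaceholder",
    "viewer.exe": b"MZplaceholder", "helper.dll": b"MZplaceholder",
})
CLEAN_ARCHIVE = build_zip({"photo1.jpg": b"\xff\xd8placeholder", "notes.txt": b"hello"})

if __name__ == "__main__":
    print(inspect_archive(LURE_ARCHIVE))
    print(inspect_archive(CLEAN_ARCHIVE))
```

On a mail gateway this kind of listing runs before any file is opened, so it costs little and gives a concrete reason to hold the message for review.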
Trend Micro also noted that Earth Preta abused fake Google accounts to distribute the malware using spear-phishing emails, initially stored in an archive file (such as rar/zip/jar) and distributed through Google Drive links. Users are then lured into downloading and triggering the malware to execute Toneins, Toneshell, and Pubload. “PUBLOAD has been previously reported, but we add new technical insights in this entry that tie it to TONEINS and TONESHELL, newly discovered malware families used by the group for its campaigns,” it added.
In addition, the hackers leverage different techniques for evading detection and analysis, like code obfuscation and custom exception handlers, the researchers disclosed. “We also found that the senders of the spear-phishing emails and the owners of Google Drive links are the same. Based on the sample documents that were used for luring the victims, we also believe that the attackers were able to conduct research and, potentially, prior breaches on the target organizations that allowed for familiarity, as indicated in the abbreviation of names from previously compromised accounts,” they added.
Trend Micro said that as part of organizational mitigation plans, the company recommended implementing continuous phishing awareness training for partners and employees. “We advise always checking the sender and the subject twice before opening an email, especially with an unidentifiable sender or an unknown subject. We also recommend a multi-layered protection solution to detect and block threats as far left in the malware infection chain as possible,” it added.