Researchers Uncover Chinese Nation State Hackers' Deceptive Attack Strategies


Earth Preta's latest campaign suggests that Chinese state-affiliated groups are becoming more adept at evading security controls.

The threat actor has been tracked since 2012 under a number of names, including Bronze President, HoneyMyte, Mustang Panda, RedDelta, and Red Lich.

The group's attack chains begin with spear-phishing emails that deliver an assortment of tools for remote access, command-and-control communication, and data exfiltration from the compromised systems.

These emails carry lure archives distributed through Dropbox or Google Drive links. The archives rely on DLL side-loading, LNK shortcut files, and spoofed file extensions to compromise hosts and install backdoors such as TONEINS, TONESHELL, PUBLOAD, and MQsTTang (also known as QMAGENT).

Comparable infection chains have also been observed delivering Cobalt Strike through Google Drive links, with instances dating back to April 2021.

According to an analysis published Thursday by Trend Micro, Earth Preta hides its malicious payloads inside files that appear legitimate, a technique that has proven effective at evading detection.

The initial access method, first documented late last year, has since been adjusted: the download link to the malicious archive is now embedded in a decoy document, and the archive itself is password-protected so that email security filters cannot inspect its contents.

As the researchers note, the archive can only be extracted with the password supplied in the lure document. Because scanning services cannot open the encrypted archive, the payload reaches the victim unexamined and the attacker is free to carry out the rest of the intrusion.
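The password-protected archive defeats gateways that try to extract and scan the contents, but it does not hide everything: in the ZIP format the central directory, which records every entry's name and flag bits, is never encrypted. The Python script below is an added example written for this page, not code from Trend Micro or from the campaign itself. It hand-builds a constructed sample archive (the entry names, payload bytes and helper names are hypothetical) and triages it without knowing any password, flagging encrypted entries, spoofed extensions such as `Invoice_Q3.pdf.exe` or a Unicode right-to-left override, LNK shortcut files, and an EXE shipped next to a DLL in the same folder, which is the layout DLL side-loading needs. It therefore covers the lure-archive tradecraft from the earlier paragraph as well as the password-protection step described here.

```python
from __future__ import annotations

import io
import struct
import zipfile
import zlib
from dataclasses import dataclass, field

# Final extensions that run code when double-clicked on Windows.
EXECUTABLE_EXTS = {"exe", "dll", "lnk", "scr", "com", "bat", "cmd", "js", "vbs", "hta", "msi"}
# Extensions attackers insert before the real one so a payload looks like a document.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
RLO = "\u202e"  # Unicode right-to-left override, used to visually reverse an extension


@dataclass
class ArchiveFindings:
    encrypted_entries: list[str] = field(default_factory=list)
    fake_extensions: list[str] = field(default_factory=list)
    lnk_files: list[str] = field(default_factory=list)
    sideload_pairs: list[tuple[str, str]] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.fake_extensions or self.lnk_files or self.sideload_pairs)


def triage_archive(data: bytes) -> ArchiveFindings:
    """Inspect a ZIP's central directory without extracting anything.

    Entry names and the general-purpose flag bits are stored in the clear even
    when the entry bodies are password-protected, so no password is needed.
    """
    findings = ArchiveFindings()
    exes: dict[str, list[str]] = {}
    dlls: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.flag_bits & 0x1:  # general-purpose bit 0 = entry is encrypted
                findings.encrypted_entries.append(name)
            directory, _, base = name.rpartition("/")
            exts = base.lower().split(".")[1:]
            final = exts[-1] if exts else ""
            if RLO in base or (len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and final in EXECUTABLE_EXTS):
                findings.fake_extensions.append(name)
            if final == "lnk":
                findings.lnk_files.append(name)
            if final == "exe":
                exes.setdefault(directory, []).append(name)
            elif final == "dll":
                dlls.setdefault(directory, []).append(name)
    # An EXE shipped beside a DLL in the same folder is the classic side-loading layout.
    for directory, exe_names in exes.items():
        for exe in exe_names:
            for dll in dlls.get(directory, []):
                findings.sideload_pairs.append((exe, dll))
    return findings


def build_zip(entries: dict[str, bytes], mark_encrypted: bool) -> bytes:
    """Assemble a minimal stored ZIP by hand (zipfile cannot write encrypted entries).

    The encryption flag is set on request but bodies are written as-is: this is a
    constructed sample for metadata triage, not a real ZipCrypto archive.
    """
    flags = 0x800 | (0x1 if mark_encrypted else 0)  # 0x800 = UTF-8 file names
    local, central = bytearray(), bytearray()
    for name, body in entries.items():
        raw, crc, size, offset = name.encode("utf-8"), zlib.crc32(body), len(body), len(local)
        # Local header: sig, version, flags, method, time, date, crc, csize, usize, namelen, extralen.
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21, crc, size, size, len(raw), 0)
        local += raw + body
        # Central record adds version-made-by, comment length, disk, attributes and header offset.
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0x21,
                               crc, size, size, len(raw), 0, 0, 0, 0, 0, offset)
        central += raw
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries), len(central), len(local), 0)
    return bytes(local + central + eocd)


# Constructed sample mimicking the lure layout described in the article; names and bytes are hypothetical.
SAMPLE_ARCHIVE = build_zip({
    "Invoice_Q3.pdf.exe": b"MZ" + b"\x00" * 14,        # double extension hiding an executable
    "libcurl.dll": b"MZ" + b"\x00" * 14,               # DLL beside the EXE: side-loading candidate
    "Meeting Notes.lnk": b"L\x00\x00\x00",             # LNK shortcut
    "docs/agenda\u202efdp.exe": b"MZ" + b"\x00" * 14,  # RLO trick: renders as "docs/agendaexe.pdf"
    "readme.txt": b"benign text",
}, mark_encrypted=True)


if __name__ == "__main__":
    result = triage_archive(SAMPLE_ARCHIVE)
    print("encrypted entries:", result.encrypted_entries)
    print("fake extensions:  ", result.fake_extensions)
    print("LNK files:        ", result.lnk_files)
    print("side-load pairs:  ", result.sideload_pairs)
    print("verdict:", "SUSPICIOUS" if result.suspicious else "clean")
```

Run against the sample, every entry is reported as encrypted yet the script still names the double-extension executable, the RLO-disguised file, the LNK and the EXE/DLL pair, so a gateway can quarantine or sandbox the archive on metadata alone. A scanner that only attempts extraction and gives up on the password prompt is the gap this campaign exploits.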

After gaining a foothold, Mustang Panda moves on to account discovery and privilege escalation, using custom tools named ABPASS and CCPASS to bypass User Account Control (UAC) on Windows 10.

The actor has also been observed using the USB Driver.exe (HIUPAN or MISTCLOAK) and rzlog4cpp.dll (ACNSHELL or BLUEHAZE) malware to establish persistence on removable drives and spawn a reverse shell, with the ultimate goal of moving laterally across the network.

Other tools in the arsenal include CLEXEC, a backdoor that can execute commands and clear event logs; COOLCLIENT and TROCLIENT, implants designed to log keystrokes and read or delete files; and PlugX.

Beyond well-known legitimate tools, the researchers observed the attackers deploying purpose-built utilities for data collection, notably NUPAKAGE and ZPAKAGE, both of which harvest Microsoft Office documents.

The findings once again underscore that Chinese cyber espionage actors have stepped up their operations and continue to refine their tooling to evade detection.

According to the researchers, Earth Preta is a capable, well-organized group that poses a persistent threat. It continually improves its tactics, techniques, and procedures (TTPs), develops more advanced capabilities, and maintains a versatile arsenal of tools and malware.
