Threat actors continually adjust their tradecraft to evade detection and keep a foothold in compromised systems. Earth Preta, a well-documented advanced persistent threat (APT) group, has recently adopted a technique that sidesteps antivirus monitoring and sustains access to targeted hosts. This article summarises the tactics, techniques and procedures (TTPs) used by Earth Preta in its latest campaign, as reported by Trend Micro's Threat Hunting team. By mixing legitimate, signed binaries with malicious components, the group makes its attack chain considerably harder to separate from normal activity.
The Earth Preta Cyberattack
Earth Preta, also known as Mustang Panda, has been actively targeting entities in the Asia-Pacific region, with a particular focus on government organisations. Trend Micro's Threat Hunting team recently uncovered a series of attacks that use a Setup Factory-built installer to drop the payload and the Microsoft Application Virtualization Injector (MAVInject.exe) to inject it while evading antivirus detection and maintaining persistence on infected systems. The antivirus check happens after the malicious component is running, not at the start of the attack: the malware looks for ESET antivirus and, if it is present, launches waitfor.exe and uses MAVInject.exe, a signed Microsoft binary, to inject its payload into that process.
To execute the attack, Earth Preta combines legitimate tools, namely the Setup Factory installer and the Electronic Arts (EA) binary OriginLegacyCLI.exe, with malicious components. The installer drops the files onto the system and opens a decoy PDF to occupy the victim while the payload is deployed. The payload, a variant of the TONESHELL backdoor, is a malicious DLL that the legitimate EA application sideloads, after which the backdoor establishes communication with a command-and-control (C&C) server. This gives the attacker data exfiltration and further control over the compromised system.
What Undercode Says:
One of the key elements of this attack is the use of Setup Factory, a legitimate installer-building product, to package the dropper that places and executes the malicious payloads. Because installers built with Setup Factory are common in the deployment of trusted software, this tactic makes it harder for security solutions to distinguish the malicious installer from a legitimate one. By riding on a widely used tool, Earth Preta adds another layer of complexity to its attack chain and helps the payload survive on compromised systems.
The attack itself is multi-staged. The dropper first writes its files into the C:\ProgramData\session directory; these include both legitimate executables and malicious components. A decoy PDF is then opened to distract the victim while the malware is quietly deployed in the background. This decoy tactic, also seen in previous Earth Preta campaigns, exploits human curiosity and diverts attention from the real activity.
The most insidious aspect of this attack is the sideloading of the TONESHELL backdoor through a legitimate EA application (OriginLegacyCLI.exe). This is not an exploit of a vulnerability in the EA binary: the attacker simply places a malicious DLL with the expected name next to the signed executable, which then loads it. Because the process that runs the backdoor is a trusted, signed application, nothing looks immediately suspicious to the victim or to signature-based tooling. Once active, the backdoor communicates with the C&C server and exfiltrates data, deepening the compromise.
The C&C communication is also designed to be discreet. Earth Preta uses a custom protocol whose traffic is shaped to resemble ordinary network activity. The malware generates a unique victim ID and stores it in a separate file on disk, so that each infected machine can be tracked individually across sessions. This per-host tracking lets Earth Preta manage many compromised systems without drawing attention.
From an analytical perspective, this attack represents a highly refined version of previous APT campaigns. The use of both legitimate and malicious components highlights the increasing complexity of modern cyberattacks. By integrating trusted software into their attack strategies, APT groups like Earth Preta are able to blend in with normal network operations, making detection significantly more difficult.
Moreover, the way the malware reacts to ESET antivirus shows how deliberate Earth Preta's tactics are. Rather than attempting injection the same way on every host, the backdoor checks whether ESET is present and, when it is, switches to injecting through MAVInject.exe, a signed Microsoft binary that security products are less likely to block. Adapting the injection method to the security software on the machine points to careful planning and reconnaissance, characteristics typical of state-sponsored or highly organised groups.
Looking forward, organisations must adapt their defences to these techniques. Relying solely on traditional antivirus tools is no longer sufficient. Defensive measures should include monitoring for abnormal behaviour inside legitimate processes, in particular MAVInject.exe being invoked with /INJECTRUNNING, waitfor.exe being spawned by an unexpected parent, and signed binaries loading unsigned DLLs from user-writable directories such as ProgramData; broader detection coverage for process injection; and a strong focus on identifying the phishing and other social-engineering methods used in the initial stages of the attack.
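As an added example (not code from Trend Micro's report or from Undercode), the following Python runs three detection rules over constructed Sysmon-style events that replay the chain described above: executables staged into C:\ProgramData\session by the dropper, OriginLegacyCLI.exe sideloading an unsigned DLL from that directory, and MAVInject.exe called with /INJECTRUNNING against a waitfor.exe process. The event field names follow Sysmon (Image, ParentImage, CommandLine, ImageLoaded, TargetFilename, ProcessId); the sample events, the PIDs and the file names dropper.exe, sideloaded.dll and decoy.pdf are placeholders I made up for the example, not indicators from the report.

```python
"""Detection rules for the Earth Preta chain, run over constructed Sysmon-style
events. Added example, not Trend Micro's or Undercode's code. Sysmon EventID
1 = process create, 7 = image load, 11 = file create. Sample events and the
names dropper.exe / sideloaded.dll / decoy.pdf are constructed placeholders."""
import ntpath
import re
from collections import defaultdict

DROP_DIR = r"c:\programdata\session"                       # from the article
USER_WRITABLE = (r"c:\programdata", r"c:\users", r"c:\windows\temp")
PAYLOAD_EXT = (".exe", ".dll")
MAVINJECT_RE = re.compile(r"(\d+)\s+/injectrunning\s+(\S+)", re.IGNORECASE)


def _norm(p):
    """Lower-case and backslash-normalise a Windows path for comparison."""
    return p.lower().replace("/", "\\")


def _base(p):
    return ntpath.basename(_norm(p))


def _dir(p):
    return ntpath.dirname(_norm(p))


def detect_staging(events):
    """Rule 1: one process writes two or more executables into the drop dir."""
    writes = defaultdict(list)
    for e in events:
        if e["EventID"] != 11:
            continue
        target = _norm(e["TargetFilename"])
        if _dir(target) == DROP_DIR and target.endswith(PAYLOAD_EXT):
            writes[(e["ProcessId"], e["Image"])].append(e["TargetFilename"])
    return [{"rule": "drop_dir_staging", "process": img, "files": files}
            for (_pid, img), files in writes.items() if len(files) >= 2]


def detect_sideload(events):
    """Rule 2: an unsigned DLL loaded from the same user-writable directory as
    its host EXE, the classic sideloading shape (signed host, rogue DLL)."""
    alerts = []
    for e in events:
        if e["EventID"] != 7:
            continue
        host, dll = e["Image"], e["ImageLoaded"]
        same_dir = _dir(host) == _dir(dll)
        writable = _dir(dll).startswith(USER_WRITABLE)
        if same_dir and writable and e.get("Signed", "false") == "false":
            alerts.append({"rule": "dll_sideload", "host": host, "dll": dll})
    return alerts


def detect_mavinject(events):
    """Rule 3: mavinject.exe <pid> /INJECTRUNNING <dll>. Any use deserves a
    look; a target PID that resolves to waitfor.exe matches the chain above."""
    pid_image = {e["ProcessId"]: e["Image"] for e in events if e["EventID"] == 1}
    alerts = []
    for e in events:
        if e["EventID"] != 1 or _base(e["Image"]) != "mavinject.exe":
            continue
        m = MAVINJECT_RE.search(e["CommandLine"])
        if not m:
            continue
        target = pid_image.get(int(m.group(1)), "<unknown>")
        severity = "high" if _base(target) == "waitfor.exe" else "medium"
        alerts.append({"rule": "mavinject_injectrunning", "parent": e["ParentImage"],
                       "target_image": target, "dll": m.group(2), "severity": severity})
    return alerts


def run_detections(events):
    return detect_staging(events) + detect_sideload(events) + detect_mavinject(events)


# Constructed telemetry replaying the chain, plus benign noise that must not fire.
DROPPER = r"C:\Users\victim\Downloads\dropper.exe"            # placeholder name
HOST = r"C:\ProgramData\session\OriginLegacyCLI.exe"
DLL = r"C:\ProgramData\session\sideloaded.dll"                # placeholder name
EVENTS = [
    {"EventID": 11, "ProcessId": 1001, "Image": DROPPER, "TargetFilename": HOST},
    {"EventID": 11, "ProcessId": 1001, "Image": DROPPER, "TargetFilename": DLL},
    {"EventID": 11, "ProcessId": 1001, "Image": DROPPER,
     "TargetFilename": r"C:\ProgramData\session\decoy.pdf"},
    {"EventID": 1, "ProcessId": 2002, "Image": HOST, "ParentImage": DROPPER, "CommandLine": HOST},
    {"EventID": 7, "ProcessId": 2002, "Image": HOST, "ImageLoaded": DLL, "Signed": "false"},
    {"EventID": 1, "ProcessId": 4321, "Image": r"C:\Windows\System32\waitfor.exe",
     "ParentImage": HOST, "CommandLine": "waitfor.exe sessionstart"},
    {"EventID": 1, "ProcessId": 4322, "Image": r"C:\Windows\System32\mavinject.exe",
     "ParentImage": HOST,
     "CommandLine": r"C:\Windows\System32\mavinject.exe 4321 /INJECTRUNNING " + DLL},
    # benign: an admin script using waitfor, the EA app in Program Files, a normal DLL write
    {"EventID": 1, "ProcessId": 900, "Image": r"C:\Windows\System32\waitfor.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "waitfor.exe build_done"},
    {"EventID": 7, "ProcessId": 901, "Image": r"C:\Program Files\Origin\OriginLegacyCLI.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 11, "ProcessId": 902, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\update.dll"},
]

if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(alert)
```

Run stand-alone, the script prints one alert per rule for the malicious events and nothing for the benign ones. The rules are deliberately independent so that each can fire on its own: a MAVInject call into any process is still worth triage even when the drop directory or the host binary differs from this campaign.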
Additionally, the use of decoy documents and files as a distraction during an attack underscores the importance of user education. Training employees to recognize phishing emails and suspicious attachments is crucial in reducing the risk of a successful attack. Even when antivirus software fails to detect an infection, human awareness remains one of the most effective defenses against cyberattacks.
In conclusion, Earth Preta's latest campaign shows how far the abuse of legitimate components has progressed. By combining trusted binaries with evasion techniques such as MAVInject-based injection and DLL sideloading, the group executes targeted, stealthy intrusions that traditional antivirus may never flag. Organisations must remain vigilant and proactive, continuously adapting their detection and response capabilities to keep pace with these adversaries.
References:
Trend Micro Research, "Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection": https://www.trendmicro.com/en_us/research/25/b/earth-preta-mixes-legitimate-and-malicious-components-to-sidestep-detection.html