Earth Preta Spear-Phishing Governments Worldwide

In our observation of the campaigns, we noted that, Earth Preta abused fake Google accounts to distribute the malware via spear-phishing emails, initially stored in an archive file (such as rar/zip/jar) and distributed through Google Drive links. Users are then lured into downloading and triggering the malware to execute,  TONEINS, TONESHELL, and PUBLOAD. PUBLOAD has been previously reported, but we add new technical insights in this entry that tie it to TONEINS and TONESHELL, newly discovered malware families used by the group for its campaigns.

In addition, the actors leverage different techniques for evading detection and analysis, like code obfuscation and custom exception handlers. We also found that the senders of the spear-phishing emails and the owners of Google Drive links are the same. Based on the sample documents that were used for luring the victims, we also believe that the attackers were able to conduct research and, potentially, prior breaches on the target organizations that allowed for familiarity, as indicated in the abbreviation of names from previously compromised accounts.

In this blog entry, we discuss Earth Preta’s new campaign and its tactics, techniques, and procedures (TTPs), including new installers and backdoors. Last, we share how security practitioners can track malware threats similar to those that we have identified.

Initial compromise and targets

Based on our monitoring of this threat,  the decoy documents are written in Burmese, and the contents are “လျှို့ဝှက်ချက်” (“Internal-only”). Most of the topics in the documents are controversial issues between countries and contain words like “Secret” or “Confidential.”  These could indicate that the attackers are targeting Myanmar government entities as their first entry point. This could also mean that the attackers have already compromised specific political entities prior to the attack, something that Talos Intelligence had also previously noted.  

The attackers use the stolen documents as decoys to trick the targeted organizations working with Myanmar government offices into downloading and executing the malicious files. The victimology covers a broad range of organizations and verticals worldwide, with a higher concentration in the Asia Pacific region. Apart from the government offices with collaborative work in Myanmar, subsequent victims included the education and research industries, among others. In addition to decoy topics covering ongoing international events concerning specific organizations, the attackers also lure individuals with subject headings pertaining to pornographic materials.

Read More HERE