![](\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/23\/Earth-Preta2-641.jpg\")
<\/p>\n<\/p>\n
<\/div>\nWe categorize the different TTPs into six stages: arrival vectors, discovery, privilege escalation, lateral movement, command and control (C&C) and exfiltration, respectively. In our previous research<\/a>, we covered most of the new TTPs and malware during the first stage, arrival vectors. However, we observed that some of TTPs have been changed. In the following sections, we focus on the updated arrival vectors and their succeeding stages.<\/p>\n We previously summarized the arrival vectors used by Earth Preta by categorizing them into three types (DLL sideloading, shortcut links, and fake file extensions). Starting in October and November 2022, we observed that the threat actors began changing their TTPs to deploy the TONEINS, TONESHELL, and PUBLOAD malware, and QMAGENT malware. We believe that the threat actors are employing these new techniques to avoid detection.<\/p>\n Based on our earlier observation, the TONEINS and TONESHELL malware were downloaded from the Google Drive link embedded in the body of an email. To bypass email-scanning services and email gateway solutions, the Google Drive link has now been embedded in a lure document. The document lures users into downloading a malicious password-protected archive with the embedded link. The files can then be extracted inside via the password provided in the document. By using this technique, the malicious actor behind the attack can successfully bypass scanning services.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n For the new arrival vector, the whole infection flow has been changed to the procedure shown in Figure 3.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n After analyzing the downloaded archive, we discovered it to be a malicious RAR file with the TONEINS malware libcef.dll<\/i> and the TONESHELL malware ~List of terrorist personnel at the border.docx<\/i>. The infection flow for these is similar to the arrival vector type C in our previous report, with the only difference being that the fake .docx files have XOR-encrypted content to prevent detection. For example, ~$Evidence information.docx<\/i> is a file disguising itself as an Office Open XML document. As such, it seems harmless and can even be opened by using decompression software such as 7-Zip.<\/p>\n We found that the threat actors have hidden a PE file in one of the archive\u2019s ZIPFILERECORD structures. The TONEINS malware, libcef.dll<\/i>, will decrypt this file with a single byte in XOR operations, find the PE header, and drop the payload to the specified path.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n The succeeding behaviors of the infection flow are generally the same as those in our previous analysis, where we provide more details.<\/p>\n In more recent cases, the malware PUBLOAD was also being delivered through Google Drive links embedded in decoy documents.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n Since October 2022, we have been observing a new variant of PUBLOAD, which uses the spoofed HTTP header to transfer the data, as LAC\u2019s report<\/a> also discusses. In contrast to the previous PUBLOAD variant, it prepends an HTTP header with a legitimate-looking host name to the packets. We believe that the threat actors are trying to conceal malicious data among normal traffic. The data in the HTTP body is the same as the past variant, which has the same magic bytes 17 03 03<\/i> and the encrypted victim information. We were able to successfully retrieve the payload from a live C&C server and were therefore able to continue our analysis.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n Once the payload is received, it will check if the first three magic bytes are 17 03 03<\/i> and if the following two bytes are the size of payload. It will then decrypt the encrypted payload with the predefined RC4 key 78 5A 12 4D 75 14 14 11 6C 02 71 15 5A 73 05 08 70 14 65 3B 64 42 22 23 20 00 00 00 00 00 00 00<\/i>, which is the same as the one used in the PUBLOAD loader. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n After decryption, it then checks if the first byte of the decrypted payload is 0x06<\/i>. The decrypted payload contains another payload that is XOR-encrypted with the bytes 23 BE 84 E1 6C D6 AE 52 90<\/i>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n After this is decrypted, there is yet another final backdoor payload that supports data upload and command execution.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n In addition, we found some interesting debug strings and event names among the PUBLOAD samples.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n In summary, we think that the new TONESHELL and PUBLOAD archives have been evolving and now have something in common. For example, both of them are now being placed in decoy documents (such as Google Drive links) in order to bypass antivirus scanning.<\/p>\n Once the threat actors obtain access to the victim\u2019s environment, they can start inspecting the environment via the following commands:<\/p>\n net user<\/span><\/p>\n net user <username><\/p>\n net user <username> \/DOMAIN<\/p>\n Privilege escalation<\/span><\/p>\n In this campaign, we discovered several tools used for UAC bypass in Windows 10. We will go into detail for each of them.<\/p>\n HackTool.Win32.ABPASS is a tool used to bypass UAC in Windows 10. Based on our analysis, it reuses codes from the function ucmShellRegModMethod3<\/a>, which is from a famous open-source project called UACME<\/a>. A report from Sophos<\/a> introduces this tool. \ufffc<\/p>\n This tool accepts an argument, and the following data is written into registry:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n It also changes how Windows handles the ms-settings<\/i> protocol \u2014 in this case, the string ms-settings<\/i> is a Programmatic Identifier (ProgID)<\/a>. If the CurVer<\/a> key is set under a ProgID, it will be used for versioning and mapping the current ProgID (ms-settings<\/i>) to the one specified in the CurVer\u2019s default value. In turn, the behavior of ms-settings<\/i> is redirected to the custom defined ProgID aaabbb32<\/i>. It also sets up a new ProgID aaabbb32<\/i> and its shell<\/a> open command. Finally, fodhelper.exe<\/i> or computerDefaults.exe<\/i> will be executed to trigger the ms-settings<\/i> protocol.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n HackTool.Win32.CCPASS is another tool that is also used for Windows 10 UAC bypass and similarly reuses codes from the function ucmMsStoreProtocolMethod<\/a> in the project UACME<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n It works in a similar way to ABPASS. However, unlike ABPASS, it hijacks the ms-windows-store<\/i> protocol. The hack tool CCPASS works as follows:<\/p>\n In Windows 10 and above, the system shows a new toast dialog for selecting the open application for the selected file type. To hide this window, the tool explicitly adds new entries to HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\ApplicationAssociationToasts<\/i> to disable all toasts related to the protocol ms-windows-store<\/i>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n Once this is done, the tool starts to alter the shell command of ms-windows-store<\/i> and finally triggers it using WSReset.exe<\/i>.<\/p>\n In Windows 10, there is a native Windows service called \u201cSilentCleanup.\u201d This service has the highest privileges that can be abused for Windows 10 UAC bypass. Normally, this service is intended for running %windir%\\system32\\cleanmgr.exe<\/i>. However, the environment variable %windir%<\/i> can be hijacked and changed to any path to achieve privilege escalation.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n We observed that the threat actors used this technique to execute c:\\users\\public\\1.exe<\/i>.<\/p>\n In this stage, we observed certain malware such as HIUPAN and ACNSHELL (initially introduced and analyzed by Mandiant<\/a> and Sophos<\/a>) being used to install themselves to removable disks and create a reverse shell.<\/p>\n We found a pair of malware comprised of a USB worm and a reverse shell \u2014includin g a USB worm and a reverse shell (detected as Worm.Win32.HIUPAN and Backdoor.Win32.ACNSHELL, respectively,) \u2014 being used to spreadfor spreading themselves over removable drives., which we detected as Worm.Win32.HIUPAN and Backdoor.Win32.ACNSHELL. This These malware wereas detailed and introducedpreviously discussed in the reports published by Mandiant<\/a> and Sophos<\/a>.<\/p>\n Figure 18 shows the infection chain for both.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n The USB Driver.exe<\/i> program first sideloads u2ec.dll<\/i>, which then loads the payload file usb.ini<\/i>. They have the following PDB strings, respectively:<\/p>\n The string U\u76d8\u52ab\u6301<\/i> means \u201cU disk hijacking,\u201d where \u201cU disk\u201d refers to removable drives.<\/p>\n USB Driver.exe<\/i> then starts checking whether it is properly installed. If it is installed, it will start to infect more removable disks and copy files to a folder named autorun.inf<\/i>. If it is not installed, it installs itself to %programdata%<\/i> and then sets the registry run key for persistence.<\/p>\n Finally, the ACNSHELL malware rzlog4cpp.dll<\/i> is sideloaded. It will then create a reverse shell via ncat.exe<\/i> to the server closed[.]theworkpc[.]com<\/i>.<\/p>\n Earth Preta employed several tools and commands for the C&C stage. For example, the group used certutil.exe<\/i> to download the legitimate WinRAR binary as rar1.exe<\/i> from the server 103[.]159[.]132[.]91.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n We also observed that the threat actors used PowerShell to download multiple malware and archives from the server 103[.]159[.]132[.]181 for future use.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n In certain instances, they even leveraged the WinRAR binary installed on the victim hosts to decompress all the malware.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n Although we found several logs involving multiple pieces of dropped malware, we only managed to retrieve a few of them. Among all our collected samples, we will introduce the most noteworthy ones.<\/p>\n The file name of the backdoor CLEXEC is SensorAware.dll<\/i>. This is a simple backdoor that is capable of executing commands and clearing event logs.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n The backdoor COOLCLIENT was first introduced in a report from Sophos<\/a>; the sample mentioned in the report was compiled in 2021. In our case, the COOLCLIENT sample we analyzed had a more recent compilation time in 2022, and while it provides the same functionalities, it has the added capability to open a decoy document (work.pdf<\/i>) when the current process name has \u201c.pdf\u201d or \u201c.jpg\u201d file extensions. It contains also possesses the ability to reduce debug strings (less OutputDebugStrings calls). Meanwhile, loader.ja<\/i> is used under two processes: One is under googleupdate.exe<\/i>, which is used for the first sideloading. The second is under winver.exe<\/i>, which is injected to conduct backdoor behaviors. Furthermore, COOLCLIENT applies obfuscation techniques that we discuss in later sections.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n Figure 24 shows the whole execution flow of COOLCLIENT.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n The arguments of COOLCLIENT provide the following capabilities:<\/p>\n install.<\/b> There are three conditions different ways to decide the method of installation for COOLCLIENT, detailed here:<\/p>\n work.<\/b> The malware will continue to read and decrypt goopdate.ja<\/i> and inject it into winver.exe<\/i> for the next-stage payload (COOLCLIENT), which contains malicious behaviors.<\/p>\n passuac.<\/b> The malware will check if the process avp.exe<\/i> exists. If avp.exe<\/i> doesn\u2019t exist, UAC bypass will be executed via the CMSTPLUA COM interface. If avp.exe<\/i> exists, UAC bypass will be executed via the AppInfo RPC service.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n Based on the class name used in COOLCLIENT, we learned thaAccording to our analysis, it reads the encrypted configuration filecan expand the C&C server via time.sig<\/i>., an encrypted configuration. It is also able to communicate through different network protocols such as UDP (User Datagram Protocol) and TCP (Transmission Control Protocol). Based on some internal strings and the APIs used by Earth Preta, the functionalities of this backdoor can be inferred as follows:<\/p>\n The backdoor TROCLIENT, which was also first disclosed in Sophos\u2019s report, is similar to COOLCLIENT. However, this backdoor has an anti-debugging technique, which will check if the running processes have the strings dbg.exe<\/i> or olly<\/i>. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n Figure 28 shows the whole execution flow of TROCLIENT.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n The arguments of TROCLIENT provide the following capabilities:<\/p>\n install.<\/b> There are two waysto determine the method of installation for TROCLIENT, detailed here:<\/p>\n online:<\/b> It will read the next stage payloads, free.plg<\/i> and main.plg<\/i>, and inject them into dllhost.exe.<\/i><\/p>\n passuac:<\/b> The malware will check if the process avp.exe<\/i> exists. If it does not, UAC bypass is executed via the CMSTPLUA COM interface. If avp.exe<\/i> exists, UAC bypass is executed via token manipulation<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/span><\/h2>\n
\n\n\nTable 1. Files in the new arrival vector<\/h5>\n<\/p><\/div>\n
\n\n\n\n<\/span><\/h2>\n
\n\n\n\n\n\n\n\n\nTable 2. Command codes in the PUBLOAD HTTP variant<\/h5>\n<\/p><\/div>\n
\n\n\n\n<\/span><\/h2>\n
\nTable 3. Registry keys changed by ABPASS<\/h5>\n<\/p><\/div>\n
\n\n\n\n<\/span><\/h2>\n
\n\n\n
\n\n<\/span><\/h2>\n
\n\n<\/span><\/h2>\n
\n\n\n
\n\n\n\n\n\n\n\n<\/span><\/h2>\n
\n\n\n\n\n
\n\n\n
\n\n<\/span><\/h2>\n
\n\n\n\n\n