Earth Preta Targets Multiple Sectors With Large-Scale Spear-Phishing

The campaign

• Active since March, it is sending spear-phishing emails using fake Google accounts. These emails deliver a malware-embedded malicious archive file through Google Drive links, Dropbox links, or other IP addresses hosting the files.
• The archive file (such as rar/zip/jar) contains legitimate executables, as well as sideloaded DLLs. These files are indeed stolen documents from targeted organizations. Owners of Google Drive links and senders of the spear-phishing emails are the same.
• The emails lure the targeted victims with subject headings pertaining to geopolitical discussions, regional affairs, and pornographic materials. It tricks them into downloading and executing TONEINS, TONESHELL, and PUBLOAD malware.

About the malware

• First disclosed in May, PUBLOAD is a stager that can download the next-stage payload from its C2 server. Embedded with debug strings, PUBLOAD is capable of distracting analysts from the main infection routines.
• TONESHELL is a shellcode loader and a standalone backdoor without any installer capabilities. It is obfuscated to slow down malware analysis and contains anti-sandbox and anti-analysis techniques.
• TONEINS works as the installer for TONESHELL backdoors and it establishes the persistence for TONESHELL malware.

Additional insights

• Earth Preta uses code obfuscation and custom exception handlers for evading detection and analysis.
• It uses stolen documents and familiar account names connected to specific organizations to lure the victims. It indicates that the attackers were able to conduct research and, potentially, prior breaches on the target organizations.
• The names of the stolen files suggest it had breached the Embassy of the Republic of Myanmar, the Japan Society for the Promotion of Science (JSPS), and others.

Conclusion