Researchers have uncovered a large-scale phishing campaign aimed at the government, academic, foundation, and research sectors, with a focus on Australia, Japan, Taiwan, Myanmar, and the Philippines.
The campaign was observed from March 2022 to October 2022 and is tied to an Advanced Persistent Threat (APT) group known as Earth Preta (also known as Mustang Panda and Bronze President). Earth Preta is well known for developing its own loaders and using them alongside existing tools such as PlugX and Cobalt Strike to compromise targets.
In the latest campaign, Earth Preta used fake Google accounts to spread malware via spear-phishing emails. The malware was initially stored in an archive file (such as a rar/zip/jar file) and distributed through Google Drive links. Over the course of the campaign, researchers identified two new malware families used by the group (TONEINS and TONESHELL), alongside PUBLOAD, a previously disclosed malware.
PUBLOAD – A stager capable of downloading the next-stage payload from its command and control (C&C) server. Cisco Talos first reported it in May 2022.
TONEINS – A first-stage installer that drops the TONESHELL backdoor and establishes persistence for it.
TONESHELL – The backdoor used most often in this campaign. It is a shellcode loader that uses a 32-byte key held in memory to load and decode the backdoor shellcode.
Additionally, the threat actors employ a variety of techniques, including code obfuscation and unique exception handlers, to evade detection and analysis. The senders of the spear-phishing emails and the owners of the Google Drive URLs were also found to be the same accounts.
“We also believe that the attackers were able to conduct research and, potentially, prior breaches on the target organizations that allowed for familiarity, as indicated in the abbreviation of names from previously compromised accounts.”
At least three types of arrival vectors were observed in the latest campaign as the intrusions’ entry points, including over 30 lure archives worldwide distributed via Google Drive links, Dropbox links, or other IP addresses hosting the files.
Researchers concluded from their analysis that once the group has gained access to a victim’s network, the sensitive data it steals can be used as entry points for the next wave of intrusions.
They also share some mitigation measures, including:
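The delivery chain described above (archive lures reached through Google Drive, Dropbox or bare-IP links) is the point at which a mail gateway can inspect the message before anything is opened. The following is an added example, not code from the article or from the researchers it cites: it pulls file-hosting links out of an email body and inspects a zip/jar archive in memory for executable members, nested archives and encrypted entries, the three things a gateway most wants to know about a lure archive. The email text, archive contents, link patterns and extension lists are constructed for illustration; rar and 7z appear in the nested-archive list but only zip-format archives (which includes jar) are opened, since Python's standard library has no rar reader.

```python
import io
import re
import zipfile
from pathlib import PurePosixPath

# Link patterns for the hosting locations the article names (Google Drive,
# Dropbox, bare IP addresses). The regexes are an assumption, not from the article.
LINK_PATTERNS = {
    "google_drive": re.compile(r"https?://drive\.google\.com/\S+", re.I),
    "dropbox": re.compile(r"https?://(?:www\.)?dropbox\.com/\S+", re.I),
    "raw_ip": re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/\S*", re.I),
}

# Member types a gateway would typically flag. Heuristic lists, not from the article.
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".lnk", ".bat", ".cmd", ".js", ".vbs", ".ps1", ".hta"}
ARCHIVE_EXT = {".zip", ".rar", ".jar", ".7z"}


def extract_hosting_links(body: str) -> dict:
    """Return file-hosting URLs found in an email body, grouped by hosting type."""
    return {name: pat.findall(body) for name, pat in LINK_PATTERNS.items()}


def triage_zip(data: bytes) -> dict:
    """Inspect a zip/jar archive held in memory without extracting any member."""
    executables, nested, encrypted = [], [], False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i.filename for i in zf.infolist()]
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Bit 0 of the general-purpose flag marks an encrypted member, which
            # keeps content scanners from looking at the payload.
            if info.flag_bits & 0x1:
                encrypted = True
            # Suffix of the final path component, so "notes.docx.exe" is caught.
            ext = PurePosixPath(info.filename).suffix.lower()
            if ext in EXECUTABLE_EXT:
                executables.append(info.filename)
            elif ext in ARCHIVE_EXT:
                nested.append(info.filename)
    suspicious = bool(executables or nested or encrypted)
    return {
        "members": members,
        "executables": executables,
        "nested_archives": nested,
        "encrypted": encrypted,
        "verdict": "suspicious" if suspicious else "clean",
    }


# Constructed sample email; the IDs and IP are placeholders, not campaign indicators.
SAMPLE_EMAIL = """Subject: Re: Meeting notes
Please review the attached notes before Friday:
https://drive.google.com/file/d/EXAMPLE_FILE_ID/view
Backup copy: http://203.0.113.10:8080/notes.rar
"""


def build_sample_archive() -> bytes:
    """Build a constructed lure-style zip in memory: decoy document, executable, nested jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes/meeting_notes.docx", b"placeholder document bytes")
        zf.writestr("notes/update.exe", b"MZ placeholder")
        zf.writestr("notes/attachments.jar", b"PK\x03\x04 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(extract_hosting_links(SAMPLE_EMAIL))
    print(triage_zip(build_sample_archive()))
```

The archive is never extracted to disk; only the central directory is read, so the check is cheap enough to run on every inbound archive. A real gateway would fetch the linked file itself and add the sender-versus-link-owner comparison the article mentions, which this example cannot do offline.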