Earth Preta Spear-Phishing Governments Worldwide

In our observation of the campaigns, we noted that, Earth Preta abused fake Google accounts to distribute the malware via spear-phishing emails, initially stored in an archive file (such as rar/zip/jar) and distributed through Google Drive links. Users are then lured into downloading and triggering the malware to execute, TONEINS, TONESHELL, and PUBLOAD. PUBLOAD has been previously reported, but we add new technical insights in this entry that tie it to TONEINS and TONESHELL, newly discovered malware families used by the group for its campaigns.

In addition, the actors leverage different techniques for evading detection and analysis, like code obfuscation and custom exception handlers. We also found that the senders of the spear-phishing emails and the owners of Google Drive links are the same. Based on the sample documents that were used for luring the victims, we also believe that the attackers were able to conduct research and, potentially, prior breaches on the target organizations that allowed for familiarity, as indicated in the abbreviation of names from previously compromised accounts.

In this blog entry, we discuss Earth Preta's new campaign and its tactics, techniques, and procedures (TTPs), including new installers and backdoors. Last, we share how security practitioners can track malware threats similar to those that we have identified.

Initial compromise and targets

Based on our monitoring of this threat, the decoy documents are written in Burmese, and the contents are "လျှို့ဝှက်ချက်" ("Internal-only"). Most of the topics in the documents are controversial issues between countries and contain words like "Secret" or "Confidential."  These could indicate that the attackers are targeting Myanmar government entities as their first entry point. This could also mean that the attackers have already compromised specific political entities prior to the attack, something that Talos Intelligence had also previously noted.

The attackers use the stolen documents as decoys to trick the targeted organizations working with Myanmar government offices into downloading and executing the malicious files. The victimology covers a broad range of organizations and verticals worldwide, with a higher concentration in the Asia Pacific region. Apart from the government offices with collaborative work in Myanmar, subsequent victims included the education and research industries, among others. In addition to decoy topics covering ongoing international events concerning specific organizations, the attackers also lure individuals with subject headings pertaining to pornographic materials.

Figure 2. Distribution of Earth Preta's targeted industries

Analyzing the routines

Figure 3. Earth Preta attack campaign routine from March to October 2022

Earth Preta uses spear-phishing emails as its first step for intrusion. As aforementioned, some of the emails' subjects and contents discuss geopolitical topics, while others might contain sensational subjects. We observed that all the emails we analyzed had the Google Drive links embedded in them, which points to how users might be tricked into downloading the malicious archives. The file types of the archives include compressed files such as .rar, .zip, and .jar, to name a few. Upon accessing the links, we learned that the archives contain the malware TONEINS, TONESHELL, and PUBLOAD malware families.

Figure 4. Email document sample of meeting minutes, likely stolen from a prior compromise

Spear-phishing emails

We analyzed the contents of the emails and observed that a Google Drive link is used as a lure for victims. The email's subject might be empty or might have the same name as the malicious archive. Rather than add the victims' addresses to the email's "To" header, the threat actors used fake emails. Meanwhile, the real victims' addresses were written in the "CC" header, likely to evade security analysis and slow down investigations. Using open-source intelligence (OSINT) tool GHunt to probe those Gmail addresses in the "To" section, we found these fake accounts with little information in them.

Moreover, we observed that some of the senders might be compromised email accounts from a specific organization. Victims might be convinced that these mails were sent from trusted partners, increasing the chances that recipients will select the malicious links.

Decoy documents

We also found some decoy documents linked to the organizations related to or working with Myanmar government entities. The first decoy's file name is Assistance and Recovery(china).exe, while another decoy .PDF document ("ပြည်ထောင်စုသမ္မတမြန်မာနိုင်ငံတော်သံရုံး.pdf, meaning "Embassy of the Republic of Myanmar") was observed in a compressed file named Assistance and Recovery(china).rar. Allegedly, this is a document containing the ambassador's report in rough meeting schedules between the embassies of Myanmar and China.

Another document is related to the Japan Society for the Promotion of Science (JSPS), an initiative that provides researchers opportunities to conduct and undergo research exchanges in Japan. Notably, the documents in the compressed file attachment(EN).rar are mostly image files. The malicious DLL and the executable, which are used for the next layer of sideloading, are also included among them.

Figure 5. Sample decoy documents relating to government meetings (left) and overseas research exchange (right)

There are also other decoy documents with diverse content themes, including regional affairs and pornography. However, when the victim opens the fake document file in this folder, no corresponding content appears.

Arrival vectors

We observed at least three types of arrival vectors as the intrusions' entry points, including over 30 lure archives around the world distributed via Google Drive links, Dropbox links, or other IP addresses hosting the files. In most of the archives we collected, there are legitimate executables, as well as the sideloaded DLL. The names of the archives and the decoy documents vary in each case. In the following sections, we take some of them as examples and share the TTPs of each.

Type A: DLL sideloading

In this case, there are three files in the archive: "~," Increasingly confident US is baiting China.exe, and libcef.dll. Notably, the names of the lure documents and executables can be different, as detailed in the next sections.

Filename	Detection	Description
220509 - (Cabinet Meeting 2022).zip	"~"		Lure document
Increasingly confident US is baiting China.exe		Legitimate executable for DLL sideloading
libcef.dll	Trojan.Win32.PUBLOAD	Malicious DLL

Table 1. Files in the archive of Type A

Figure 6. An example of a decoy document from the PUBLOAD archives

Inside the archive, the "~" file is a lure document. The executable Increasingly confident US is baiting China.exe is a legitimate executable (originally named adobe_licensing_wf_helper.exe, which is the Adobe Licensing WF Helper). This executable will sideload the malicious libcef.dll and trigger the export function cef_api_hash.

When executed for the first time, the executable tries to install the malware by copying the .exe file and moving libcef.dll (detected by Trend Micro as Trojan.Win32.PUBLOAD) to <%PUBLIC%> Both .exe and .dll files will be renamed C:\Users\Public\Pictures\adobe_wf.exe and C:\Users\Public\Pictures\libcef.dll, respectively. Additionally, "~" is renamed as 05-09-2022.docx and dropped to the Desktop.

Figure 7. Type A's malicious routine

Type B: Shortcut links

The malicious archive contains three files: New Word Document.lnk, putty.exe, and CefBrowser.dll. In particular, the DLL and executable files are placed in multiple layers of folders named "_".

Filename	Detection	Description
Desktop.rar	New Word Document.lnk		Installer
_\_\_\_\_\_\putty.exe		Legitimate executable for DLL sideloading
_\_\_\_\_\_\CefBrowser.dll	Backdoor.Win32.TONESHELL	Malicious DLL

Table 2. Files in the archive of Type B

The threat actor utilizes the .lnk file to install the malicious files by decompressing the archive file with WinRAR. The full command line is as follows.

%ComSpec% /c "_\_\_\_\_\_\putty.exe||(forfiles /P %APPDATA%\..\..\ /S /M Desktop.rar /C "cmd /c (c:\progra~1\winrar\winrar.exe x -inul -o+ @path||c:\progra~2\winrar\winrar.exe x -inul -o+ @path)&&_\_\_\_\_\_\putty.exe")"

Pputty.exe is masquerading as a normal executable; its original file name is AppXUpdate.exe. When it is executed, it sideloads CefBrowser.dll and executes the main routine in its export function, CCefInterface::SubProcessMain. It also abuses schtasks for persistence.

Figure 8. Type B's malicious routine

Type C: Fake file extensions

In this case, China VS Taiwan.rar contains several files, including:

Filename	Detection	Description
China VS Taiwan.rar	China VS Taiwan.exe		First-stage legitimate executable for DLL sideloading
libcef.dll	Trojan.Win32.TONEINS	First-stage malware
~$20220817.docx		Second-stage legitimate executable for DLL sideloading
~$20220617(1).docx	Backdoor.Win32.TONESHEL	Second-stage malware
15-8-2022.docx		Decoy document
China VS Taiwan(1).docx		Decoy document

Table 3. Files in the archive of Type C

libcef.dll (detected by Trend Micro as Trojan.Win32.TONEINS) is an installer for the next-stage malware. It copies two files with names starting with "~", in this case, ~$20220817.docx and ~$20220617(1).docx to <%USERPROFILE%\Pictures>. Both files have fake file extensions and masquerade as the temporary files generated while opening Microsoft Office software.</p> </div> </div> <div class="image"> <figure class="image-figure"> <img src="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/Fig9_Earth%20Preta.png" alt="Type C's malicious routine"> <figcaption>Figure 9. Type C's malicious routine</figcaption> </figure> </div> <div class="richText"> <div> <p><b><span class="body-subhead-title">Malware</span></b></p> <p>In this campaign, we identified the following malware used, namely PUBLOAD, TONEINS, and TONESHELL.</p> <p><b>Trojan.Win32.PUBLOAD</b></p> <p>PUBLOAD is a stager that can download the next-stage payload from its command-and-control (C&C) server. This malware was first disclosed by <a href="https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html">Cisco Talos</a> in May 2022.</p> <p>Once the <i>.dll</i> is executed, it first checks if the same process is already running by calling OpenEventA. According to the tweet posted by <a href="http://barberousse/">Barberousse</a>, some noteworthy event names are identified as usernames of other cybersecurity researchers on Twitter, such as "<a href="https://twitter.com/58_158_177_102">moto_sato</a>", "<a href="https://twitter.com/CrazymanArmy">xaacrazyman_armyCIAx</a>," and "<a href="https://twitter.com/_JohnHammond">JohnHammondTeam</a>." It is important to note that these researchers have nothing to do with PUBLOAD but were simply and intentionally mentioned by the threat actors in the binaries. </p> </div> </div> <div class="image"> <figure class="image-figure"> <img src="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/Fig10_Earth%20Preta.png" alt="An example of the special event name in PUBLOAD"> <figcaption>Figure 10. An example of the special event name in PUBLOAD</figcaption> </figure> </div> <div class="richText"> <div> <p><b>Persistence</b></p> <p>PUBLOAD creates a directory in <<i>C:\Users\Public\Libraries\></i> and drops all the malware, including the malicious DLL and the legitimate executable, into the directory. It then tries to establish persistence in one of the following ways:</p> <p>1. Adding a registry run key</p> <p><span class="blockquote">cmd.exe /C reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Graphics /t REG_SZ /d \"Rundll32.exe SHELL32.DLL,ShellExec_RunDLL \"C:\\Users\\Public\\Libraries\\Graphics\\AdobeLicensing.exe\"\" /f</span></p> <p>2. Creating a schedule task</p> <p><span class="blockquote">schtasks.exe /F /Create /TN Microsoft_Licensing /sc minute /MO 1 /TR C:\\Users\\Public\\Libraries\\Graphics\\AdobeLicensing.exe</span></p> <p><b>Anti-Antivirus: API with callback</b></p> <p>PUBLOAD malware decrypts the shellcode in AES algorithm in memory. The shellcode is invoked by creating a thread or using different APIs. The APIs can accept an argument of a callback function, working as an alternative to trigger the shellcode. We observed several leveraged APIs including GrayStringW, EnumDateFormatsA, and LineDDA, and can be considered as a technique to bypass antivirus monitoring and detection. </p> </div> </div> <div class="image"> <figure class="image-figure"> <img src="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/Fig11_Earth%20Preta.png" alt="An example of shellcode callback in PUBLOAD"> <figcaption>Figure 11. An example of shellcode callback in PUBLOAD</figcaption> </figure> </div> <div class="image"> <figure class="image-figure"> <img src="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/Fig12_Earth%20Preta.png" alt="APIs that accept a callback function"> <figcaption>Figure 12. APIs that accept a callback function</figcaption> </figure> </div> <div class="richText"> <div> <p><b>C&C protocol</b></p> <p>The decrypted PUBLOAD shellcode collects the computer name and the username as the payload of the first beacon. The payload will then be encrypted with the predefined RC4 (Rivest Cipher 4) key. As of this writing, all the stagers we have seen so far share the same key.</p> <p>After the encryption, the stager uses a specific byte sequence as its packet's header. It prepends the magic bytes "17 03 03" and the payload size before the encrypted data.</p> </div> </div> <div class="image"> <figure class="image-figure"> <img src="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/Fig%2013_Earth%20Preta.jpg" alt="The RC4 key used (top) and the packet body in PUBLOAD malware (bottom)"> <figcaption>Figure 13. The RC4 key used (top) and the packet body in PUBLOAD malware (bottom)</figcaption> </figure> </div> <div class="richText"> <div class="responsive-table-wrap"> <table cellpadding="1" cellspacing="0" border="1" width="100%"> <tbody><tr><td><b>Name</b></td> <td><b>Offset</b></td> <td><b>Size</b></td> <td><b>Description</b></td> </tr><tr><td>magic</td> <td>0x0</td> <td>0X3</td> <td>17 03 03</td> </tr><tr><td>size</td> <td>0x3</td> <td>0x2</td> <td>Payload size</td> </tr><tr><td>payload</td> <td>0x5</td> <td>[size]</td> <td style="text-align: left;">Payload</td> </tr></tbody></table> <p style="text-align: center;">Table 4. Request packet format in PUBLOAD</p> <p>The stager also checks if the response packet has the same magic header, "17 03 03". If so, the downloaded payload in memory will be treated as a piece of shellcode and will be executed directly.</p> <p><b>Noteworthy debug strings</b></p> <p>In early 2022, we found some samples of PUBLOAD embedded with debug strings. They are used to distract analysts from the main infection routines.</p> </div> </div> <div class="richText"> <div> <p>The stager also checks if the response packet has the same magic header, "17 03 03". If so, the downloaded payload in memory will be treated as a piece of shellcode and will be executed directly.</p> <p><b>Noteworthy debug strings</b></p> <p>In early 2022, we found some samples of PUBLOAD embedded with debug strings. They are used to distract analysts from the main infection routines.</p> </div> </div> <div class="image"> <figure class="image-figure"> <img src="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/Fig14_Earth%20Preta.png" alt="The distracting debug strings in PUBLOAD"> <figcaption>Figure 14. The distracting debug strings in PUBLOAD</figcaption> </figure> </div> <div class="richText"> <div> <p>After US House Speaker Nancy Pelosi's visit to Taiwan in August, we found an archive file named <i>"裴洛西訪台後民意匯總.rar" </i>(translated as "The public opinion summary of Pelosi's visit to Taiwan") in Traditional Chinese, but we could only get one of the malicious DLLs inside the archive file. Since the topic indicated in the file name itself is considered a controversial topic, it appears potentially catchy to the targeted recipient. The DLL turned out to be a PUBLOAD stager with several output debug strings.</p> </div> </div> <div class="image"> <figure class="image-figure"> <img src="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/Fig15_Earth%20Preta.png" alt="Debug strings in PUBLOAD"> <figcaption>Figure 15. Debug strings in PUBLOAD</figcaption> </figure> </div> <div class="richText"> <div> <p><b>Trojan.Win<a name="_Int_7zOeu8kd" id="_Int_7zOeu8kd"></a>32.TONEINS</b></p> <p>Trojan.Win32.TONEINS is the installer for TONESHELL backdoors. The installer drops the TONESHELL malware to the <i>%PUBLIC%</i> folder and establishes the persistence for it. TONEINS malware usually comes in the lure archives, and in most cases, the name of the TONEINS DLL is <i>libcef.dll</i>. The malicious routine is triggered via calling its export function <i>cef_api_hash</i>.</p> <p>The TONEINS malware is obfuscated, likely to slow down malware analysis. It contains a lot of junk codes in its control flow and has plenty of useless XOR instructions as though to imply that these are used to decode strings. Upon checking, we found that these obfuscated codes were reused from an <a href="https://github.com/Tai7sy/vs-obfuscation">open-source repository</a>.</p> </div> </div> <div class="image"> <figure class="image-figure"> <img src="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/Fig16_Earth%20Preta.png" alt="Code obfuscation in TONEINS"> <figcaption>Figure 16. Code obfuscation in TONEINS</figcaption> </figure> </div> <div class="richText"> <div> <p>The installer establishes the persistence for TONESHELL backdoors by using the following<i> schtasks </i>command:</p> <p><span class="blockquote">schtasks /create /sc minute /mo 2 /tn "ServiceHub.TestWindowStoreHost" /tr "C:\Users\Public\Pictures\ServiceHub.TestWindowStoreHost.exe" /f</span></p> <p>Based on our observations, the file names for the dropped TONESHELL malware differ in case, and so do the names of the scheduled tasks. After persistence is established, TONESHELL then copies the legitimate executable and the malicious DLL to the <i style="">%PUBLIC%</i> folder, wherein both files have names that start with "~" in the lure archive. In this sample, <i style="">~$20220817.docx</i> is a legitimate executable used for DLL sideloading, and <i style="">~$20220617(1).docx</i> is the TONESHELL backdoor DLL to be installed.<br> </p> </div> </div> <div class="image"> <figure class="image-figure"> <img src="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/Fig17_Earth%20Preta.png" alt="Files with fake file extensions"> <figcaption>Figure 17. Files with fake file extensions</figcaption> </figure> </div> <div class="richText"> <div> <p><b>Backdoor.Win32.TONESHELL</b></p> <p>The TONESHELL malware is the main backdoor used in this campaign. It is a shellcode loader that loads and decodes the backdoor shellcode with a 32-byte key in memory. In the earlier version of TONESHELL, it has the capabilities from TONEINS malware, including establishing persistence and installing backdoors. However, the more recent version of TONESHELL is a standalone backdoor without any installer capabilities (such as the file <i>~$Talk points.docx</i>). It is also obfuscated in a similar fashion to TONEINS malware, indicating that the actors continue to update the arsenal and separate the tools in order to bypass detection.</p> <p><b>Anti-Analysis: Process name check</b></p> <p>In order to make sure that the TONESHELL is installed correctly, Backdoor.Win32.TONESHELL first checks if the process path matches the expected one. If so, the malicious code could be triggered by the custom exception handler.</p> </div> </div> <div class="image"> <figure class="image-figure"> <img src="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/Fig18_Earth%20Preta.png" alt="Process name check in TONESHELL"> <figcaption>Figure 18. Process name check in TONESHELL</figcaption> </figure> </div> <div class="richText"> <div> <p><b>Anti-Analysis: Custom exception handler in C++</b></p> <p>Interestingly, the adversary hides the actual code flow with the implementation of custom exception handlers. Different exception handlers will be invoked based on the result of the process name check, continuing the malicious routine by triggering the exception with the call <i>_CxxThrowException</i>. After it is invoked, the C++ runtime will find the corresponding exception handler from the <i>ThrowInfo</i> structure all the way down to the <i>CatchProc</i> member in the <i>_msRttiDscr</i> structure, which contains the real malicious codes. In this sample, the exception handler is located at the offset 0x10005300. This technique not only hides the execution flow but also stops the execution of the analyst's debugger.</p> </div> </div> <div class="image"> <figure class="image-figure"> <img src="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/Fig19_Earth%20Preta.png" alt="Figure 19. Data workflow of exception handling in C++; the CatchProc member in the yellow circle is the malicious exception handler to be invoked"> <figcaption>Figure 19. Data workflow of exception handling in C++; the CatchProc member in the yellow circle is the malicious exception handler to be invoked</figcaption> </figure> </div> <div class="image"> <figure class="image-figure"> <img src="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/Fig20_Earth%20Preta.png" alt="The main malicious routine in the exception handler"> <figcaption>Figure 20. The main malicious routine in the exception handler</figcaption> </figure> </div> <div class="richText"> <div> <p><b>Anti-Analysis: ForegroundWindow check</b></p> <p>Looking at more recent TONESHELL samples, we noticed that a new anti-sandbox technique is added compared to the earlier versions. The newer versions invoke the GetForegroundWindow API twice and check if there is any window switch. If the environment is a sandbox, both calls will get the same window handle because there is no human interaction involved in most sandboxes, resulting in the foreground window not changing. In addition, as an anti-sandbox and delayed execution technique, the malicious routine can only be triggered if the foreground window has already been switched for the fifth time.</p> </div> </div> <div class="image"> <figure class="image-figure"> <img src="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/Fig21_Earth%20Preta.png" alt="GetForegroundWindow check in newer TONESHELL samples"> <figcaption>Figure 21. GetForegroundWindow check in newer TONESHELL samples</figcaption> </figure> </div> <div class="image"> <figure class="image-figure"> <img src="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/Fig22_Earth%20Preta.png" alt="Malicious routine triggered on the fifth window switch"> <figcaption>Figure 22. Malicious routine triggered on the fifth window switch</figcaption> </figure> </div> <div class="richText"> <div> <p><b>Shellcode decoding</b></p> <p>After the malicious exception handler is triggered, it starts to decode the next-stage TONESHELL shellcode. To decode the shellcode, it first decodes a 32-byte key in XOR operations with 0x7D, and the key will then be used to decode the shellcode body.</p> </div> </div> <div class="image"> <figure class="image-figure"> <img src="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/Fig%2023_Earth%20Preta.jpg" alt="Figure 23. An example of the 32-byte key (top) and the TONESHELL shellcode before decoding (middle) and after decoding (bottom)"> <figcaption>Figure 23. An example of the 32-byte key (top) and the TONESHELL shellcode before decoding (middle) and after decoding (bottom)</figcaption> </figure> </div> <div class="richText"> <div> <p><b>Evolving variants</b></p> <p>After our analysis and further threat hunting, we found several variants of TONESHELL shellcode:</p> <table cellpadding="1" cellspacing="0" border="1" width="100%"> <tbody><tr><td><b>First observed</b></td> <td><b>Variant</b></td> <td><b>Protocol</b></td> <td><b>C&C encryption</b></td> <td><b>Supported functions</b></td> </tr><tr><td>May 2022</td> <td>A </td> <td>Raw TCP</td> <td>RC4</td> <td><ul> <li><span class="rte-red-bullet">File upload</span></li> <li><span class="rte-red-bullet">File download</span></li> <li><span class="rte-red-bullet">File execution</span></li> <li><span class="rte-red-bullet">Lateral movement</span></li> </ul> </td> </tr><tr><td>Jul 2022</td> <td>B</td> <td>Raw TCP</td> <td>32-byte XOR</td> <td><ul> <li><span class="rte-red-bullet">File upload</span></li> <li><span class="rte-red-bullet">Lateral movement</span></li> </ul> </td> </tr><tr><td>Sep 2021</td> <td>C</td> <td>HTTP</td> <td>RC4</td> <td><ul> <li><span class="rte-red-bullet">File upload</span></li> <li><span class="rte-red-bullet">File execution</span></li> </ul> </td> </tr></tbody></table> <p style="text-align: center;">Table 5. Differences between TONESHELL variants</p> <p><b>Variant A</b></p> <p>TONESHELL supports up to 10 C&C servers by design, but in all the samples we encountered only one C&C server was used. Before connecting to the C&C server, it generates a victim ID (the variable <i>unique_id</i>) with the victim's volume serial and the computer name, or with a randomly generated GUID.</p> </div> </div> <div class="image"> <figure class="image-figure"> <img src="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/Fig24_Earth%20Preta.png" alt="Finding 10 C&C servers supported in TONESHELL"> <figcaption>Figure 24. Finding 10 C&C servers supported in TONESHELL</figcaption> </figure> </div> <div class="image"> <figure class="image-figure"> <img src="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/Fig25_Earth%20Preta.png" alt="The algorithm used to generate the victim's ID in TONESHELL variant A"> <figcaption>Figure 25. The algorithm used to generate the victim's ID in TONESHELL variant A</figcaption> </figure> </div> <div class="richText"> <div> <p>In the first beacon, it collects the following data from the victim's machine and sends them to the C&C server:</p> <ol> <li>Current process ID</li> <li>Volume serial</li> <li>Username</li> <li>Computer name</li> <li>Product name</li> <li>Operating system bit</li> <li>Processes list</li> </ol> <p>TONESHELL communicates over raw TCP, with the request header and the response header starting with the specific magic byte sequence "17 03 03". Based on our research, this magic header is used in all TONESHELL TCP variants and the identified PUBLOAD malware. The payload in the packet will be encrypted in RC4 algorithm. In this variant, its request packet format is as follows:</p> <table cellpadding="1" cellspacing="0" border="1" width="100%"> <tbody><tr><td><b>Name</b></td> <td><b>Offset</b></td> <td><b>Size </b></td> <td><b>Description </b></td> </tr><tr><td>magic</td> <td>0x0</td> <td>0x3</td> <td>17 03 03</td> </tr><tr><td>size</td> <td>0x3</td> <td>0x2</td> <td>Payload size</td> </tr><tr><td>type</td> <td>0x5</td> <td>0x1</td> <td>Connection type, 0x2</td> </tr><tr><td>unique_id</td> <td>0x6</td> <td>0x4</td> <td>Victim ID</td> </tr><tr><td>payload</td> <td>0x10</td> <td>[size]</td> <td>Payload</td> </tr></tbody></table> <p style="text-align: center;">Table 6. Request packet format in TONESHELL variant A<br> </p> </div> </div> <div class="image"> <figure class="image-figure"> <img src="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/Fig26_Earth%20Preta.png" alt="Packet header check in TONESHELL (all TCP variants and stagers)"> <figcaption>Figure 26. Packet header check in TONESHELL (all TCP variants and stagers)</figcaption> </figure> </div> <div class="richText"> <div> <p>The backdoor supports various functions, including file upload, file download, file execution, and lateral movement. We also noticed that its internal strings are self-explanatory. In fact, this malware is named TONESHELL after the typo found in its command "TOnePipeShell". The following table shows all of its commands:</p> <table cellpadding="1" cellspacing="0" border="1" width="100%"> <tbody><tr><td><b>Code</b></td> <td><b>Internal string</b></td> <td><b>Additional description</b></td> </tr><tr><td>0x1</td> <td>-</td> <td>Reset OnePipeShell & TwoPipeShell</td> </tr><tr><td>0x7</td> <td>-</td> <td>Reset OnePipeShell & TwoPipeShell</td> </tr><tr><td>0x3</td> <td>-</td> <td>Unknown</td> </tr><tr><td>0x4</td> <td>- </td> <td>Change sleep seconds</td> </tr><tr><td>0x1A</td> <td>Upload file begin</td> <td> </td> </tr><tr><td>0x1B</td> <td>Upload file begin</td> <td> </td> </tr><tr><td>0x1D</td> <td>Upload file cancel</td> <td> </td> </tr><tr><td>0x1C</td> <td>Upload file Endup</td> <td> </td> </tr><tr><td>0x10</td> <td>Exec file</td> <td> </td> </tr><tr><td>0x21</td> <td>Create TOnePipeShell</td> <td>OnePipeShell: one-way shell over one named pipe (meant for data exchange on intranet)</td> </tr><tr><td>0x22</td> <td>OnePipeShell Close</td> <td> </td> </tr><tr><td>0x1E</td> <td>TwoPipeShell Create</td> <td>TwoPipeShell: two-way shell over two named pipes (meant for data exchange on intranet)</td> </tr><tr><td>0x1F</td> <td>TwoPipeShell Write File</td> <td> </td> </tr><tr><td>0x20</td> <td>TwoPipeShell Close</td> <td> </td> </tr><tr><td>0x18</td> <td>Download</td> <td> </td> </tr><tr><td>0x19</td> <td>CDownUpLoad</td> <td> </td> </tr><tr><td>0x21</td> <td>-</td> <td>Exit</td> </tr></tbody></table> <p style="text-align: center;">Table 7. Command codes in TONESHELL variant A</p> <p><b>Variant B</b></p> <p>TONESHELL variant B is slightly different from variant A wherein the victim ID is generated from the tick count, username, and computer name instead.</p> </div> </div> <div class="image"> <figure class="image-figure"> <img src="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/Fig27_Earth%20Preta.png" alt="Different algorithm for the victim ID generation in TONESHELL variant B"> <figcaption>Figure 27. Different algorithm for the victim ID generation in TONESHELL variant B</figcaption> </figure> </div> <div class="richText"> <div> <p>The backdoor's protocol is also different. The payload in the packet is encoded with a random 32-byte key, and the key differs from packet to packet. The new key is generated whenever a new request is made.</p> <table cellpadding="1" cellspacing="0" border="1" width="100%"> <tbody><tr><td><b>Name</b></td> <td><b>Offset</b></td> <td><b>Size</b></td> <td><b>Description</b></td> </tr><tr><td>magic</td> <td>0x0</td> <td>0x3</td> <td>17 03 03</td> </tr><tr><td>size</td> <td>0x3</td> <td>0x2</td> <td>Payload size</td> </tr><tr><td>key</td> <td>0x5</td> <td>0x20</td> <td>32-byte XOR key</td> </tr><tr><td>payload</td> <td>0x25</td> <td>[size]</td> <td>Payload</td> </tr></tbody></table> <p style="text-align: center;">Table 8. Request packet format in TONESHELL variant B</p> </div> </div> <div class="image"> <figure class="image-figure"> <img src="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/Fig28_Earth%20Preta.png" alt="In TONESHELL variant B, the payload will be encoded in XOR operations before a request is made."> <figcaption>Figure 28. In TONESHELL variant B, the payload will be encoded in XOR operations before a request is made.</figcaption> </figure> </div> <div class="richText"> <div> <p>The command codes in this variant are as follows:</p> <table cellpadding="1" cellspacing="0" border="1" width="100%"> <tbody><tr><td><b>Code</b></td> <td><b>Internal string</b></td> <td><b>Description</b></td> </tr><tr><td>0x9</td> <td>-</td> <td>Reset OnePipeShell</td> </tr><tr><td>0xA</td> <td>-</td> <td>Reset OnePipeShell</td> </tr><tr><td>0x3</td> <td>-</td> <td>Unknown</td> </tr><tr><td>0x4</td> <td>- </td> <td>Change sleep seconds</td> </tr><tr><td>0x4</td> <td>Upload file begin</td> <td> </td> </tr><tr><td>0x5</td> <td>Upload file write</td> <td> </td> </tr><tr><td>0x7</td> <td>Upload file cancel</td> <td> </td> </tr><tr><td>0x6</td> <td>Upload file Endup</td> <td> </td> </tr><tr><td>0x3</td> <td>Create TOnePipeShell</td> <td> </td> </tr></tbody></table> <p style="text-align: center;">Table 9. Command codes in TONESHELL Variant B</p> <p><b>Variant C</b></p> <p>During our research, we hunted a dumped TONESHELL shellcode from VirusTotal (SHA256: 521662079c1473adb59f2d7134c8c1d76841f2a0f9b9e6e181aa54df25715a09). Our analysis showed it works similar to the two different variants, but the C&C protocol used is HTTP. It seems to be the earlier version of TONESHELL because the sample was uploaded in September 2021, and uses the POST method for the first beacon. The following data is collected from the victim's machine:</p> <ol> <li>Memory size</li> <li>Username</li> <li>Computer name</li> <li>Disk size</li> <li>Operating system bit</li> <li>Product name</li> </ol> </div> </div> <div class="image"> <figure class="image-figure"> <img src="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/Fig29_Earth%20Preta.png" alt="The first HTTP beacon request in TONESHELL Variant C"> <figcaption>Figure 29. The first HTTP beacon request in TONESHELL Variant C</figcaption> </figure> </div> <div class="richText"> <div> <p>The victim's ID (specified by the "Guid" header in the first beacon and later used in the "Cookie" header) is also generated from a random GUID. The body is also encrypted in RC4, and the command codes are much like Variant B as follows:</p> <table cellpadding="1" cellspacing="0" border="1" width="100%"> <tbody><tr><td><b>Code</b></td> <td><b>Internal string</b></td> <td><b>Additional description</b></td> </tr><tr><td>0x2</td> <td>-</td> <td>Reset OnePipeShell</td> </tr><tr><td>0x7</td> <td>-</td> <td>Reset OnePipeShell</td> </tr><tr><td>0x3</td> <td>-</td> <td>Unknown</td> </tr><tr><td>0x4</td> <td>-</td> <td>Change sleep seconds</td> </tr><tr><td>0x1A</td> <td>Upload file begin</td> <td> </td> </tr><tr><td>0x1B</td> <td>Upload file write</td> <td> </td> </tr><tr><td>0x1D</td> <td>Upload file cancel</td> <td> </td> </tr><tr><td>0x1C</td> <td>Upload file Endup</td> <td> </td> </tr><tr><td>0x10</td> <td>Exec file</td> <td> </td> </tr></tbody></table> <p style="text-align: center;">Table 10. Command codes in TONESHELL variant C</p> <h1><span class="body-subhead-title">Threat hunting</span></h1> <p>We observed that several TONESHELL and TONEINS malware samples were uploaded to VirusTotal in recent months. With the help of these, we collected several Google Drive links, such as 770d5b60d8dc0f32941a6b530c9598df92a7ec76b60309aa8648f9b3a3f3cca5.</p> </div> </div> <div class="image"> <figure class="image-figure"> <img src="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/Fig30_Earth%20Preta.png" alt="Example of a Google Drive link, found in the wild, containing both TONESHELL and TONEINS"> <figcaption>Figure 30. Example of a Google Drive link, found in the wild, containing both TONESHELL and TONEINS</figcaption> </figure> </div> <div class="richText"> <div> <p>Usually, we see such download links as the first arrival vectors. The Google Drive direct download link is represented in the format <i>https[:]//drive.google.com/uc?id=gdrive_file_id&export=download</i>. The <i>gdrive_file_id</i> is a unique identifier for this specific file. We can switch to web viewer to check its file contents and its owner by modifying the URL: <i>https[:]//drive.google.com/file/d/<b>gdrive_file_id</b>/view.</i></p> <p>In the details panel, we can find the owner of this file, and by hovering on the icon we can get the email address.</p> </div> </div> <div class="image"> <figure class="image-figure"> <img src="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/Fig31_Earth%20Preta.png" alt="The web viewer of Google Drive"> <figcaption>Figure 31. The web viewer of Google Drive</figcaption> </figure> </div> <div class="image"> <figure class="image-figure"> <img src="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/Fig32_Earth%20Preta.png" alt="The file owner's name and email address"> <figcaption>Figure 32. The file owner's name and email address</figcaption> </figure> </div> <div class="richText"> <div> <p>We can conduct further research with this specific email account. For example, after our investigation, we know that the actors abused the same email address to store the lure archives in Google Drive, as well as deliver the phishing email. If we hunt for this specific email address in the monitoring logs, we might find more distributed malware.</p> <h1><span class="body-subhead-title">Attribution</span></h1> <p>The observed TTPs in this campaign are similar to the campaign mentioned by <a href="https://www.secureworks.com/blog/bronze-president-targets-government-officials">Secureworks</a>. Both campaigns abused the <i>.lnk</i> files to trigger the malware. Compared to the said report's observations, the archive we found in this campaign share similar folder structures.</p> </div> </div> <div class="image"> <figure class="image-figure"> <img src="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/Fig33_Earth%20Preta.png" alt="Similar folder structure of BRONZE PRESIDENT (left) and Earth Preta (right)"> <figcaption>Figure 33. Similar folder structure of BRONZE PRESIDENT (left) and Earth Preta (right)</figcaption> </figure> </div> <div class="richText"> <div> <p>Based on the same report, Bronze President was known to be leveraging APIs with a callback function argument to invoke the shellcode like EnumThreadWindows. Similar techniques are also used in PUBLOAD malware.</p> <p>In addition, we also spotted a link between the two campaigns: One of the C&C servers (98[.]142[.]251[.]29) can be correlated to a shortcut file. This shortcut file appears in one lure archive "<i>EU 31^st session of the Commission on Crime Prevention and Criminal Justice United Nations on Drugs and Crime.rar</i>" (SHA256: 09fc8bf9e2980ebec1977a8023e8a2940e6adb5004f48d07ad34b71ebf35b877), which the Secureworks report also mentioned. We used the tool <a href="https://github.com/EricZimmerman/LECmd">LECmd</a> to parse the shortcut files wherein we found the specific C&C string inside the metadata of the .lnk file. It seems that the actor used the C&C string as the folder name.</p> </div> </div> <div class="image"> <figure class="image-figure"> <img src="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/Fig34_Earth%20Preta.png" alt="Metadata of the .lnk file (SHA256: a693b9f9ffc5f4900e094b1d1360f7e7b907c9c8680abfeace34e1a8e380f405)"> <figcaption>Figure 34. Metadata of the .lnk file (SHA256: a693b9f9ffc5f4900e094b1d1360f7e7b907c9c8680abfeace34e1a8e380f405)</figcaption> </figure> </div> <div class="richText"> <div> <p>Third, the infection chains mentioned by<a href="https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html"> Cisco Talos</a> also resemble what we have observed recently:</p> <ol> <li>Both use <i>schtasks</i> and registry run key for persistence.</li> <li>Both use benign executables for DLL sideloading.</li> <li>Both use malicious archives for arrival vectors.</li> </ol> <p>Most importantly, the stager mentioned in the report uses the same magic header (17 03 03) as TONESHELL does in the C&C communication protocol, thereby solidifying these malware families' link to Earth Preta.</p> <h1><span class="body-subhead-title">Conclusion</span></h1> <p>Earth Preta is a cyberespionage group known to develop their own loaders in combination with existing tools like PlugX and Cobalt Strike for compromise. Recent research papers show that it is constantly updating its toolsets and indicate that it is further expanding its capabilities.</p> <p>Based on our analysis, once the group has infiltrated a targeted victim's systems, the sensitive documents stolen can be abused as the entry vectors for the next wave of intrusions. This strategy largely broadens the affected scope in the region involved. For the group's objectives, the targeted area appears to be the countries in Asia.</p> <p>As part of organizational mitigation plans, we recommend implementing continuous phishing awareness trainings for partners and employees. We advise always checking the sender and the subject twice before opening an email, especially with an unidentifiable sender or an unknown subject. We also recommend a multi-layered protection solution is recommended to detect and block threats as far left to the malware infection chain as possible.</p> <p><span class="body-subhead-title">MITRE ATT&CK</span></p> </div> </div> <div class="image"> <figure class="image-figure"> <img src="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/MITRE_Earth%20Preta.png" alt="MITRE ATT&CK table"> <figcaption>MITRE ATT&CK table</figcaption> </figure> </div> <div class="richText"> <div> <h1><span class="body-subhead-title">Indicators of Compromise (IOCs)</span></h1> <p>The full list of IOCs can be found <a href="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/IOCs-earth-preta-spear-phishing-since-march.txt" target="_blank">here</a>.</p> </div> </div> </div> <section class="tag--list"> <div class="tag--list-title">Tags</div> <div class="tag--list-tags"> <a href="https://www.trendmicro.com/en_us/research.html?category=trend-micro-research:threats/apt-and-targeted-attacks" class="tag--list-anchor">APT & Targeted Attacks</a> <span class="tag--list-separator" role="separator">|</span> <a href="https://www.trendmicro.com/en_us/research.html?category=trend-micro-research:environments/endpoints" class="tag--list-anchor">Endpoints</a> <span class="tag--list-separator" role="separator">|</span> <a href="https://www.trendmicro.com/en_us/research.html?category=trend-micro-research:article-type/research" class="tag--list-anchor">Research</a> <span class="tag--list-separator" role="separator">|</span> <a href="https://www.trendmicro.com/en_us/research.html?category=trend-micro-research:medium/article" class="tag--list-anchor">Articles, News, Reports</a> </div> </section>