Hackers evolve techniques to bypass cybersecurity solutions
A recent campaign by Earth Preta shows that nation-state hackers aligned with China are becoming increasingly adept at circumventing security solutions. The threat actor has been active since at least 2012 and is known by the names Bronze President, HoneyMyte, Mustang Panda, RedDelta, and Red Lich.
The group initiates attack chains with spear-phishing emails, deploying a range of tools for backdoor access, command-and-control (C2), and data exfiltration. The messages come bearing malicious lure archives distributed via Dropbox or Google Drive links that employ DLL side-loading, LNK shortcut files, and fake file extensions as arrival vectors to obtain a foothold and drop backdoors like TONEINS, TONESHELL, PUBLOAD, and MQsTTang (aka QMAGENT).
According to a new analysis published by Trend Micro, “Earth Preta tends to hide malicious payloads in fake files, disguising them as legitimate ones – a technique that has been proven effective for avoiding detection”. This entry-point method, first detected last year, has since been modified: the download link to the archive is now embedded within another decoy document, and the archive itself is password-protected to sidestep email gateway solutions.
The researchers said, “The files can then be extracted inside via the password provided in the document. By using this technique, the malicious actor behind the attack can successfully bypass scanning services.”
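The practical defensive consequence of the two delivery tricks described above (password-protected archives that a gateway cannot open, and executables, LNK shortcuts or DLL side-loading pairs hidden behind fake extensions) is that an archive should be flagged on its metadata alone, before anyone tries to extract it. The following Python script is an added example and is not code from this article or from Trend Micro's research. It reads only the ZIP central directory: the general-purpose flag bit 0, which both ZipCrypto and WinZip-AES set, tells you an entry is encrypted without needing the password, and the entry names reveal double extensions, shortcut files and exe/dll pairs in one folder. The `build_zip` helper, the sample file names and the extension lists are constructed assumptions for the demonstration, not indicators from the report.

```python
import io
import posixpath
import struct
import zipfile
import zlib
from dataclasses import dataclass, field

# Assumed policy lists: final extensions that should never arrive unflagged in a mail
# attachment archive, and decoy extensions commonly placed before a real executable one.
EXECUTABLE_EXTS = {"exe", "dll", "scr", "com", "pif", "lnk", "cpl", "js", "vbs", "hta", "bat", "cmd", "ps1"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}


@dataclass
class ArchiveVerdict:
    encrypted: list = field(default_factory=list)       # entries with flag bit 0 set
    executables: list = field(default_factory=list)     # entries ending in an executable extension
    fake_extensions: list = field(default_factory=list) # e.g. Invoice.pdf.exe
    lnk_files: list = field(default_factory=list)       # Windows shortcut files
    sideload_pairs: list = field(default_factory=list)  # folders holding both an .exe and a .dll

    @property
    def suspicious(self) -> bool:
        return any([self.encrypted, self.executables, self.fake_extensions,
                    self.lnk_files, self.sideload_pairs])


def inspect_archive(data: bytes) -> ArchiveVerdict:
    """Classify a ZIP from its central directory only; no entry is ever extracted."""
    verdict = ArchiveVerdict()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
    exe_dirs, dll_dirs = set(), set()
    for info in infos:
        name = info.filename
        parts = posixpath.basename(name).lower().split(".")
        ext = parts[-1] if len(parts) > 1 else ""
        if info.flag_bits & 0x1:              # bit 0: entry is encrypted (ZipCrypto or AES)
            verdict.encrypted.append(name)
        if ext in EXECUTABLE_EXTS:
            verdict.executables.append(name)
        if ext == "lnk":
            verdict.lnk_files.append(name)
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS and ext in EXECUTABLE_EXTS:
            verdict.fake_extensions.append(name)
        folder = posixpath.dirname(name)
        if ext == "exe":
            exe_dirs.add(folder)
        elif ext == "dll":
            dll_dirs.add(folder)
    verdict.sideload_pairs = sorted(exe_dirs & dll_dirs)
    return verdict


def build_zip(entries, encrypted: bool = False) -> bytes:
    """Build a minimal stored (uncompressed) ZIP for testing. With encrypted=True the
    general-purpose flag bit 0 is set, exactly as a password-protected archive carries it;
    the payload bytes stay in the clear because only the header flag matters here."""
    flags = 0x1 if encrypted else 0
    local, central = b"", b""
    for name, payload in entries:
        nb = name.encode("utf-8")
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        offset = len(local)
        # Local file header: sig, version needed, flags, method, time, date (1980-01-01),
        # crc32, compressed size, uncompressed size, name length, extra length.
        local += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                             crc, len(payload), len(payload), len(nb), 0) + nb + payload
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0x21,
                               crc, len(payload), len(payload), len(nb), 0, 0, 0, 0, 0,
                               offset) + nb
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local), 0)
    return local + central + eocd


# Constructed sample archives (names are invented, payloads are placeholders).
SAMPLE_MALICIOUS = [
    ("Invoice_2023.pdf.exe", b"MZ-placeholder"),
    ("Details.lnk", b"L\x00\x00\x00-placeholder"),
    ("app/update.exe", b"MZ-placeholder"),
    ("app/version.dll", b"MZ-placeholder"),
]
SAMPLE_BENIGN = [("report.docx", b"PK-placeholder"), ("photo.jpg", b"\xff\xd8-placeholder")]

if __name__ == "__main__":
    for label, entries, enc in (("malicious", SAMPLE_MALICIOUS, True), ("benign", SAMPLE_BENIGN, False)):
        v = inspect_archive(build_zip(entries, encrypted=enc))
        print(f"{label}: suspicious={v.suspicious} {v}")
```

Two caveats on the check: it covers ZIP only, so a gateway should apply an equivalent header inspection (or a block-by-default rule) to RAR and 7z attachments, and an encrypted archive on its own is a reason to quarantine and have an analyst supply the document-provided password in a sandbox, never a reason to let the attachment pass because it could not be scanned.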
Once the hackers gain initial access to the victim’s environment, they proceed to the account discovery and privilege escalation phases. Mustang Panda leverages custom tools like ABPASS and CCPASS to circumvent User Account Control (UAC) in Windows 10.
Furthermore, the threat actor has been observed deploying malware such as “USB Driver.exe” (HIUPAN or MISTCLOAK) and “rzlog4cpp.dll” (ACNSHELL or BLUEHAZE) to install itself on removable disks and create a reverse shell, with the goal of moving laterally across the network.
Other utilities deployed include CLEXEC, a backdoor capable of executing commands and clearing event logs; COOLCLIENT and TROCLIENT, implants that are designed to record keystrokes as well as read and delete files; and PlugX. “Apart from well-known legitimate tools, the threat actors also crafted highly customized tools used for exfiltration,” the researchers noted. This comprises NUPAKAGE and ZPAKAGE, both of which are equipped to collect Microsoft Office files.
The research shows that Chinese cyber espionage actors are increasing their operational tempo and consistently investing in advancing their cyber weaponry to evade detection. “Earth Preta is a capable and organized threat actor that is continuously honing its TTPs, strengthening its development capabilities, and building a versatile arsenal of tools and malware,” the researchers concluded.
The sources for this piece include an article in TheHackerNews.