Phishing, Content, Content, Content

Cyber Attacker Earth Preta in Spear Phishing Campaign Via Google Drive Links

A wave of spear phishing attacks are targeting the government, academic, foundations, and research sectors in the Asia Pacific region, Trend Micro said in a new report.

Spear phishing is a phishing method that targets specific individuals or groups within an organization.

Earth Preta Attack Identified

The attacks, which Trend Micro has observed in the wild, appear to be the centerpiece of a wide scale espionage campaign carried out by a notorious APT group dubbed Earth Preta (aka, Mustang Panda and Bronze President) that began around March 2022. At this point, the operatives have targeted Myanmar, Australia, the Philippines, Japan and Taiwan, but there is reason to believe that other countries have been earmarked by the crew.

Here’s how an attack works: (via Trend Micro)

  • Earth Preta abused fake Google accounts to distribute the malware via spear-phishing emails, initially stored in an archive file (such as rar/zip/jar) and distributed through Google Drive links.
  • Users are then lured into downloading and triggering the malware to execute, TONEINS, TONESHELL, and PUBLOAD. PUBLOAD has been previously reported, but it is tied to TONEINS and TONESHELL, newly discovered malware families used by the group for its campaigns.
  • The actors use code obfuscation and custom exception handlers and other techniques to evading detection and analysis.

Spear Phishing Emails Linked to Google Drive

In its observations in the wild, Trend Micro discovered that the senders of the spear phishing emails and the owners of Google Drive links are the same.

As Trend Micro researchers wrote:

“Based on the sample documents that were used for luring the victims, we also believe that the attackers were able to conduct research and, potentially, prior breaches on the target organizations that allowed for familiarity, as indicated in the abbreviation of names from previously compromised accounts. Some of the emails’ subjects and contents discuss geopolitical topics, while others might contain sensational subjects. All of the emails Trend Micro analyzed had the Google Drive links embedded in them."

To not be victimized by Earth Preta, Trend Micro recommends companies implement ongoing phishing awareness training for partners and employees. Email recipients should be advised to check the sender and the subject twice before opening an email, especially with an unidentifiable sender or an unknown subject. Users should also use a multi-layered protection solution to detect and block threats.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.