www.trendmicro.com
Open in
urlscan Pro
23.203.87.70
Public Scan
URL:
https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html
Submission: On November 28 via api from IN — Scanned from DE
Submission: On November 28 via api from IN — Scanned from DE
Form analysis 3 forms found in the DOM
<form class="main-menu-search" aria-label="Search Trend Micro">
<div class="main-menu-search__field-wrapper" id="cludo-search-form">
<table cellspacing="0" cellpadding="0" class="gsc-search-box" style="width:100%">
<tbody>
<tr>
<td class="gsc-input">
<input type="text" size="10" class="gsc-input" name="search" title="search" placeholder="Search Trend Micro" autocomplete="off">
</td>
</tr>
</tbody>
</table>
</div>
</form><form class="main-menu-search" aria-label="Search Trend Micro">
<div class="main-menu-search__field-wrapper" id="cludo-search-form-mobile">
<table cellspacing="0" cellpadding="0" class="gsc-search-box" style="width:100%">
<tbody>
<tr>
<td class="gsc-input">
<input type="text" size="10" class="gsc-input" name="search" title="search" placeholder="Search Trend Micro" autocomplete="off">
</td>
<td class="gsc-search-close collapsed" style="width:1%;" data-target="#search-mobile-wrapper" data-toggle="collapse">
<span class="icon-close"></span>
</td>
</tr>
</tbody>
</table>
</div>
</form>POST #
<form class="acsb-form" data-acsb-search="form" enctype="multipart/form-data" action="#" method="POST"> <input type="text" tabindex="0" name="acsb_search" autocomplete="off" placeholder="Unclear content? Search in dictionary..."
aria-label="Unclear content? Search in dictionary..."> <i class="acsbi-search"></i> <i class="acsbi-chevron_down"></i> </form>Text Content
Skip to Content
↵ENTER
Skip to Menu
↵ENTER
Skip to Footer
↵ENTER
Microsoft Exchange Server Security Alert: Attacks Employ Zero-Day
Vulnerabilities | How to stay protected >
dismiss
3 Alerts
* How Underground Groups Use Stolen Identities and Deepfakes
dismiss
Learn more
* Attack Surface Management 2022 Midyear Review
dismiss
Read blog
* Microsoft Exchange Server Security Alert: Attacks Employ Zero-Day
Vulnerabilities
dismiss
How to stay protected
* No new notifications at this time.
Download
* Scan Engines
* All Pattern Files
* All Downloads
* Subscribe to Download Center RSS
Buy
* Find a Partner
* Home Office Online Store
* Renew Online
* Free Tools
* Contact Sales
* Locations Worldwide
* 1-888-762-8736 (M-F 8am - 5pm CST)
* Small Business
* Buy Online
* Renew Online
Region
* The Americas
* United States
* Brasil
* Canada
* México
* Middle East & Africa
* South Africa
* Middle East and North Africa
* Europe
* België (Belgium)
* Česká Republika
* Danmark
* Deutschland, Österreich Schweiz
* España
* France
* Ireland
* Italia
* Nederland
* Norge (Norway)
* Polska (Poland)
* Suomi (Finland)
* Sverige (Sweden)
* Türkiye (Turkey)
* United Kingdom
* Asia & Pacific
* Australia
* Центральная Азия (Central Asia)
* Hong Kong (English)
* 香港 (中文) (Hong Kong)
* भारत गणराज्य (India)
* Indonesia
* 日本 (Japan)
* 대한민국 (South Korea)
* Malaysia
* Монголия (Mongolia) and рузия (Georgia)
* New Zealand
* Philippines
* Singapore
* 台灣 (Taiwan)
* ประเทศไทย (Thailand)
* Việt Nam
Log In
* My Support
* Log In to Support
* Partner Portal
* Home Solutions
* My Account
* Lost Device Portal
* Trend Micro Vault
* Password Manager
* Customer Licensing Portal
* Online Case Tracking
* Premium Support
* Worry-Free Business Security Services
* Remote Manager
* Cloud One
* Referral Affiliate
* Referral Affiliate
Free trials
* Cloud
* Detection and Response
* User Protection
Folio (0)
Contact Us
* Contact Sales
* Locations
* Support
* Find a Partner
* Learn of upcoming events
* Social Media Networks
* Facebook
* Twitter
* Linkedin
* Youtube
* Instagram
* 1-888-762-8736 (M-F 8-5 CST)
Business
For Home
Products Products
Trend Micro One - our unified cybersecurity platform >
Hybrid Cloud Security
Workload Security
Conformity
Container Security
File Storage Security
Application Security
Network Security
Open Source Security
Network Security
Intrusion Prevention
Advanced Threat Protection
Industrial Network Security
Mobile Network Security
Zero Trust Secure Access
User Protection
Endpoint Security
Email Security
Mobile Security
Web Security
Industrial Endpoint
Detection & Response
XDR
Attack Surface Risk Management
Powered by
AI/Machine Learning
Global Threat Intelligence
All Products & Trials
Our Unified Platform
Service Packages
Small & Midsize Business Security
Solutions Solutions
For Cloud
Cloud Migration
Cloud-Native App Development
Cloud Operational Excellence
Data Center Security
SaaS Applications
Internet of Things (IoT)
ICS / OT
Connected Car
5G Security for Enterprises
Risk Management
Ransomware
Cyber Insurance
End-of-Support Systems
Compliance
Detection and Response
Industries
Healthcare
Manufacturing
Oil & Gas
Electric Utility
Federal
Why Trend Micro Why Trend Micro
The Trend Micro Difference
Customer Successes
The Human Connection
Strategic Alliances
Industry Leadership
Research Research
Research
About Our Research
Research and Analysis
Research, News and Perspectives
Security Reports
Security News
Zero Day Initiative (ZDI)
Blog
Research by Topic
Vulnerabilities
Annual Predictions
The Deep Web
Internet of Things (IoT)
Resources
DevOps Resource Center
CISO Resource Center
What Is?
Threat Encyclopedia
Cloud Health Assessment
Cyber Risk Assessment
Enterprise Guides
Glossary of Terms
EXPLORE THE CYBER RISK INDEX (CRI)
Use the CRI to assess your organization’s preparedness against attacks, and get
a snapshot of cyber risk across organizations globally.
Calculate your risk
Services & Support Services & Support
Services
Service Packages
Managed XDR
Support Services
Business Support
Log In to Support
Technical Support
Virus & Threat Help
Renewals & Registration
Education & Certification
Contact Support
Downloads
Free Cleanup Tools
Find a Support Partner
For Popular Products
Deep Security
Apex One
Worry-Free
Worry-Free Renewals
Partners Partners
Channel Partners
Channel Partner Overview
Managed Service Provider
Cloud Service Provider
Professional Services
Resellers
Marketplace
System Integrators
Alliance Partners
Alliance Overview
Technology Alliance Partners
Our Alliance Partners
Tools and Resources
Find a Partner
Education and Certification
Partner Successes
Distributors
Partner Login
Company Company
Overview
Leadership
Customer Success Stories
Human Connections
Strategic Alliances
Industry Accolades
Newsroom
Webinars
Events
Security Experts
Careers
History
Corporate Social Responsibility
Diversity, Equity & Inclusion
Trust Center
Internet Safety and Cybersecurity Education
Investors
Legal
×
Folio (0)
3 Alerts
* How Underground Groups Use Stolen Identities and Deepfakes
dismiss
Learn more
* Attack Surface Management 2022 Midyear Review
dismiss
Read blog
* Microsoft Exchange Server Security Alert: Attacks Employ Zero-Day
Vulnerabilities
dismiss
How to stay protected
* No new notifications at this time.
Download
* Scan Engines
* All Pattern Files
* All Downloads
* Subscribe to Download Center RSS
Buy
* Find a Partner
* Home Office Online Store
* Renew Online
* Free Tools
* Contact Sales
* Locations Worldwide
* 1-888-762-8736 (M-F 8am - 5pm CST)
* Small Business
* Buy Online
* Renew Online
Region
* The Americas
* United States
* Brasil
* Canada
* México
* Middle East & Africa
* South Africa
* Middle East and North Africa
* Europe
* België (Belgium)
* Česká Republika
* Danmark
* Deutschland, Österreich Schweiz
* España
* France
* Ireland
* Italia
* Nederland
* Norge (Norway)
* Polska (Poland)
* Suomi (Finland)
* Sverige (Sweden)
* Türkiye (Turkey)
* United Kingdom
* Asia & Pacific
* Australia
* Центральная Азия (Central Asia)
* Hong Kong (English)
* 香港 (中文) (Hong Kong)
* भारत गणराज्य (India)
* Indonesia
* 日本 (Japan)
* 대한민국 (South Korea)
* Malaysia
* Монголия (Mongolia) and рузия (Georgia)
* New Zealand
* Philippines
* Singapore
* 台灣 (Taiwan)
* ประเทศไทย (Thailand)
* Việt Nam
Log In
* My Support
* Log In to Support
* Partner Portal
* Home Solutions
* My Account
* Lost Device Portal
* Trend Micro Vault
* Password Manager
* Customer Licensing Portal
* Online Case Tracking
* Premium Support
* Worry-Free Business Security Services
* Remote Manager
* Cloud One
* Referral Affiliate
* Referral Affiliate
Free trials
* Cloud
* Detection and Response
* User Protection
Folio (0)
Contact Us
* Contact Sales
* Locations
* Support
* Find a Partner
* Learn of upcoming events
* Social Media Networks
* Facebook
* Twitter
* Linkedin
* Youtube
* Instagram
* 1-888-762-8736 (M-F 8-5 CST)
* How Underground Groups Use Stolen Identities and Deepfakes
dismiss
Learn more
* Attack Surface Management 2022 Midyear Review
dismiss
Read blog
* Microsoft Exchange Server Security Alert: Attacks Employ Zero-Day
Vulnerabilities
dismiss
How to stay protected
* No new notifications at this time.
* Scan Engines
* All Pattern Files
* All Downloads
* Subscribe to Download Center RSS
* Find a Partner
* Home Office Online Store
* Renew Online
* Free Tools
* Contact Sales
* Locations Worldwide
* 1-888-762-8736 (M-F 8am - 5pm CST)
* Small Business
* Buy Online
* Renew Online
* The Americas
* United States
* Brasil
* Canada
* México
* Middle East & Africa
* South Africa
* Middle East and North Africa
* Europe
* België (Belgium)
* Česká Republika
* Danmark
* Deutschland, Österreich Schweiz
* España
* France
* Ireland
* Italia
* Nederland
* Norge (Norway)
* Polska (Poland)
* Suomi (Finland)
* Sverige (Sweden)
* Türkiye (Turkey)
* United Kingdom
* Asia & Pacific
* Australia
* Центральная Азия (Central Asia)
* Hong Kong (English)
* 香港 (中文) (Hong Kong)
* भारत गणराज्य (India)
* Indonesia
* 日本 (Japan)
* 대한민국 (South Korea)
* Malaysia
* Монголия (Mongolia) and рузия (Georgia)
* New Zealand
* Philippines
* Singapore
* 台灣 (Taiwan)
* ประเทศไทย (Thailand)
* Việt Nam
* My Support
* Log In to Support
* Partner Portal
* Home Solutions
* My Account
* Lost Device Portal
* Trend Micro Vault
* Password Manager
* Customer Licensing Portal
* Online Case Tracking
* Premium Support
* Worry-Free Business Security Services
* Remote Manager
* Cloud One
* Referral Affiliate
* Referral Affiliate
* Cloud
* Detection and Response
* User Protection
* Contact Sales
* Locations
* Support
* Find a Partner
* Learn of upcoming events
* Social Media Networks
* Facebook
* Twitter
* Linkedin
* Youtube
* Instagram
* 1-888-762-8736 (M-F 8-5 CST)
undefined
APT & Targeted Attacks
Earth Preta Spear-Phishing Governments Worldwide
Subscribe
Content added to Folio
Folio (0) close
APT & Targeted Attacks
EARTH PRETA SPEAR-PHISHING GOVERNMENTS WORLDWIDE
We break down the cyberespionage activities of advanced persistent threat (APT)
group Earth Preta, observed in large-scale attack deployments that began in
March. We also show the infection routines of the malware families they use to
infect multiple sectors worldwide: TONEINS, TONESHELL, and PUBLOAD.
By: Nick Dai, Vickie Su, Sunny Lu November 18, 2022 Read time: 16 min (4199
words)
Save to Folio
Subscribe
--------------------------------------------------------------------------------
We have been monitoring a wave of spear-phishing attacks targeting the
government, academic, foundations, and research sectors around the world. Based
on the lure documents we observed in the wild, this is a large-scale
cyberespionage campaign that began around March. After months of tracking, the
seemingly wide outbreak of targeted attacks includes but not limited to Myanmar,
Australia, the Philippines, Japan and Taiwan. We analyzed the malware families
used in this campaign and attributed the incidents to a notorious advanced
persistent threat (APT) group called Earth Preta (also known as Mustang Panda
and Bronze President).
Figure 1. Country distribution of Earth Preta attacks from May to October 2022
In our observation of the campaigns, we noted that, Earth Preta abused fake
Google accounts to distribute the malware via spear-phishing emails, initially
stored in an archive file (such as rar/zip/jar) and distributed through Google
Drive links. Users are then lured into downloading and triggering the malware to
execute, TONEINS, TONESHELL, and PUBLOAD. PUBLOAD has been previously reported,
but we add new technical insights in this entry that tie it to TONEINS and
TONESHELL, newly discovered malware families used by the group for its
campaigns.
In addition, the actors leverage different techniques for evading detection and
analysis, like code obfuscation and custom exception handlers. We also found
that the senders of the spear-phishing emails and the owners of Google Drive
links are the same. Based on the sample documents that were used for luring the
victims, we also believe that the attackers were able to conduct research and,
potentially, prior breaches on the target organizations that allowed for
familiarity, as indicated in the abbreviation of names from previously
compromised accounts.
In this blog entry, we discuss Earth Preta’s new campaign and its tactics,
techniques, and procedures (TTPs), including new installers and backdoors. Last,
we share how security practitioners can track malware threats similar to those
that we have identified.
Initial compromise and targets
Based on our monitoring of this threat, the decoy documents are written in
Burmese, and the contents are "လျှို့ဝှက်ချက်" (“Internal-only”). Most of the
topics in the documents are controversial issues between countries and contain
words like "Secret" or “Confidential.” These could indicate that the attackers
are targeting Myanmar government entities as their first entry point. This could
also mean that the attackers have already compromised specific political
entities prior to the attack, something that Talos Intelligence had also
previously noted.
The attackers use the stolen documents as decoys to trick the targeted
organizations working with Myanmar government offices into downloading and
executing the malicious files. The victimology covers a broad range of
organizations and verticals worldwide, with a higher concentration in the Asia
Pacific region. Apart from the government offices with collaborative work in
Myanmar, subsequent victims included the education and research industries,
among others. In addition to decoy topics covering ongoing international events
concerning specific organizations, the attackers also lure individuals with
subject headings pertaining to pornographic materials.
Figure 2. Distribution of Earth Preta’s targeted industries
Analyzing the routines
Figure 3. Earth Preta attack campaign routine from March to October 2022
Earth Preta uses spear-phishing emails as its first step for intrusion. As
aforementioned, some of the emails’ subjects and contents discuss geopolitical
topics, while others might contain sensational subjects. We observed that all
the emails we analyzed had the Google Drive links embedded in them, which points
to how users might be tricked into downloading the malicious archives. The file
types of the archives include compressed files such as .rar, .zip, and .jar, to
name a few. Upon accessing the links, we learned that the archives contain the
malware TONEINS, TONESHELL, and PUBLOAD malware families.
Figure 4. Email document sample of meeting minutes, likely stolen from a prior
compromise
Spear-phishing emails
We analyzed the contents of the emails and observed that a Google Drive link is
used as a lure for victims. The email's subject might be empty or might have the
same name as the malicious archive. Rather than add the victims’ addresses to
the email’s “To” header, the threat actors used fake emails. Meanwhile, the real
victims' addresses were written in the "CC" header, likely to evade security
analysis and slow down investigations. Using open-source intelligence (OSINT)
tool GHunt to probe those Gmail addresses in the “To” section, we found these
fake accounts with little information in them.
Moreover, we observed that some of the senders might be compromised email
accounts from a specific organization. Victims might be convinced that these
mails were sent from trusted partners, increasing the chances that recipients
will select the malicious links.
Decoy documents
We also found some decoy documents linked to the organizations related to or
working with Myanmar government entities. The first decoy's file name is
Assistance and Recovery(china).exe, while another decoy .PDF document
(“ပြည်ထောင်စုသမ္မတမြန်မာနိုင်ငံတော်သံရုံး.pdf, meaning “Embassy of the Republic
of Myanmar") was observed in a compressed file named Assistance and
Recovery(china).rar. Allegedly, this is a document containing the ambassador’s
report in rough meeting schedules between the embassies of Myanmar and China.
Another document is related to the Japan Society for the Promotion of Science
(JSPS), an initiative that provides researchers opportunities to conduct and
undergo research exchanges in Japan. Notably, the documents in the compressed
file attachment(EN).rar are mostly image files. The malicious DLL and the
executable, which are used for the next layer of sideloading, are also included
among them.
Figure 5. Sample decoy documents relating to government meetings (left) and
overseas research exchange (right)
There are also other decoy documents with diverse content themes, including
regional affairs and pornography. However, when the victim opens the fake
document file in this folder, no corresponding content appears.
Arrival vectors
We observed at least three types of arrival vectors as the intrusions' entry
points, including over 30 lure archives around the world distributed via Google
Drive links, Dropbox links, or other IP addresses hosting the files. In most of
the archives we collected, there are legitimate executables, as well as the
sideloaded DLL. The names of the archives and the decoy documents vary in each
case. In the following sections, we take some of them as examples and share the
TTPs of each.
Type A: DLL sideloading
In this case, there are three files in the archive: "~," Increasingly confident
US is baiting China.exe, and libcef.dll. Notably, the names of the lure
documents and executables can be different, as detailed in the next sections.
Filename Detection Description 220509 - (Cabinet Meeting 2022).zip ~ Lure
document Increasingly confident US is baiting China.exe Legitimate executable
for DLL sideloading libcef.dll Trojan.Win32.PUBLOAD Malicious DLL
Table 1. Files in the archive of Type A
Figure 6. An example of a decoy document from the PUBLOAD archives
Inside the archive, the "~" file is a lure document. The executable Increasingly
confident US is baiting China.exe is a legitimate executable (originally named
adobe_licensing_wf_helper.exe, which is the Adobe Licensing WF Helper). This
executable will sideload the malicious libcef.dll and trigger the export
function cef_api_hash.
When executed for the first time, the executable tries to install the malware by
copying the .exe file and moving libcef.dll (detected by Trend Micro as
Trojan.Win32.PUBLOAD) to <%PUBLIC%> Both .exe and .dll files will be renamed
C:\Users\Public\Pictures\adobe_wf.exe and C:\Users\Public\Pictures\libcef.dll,
respectively. Additionally, "~" is renamed as 05-09-2022.docx and dropped to the
Desktop.
Figure 7. Type A’s malicious routine
Type B: Shortcut links
The malicious archive contains three files: New Word Document.lnk, putty.exe,
and CefBrowser.dll. In particular, the DLL and executable files are placed in
multiple layers of folders named “_”.
Filename Detection Description Desktop.rar New Word Document.lnk Installer
_\_\_\_\_\_\putty.exe Legitimate executable for DLL sideloading
_\_\_\_\_\_\CefBrowser.dll Backdoor.Win32.TONESHELL Malicious DLL
Table 2. Files in the archive of Type B
The threat actor utilizes the .lnk file to install the malicious files by
decompressing the archive file with WinRAR. The full command line is as follows.
%ComSpec% /c "_\_\_\_\_\_\putty.exe||(forfiles /P %APPDATA%\..\..\ /S /M
Desktop.rar /C "cmd /c (c:\progra~1\winrar\winrar.exe x -inul -o+
@path||c:\progra~2\winrar\winrar.exe x -inul -o+
@path)&&_\_\_\_\_\_\putty.exe")"
Pputty.exe is masquerading as a normal executable; its original file name is
AppXUpdate.exe. When it is executed, it sideloads CefBrowser.dll and executes
the main routine in its export function, CCefInterface::SubProcessMain. It also
abuses schtasks for persistence.
Figure 8. Type B's malicious routine
Type C: Fake file extensions
In this case, China VS Taiwan.rar contains several files, including:
Filename Detection Description China VS Taiwan.rar China VS Taiwan.exe
First-stage legitimate executable for DLL sideloading libcef.dll
Trojan.Win32.TONEINS First-stage malware ~$20220817.docx Second-stage
legitimate executable for DLL sideloading ~$20220617(1).docx
Backdoor.Win32.TONESHELL Second-stage malware 15-8-2022.docx Decoy document
China VS Taiwan(1).docx Decoy document
Table 3. Files in the archive of Type C
libcef.dll (detected by Trend Micro as Trojan.Win32.TONEINS) is an installer for
the next-stage malware. It copies two files with names starting with "~", in
this case, ~$20220817.docx and ~$20220617(1).docx to <%USERPROFILE%\Pictures>.
Both files have fake file extensions and masquerade as the temporary files
generated while opening Microsoft Office software.
Figure 9. Type C’s malicious routine
Malware
In this campaign, we identified the following malware used, namely PUBLOAD,
TONEINS, and TONESHELL.
Trojan.Win32.PUBLOAD
PUBLOAD is a stager that can download the next-stage payload from its
command-and-control (C&C) server. This malware was first disclosed by Cisco
Talos in May 2022.
Once the .dll is executed, it first checks if the same process is already
running by calling OpenEventA. According to the tweet posted by Barberousse,
some noteworthy event names are identified as usernames of other cybersecurity
researchers on Twitter, such as "moto_sato", "xaacrazyman_armyCIAx," and
"JohnHammondTeam." It is important to note that these researchers have nothing
to do with PUBLOAD but were simply and intentionally mentioned by the threat
actors in the binaries.
Figure 10. An example of the special event name in PUBLOAD
Persistence
PUBLOAD creates a directory in <C:\Users\Public\Libraries\> and drops all the
malware, including the malicious DLL and the legitimate executable, into the
directory. It then tries to establish persistence in one of the following ways:
1. Adding a registry run key
cmd.exe /C reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v
Graphics /t REG_SZ /d \"Rundll32.exe SHELL32.DLL,ShellExec_RunDLL
\"C:\\Users\\Public\\Libraries\\Graphics\\AdobeLicensing.exe\"\" /f
2. Creating a schedule task
schtasks.exe /F /Create /TN Microsoft_Licensing /sc minute /MO 1 /TR
C:\\Users\\Public\\Libraries\\Graphics\\AdobeLicensing.exe
Anti-Antivirus: API with callback
PUBLOAD malware decrypts the shellcode in AES algorithm in memory. The shellcode
is invoked by creating a thread or using different APIs. The APIs can accept an
argument of a callback function, working as an alternative to trigger the
shellcode. We observed several leveraged APIs including GrayStringW,
EnumDateFormatsA, and LineDDA, and can be considered as a technique to bypass
antivirus monitoring and detection.
Figure 11. An example of shellcode callback in PUBLOAD
Figure 12. APIs that accept a callback function
C&C protocol
The decrypted PUBLOAD shellcode collects the computer name and the username as
the payload of the first beacon. The payload will then be encrypted with the
predefined RC4 (Rivest Cipher 4) key. As of this writing, all the stagers we
have seen so far share the same key.
After the encryption, the stager uses a specific byte sequence as its packet’s
header. It prepends the magic bytes "17 03 03" and the payload size before the
encrypted data.
Figure 13. The RC4 key used (top) and the packet body in PUBLOAD malware
(bottom)
Name Offset Size Description magic 0x0 0X3 17 03 03 size 0x3 0x2 Payload size
payload 0x5 [size] Payload
Table 4. Request packet format in PUBLOAD
The stager also checks if the response packet has the same magic header, “17 03
03”. If so, the downloaded payload in memory will be treated as a piece of
shellcode and will be executed directly.
Noteworthy debug strings
In early 2022, we found some samples of PUBLOAD embedded with debug strings.
They are used to distract analysts from the main infection routines.
Figure 14. The distracting debug strings in PUBLOAD
After US House Speaker Nancy Pelosi’s visit to Taiwan in August, we found an
archive file named "裴洛西訪台後民意匯總.rar" (translated as “The public opinion summary
of Pelosi's visit to Taiwan”) in Traditional Chinese, but we could only get one
of the malicious DLLs inside the archive file. Since the topic indicated in the
file name itself is considered a controversial topic, it appears potentially
catchy to the targeted recipient. The DLL turned out to be a PUBLOAD stager with
several output debug strings.
Figure 15. Debug strings in PUBLOAD
Trojan.Win32.TONEINS
Trojan.Win32.TONEINS is the installer for TONESHELL backdoors. The installer
drops the TONESHELL malware to the %PUBLIC% folder and establishes the
persistence for it. TONEINS malware usually comes in the lure archives, and in
most cases, the name of the TONEINS DLL is libcef.dll. The malicious routine is
triggered via calling its export function cef_api_hash.
The TONEINS malware is obfuscated, likely to slow down malware analysis. It
contains a lot of junk codes in its control flow and has plenty of useless XOR
instructions as though to imply that these are used to decode strings. Upon
checking, we found that these obfuscated codes were reused from an open-source
repository.
Figure 16. Code obfuscation in TONEINS
The installer establishes the persistence for TONESHELL backdoors by using the
following schtasks command:
schtasks /create /sc minute /mo 2 /tn "ServiceHub.TestWindowStoreHost" /tr
"C:\Users\Public\Pictures\ServiceHub.TestWindowStoreHost.exe" /f
Based on our observations, the file names for the dropped TONESHELL malware
differ in case, and so do the names of the scheduled tasks. After persistence is
established, TONESHELL then copies the legitimate executable and the malicious
DLL to the %PUBLIC% folder, wherein both files have names that start with “~” in
the lure archive. In this sample, ~$20220817.docx is a legitimate executable
used for DLL sideloading, and ~$20220617(1).docx is the TONESHELL backdoor DLL
to be installed.
Figure 17. Files with fake file extensions
Backdoor.Win32.TONESHELL
The TONESHELL malware is the main backdoor used in this campaign. It is a
shellcode loader that loads and decodes the backdoor shellcode with a 32-byte
key in memory. In the earlier version of TONESHELL, it has the capabilities from
TONEINS malware, including establishing persistence and installing backdoors.
However, the more recent version of TONESHELL is a standalone backdoor without
any installer capabilities (such as the file ~$Talk points.docx). It is also
obfuscated in a similar fashion to TONEINS malware, indicating that the actors
continue to update the arsenal and separate the tools in order to bypass
detection.
Anti-Analysis: Process name check
In order to make sure that the TONESHELL is installed correctly,
Backdoor.Win32.TONESHELL first checks if the process path matches the expected
one. If so, the malicious code could be triggered by the custom exception
handler.
Figure 18. Process name check in TONESHELL
Anti-Analysis: Custom exception handler in C++
Interestingly, the adversary hides the actual code flow with the implementation
of custom exception handlers. Different exception handlers will be invoked based
on the result of the process name check, continuing the malicious routine by
triggering the exception with the call _CxxThrowException. After it is invoked,
the C++ runtime will find the corresponding exception handler from the ThrowInfo
structure all the way down to the CatchProc member in the _msRttiDscr structure,
which contains the real malicious codes. In this sample, the exception handler
is located at the offset 0x10005300. This technique not only hides the execution
flow but also stops the execution of the analyst's debugger.
Figure 19. Data workflow of exception handling in C++; the CatchProc member in
the yellow circle is the malicious exception handler to be invoked
Figure 20. The main malicious routine in the exception handler
Anti-Analysis: ForegroundWindow check
Looking at more recent TONESHELL samples, we noticed that a new anti-sandbox
technique is added compared to the earlier versions. The newer versions invoke
the GetForegroundWindow API twice and check if there is any window switch. If
the environment is a sandbox, both calls will get the same window handle because
there is no human interaction involved in most sandboxes, resulting in the
foreground window not changing. In addition, as an anti-sandbox and delayed
execution technique, the malicious routine can only be triggered if the
foreground window has already been switched for the fifth time.
Figure 21. GetForegroundWindow check in newer TONESHELL samples
Figure 22. Malicious routine triggered on the fifth window switch
Shellcode decoding
After the malicious exception handler is triggered, it starts to decode the
next-stage TONESHELL shellcode. To decode the shellcode, it first decodes a
32-byte key in XOR operations with 0x7D, and the key will then be used to decode
the shellcode body.
Figure 23. An example of the 32-byte key (top) and the TONESHELL shellcode
before decoding (middle) and after decoding (bottom)
Evolving variants
After our analysis and further threat hunting, we found several variants of
TONESHELL shellcode:
First observed Variant Protocol C&C encryption Supported functions May 2022 A
Raw TCP RC4
* File upload
* File download
* File execution
* Lateral movement
Jul 2022 B Raw TCP 32-byte XOR
* File upload
* Lateral movement
Sep 2021 C HTTP RC4
* File upload
* File execution
Table 5. Differences between TONESHELL variants
Variant A
TONESHELL supports up to 10 C&C servers by design, but in all the samples we
encountered only one C&C server was used. Before connecting to the C&C server,
it generates a victim ID (the variable unique_id) with the victim's volume
serial and the computer name, or with a randomly generated GUID.
Figure 24. Finding 10 C&C servers supported in TONESHELL
Figure 25. The algorithm used to generate the victim’s ID in TONESHELL variant A
In the first beacon, it collects the following data from the victim's machine
and sends them to the C&C server:
1. Current process ID
2. Volume serial
3. Username
4. Computer name
5. Product name
6. Operating system bit
7. Processes list
TONESHELL communicates over raw TCP, with the request header and the response
header starting with the specific magic byte sequence "17 03 03". Based on our
research, this magic header is used in all TONESHELL TCP variants and the
identified PUBLOAD malware. The payload in the packet will be encrypted in RC4
algorithm. In this variant, its request packet format is as follows:
Name Offset Size Description magic 0x0 0x3 17 03 03 size 0x3 0x2 Payload size
type 0x5 0x1 Connection type, 0x0 or 0x1 unique_id 0x6 0x4 Victim ID payload
0x10 [size] Payload
Table 6. Request packet format in TONESHELL variant A
Figure 26. Packet header check in TONESHELL (all TCP variants and stagers)
The backdoor supports various functions, including file upload, file download,
file execution, and lateral movement. We also noticed that its internal strings
are self-explanatory. In fact, this malware is named TONESHELL after the typo
found in its command "TOnePipeShell". The following table shows all of its
commands:
Code Internal string Additional description 0x1 - Reset OnePipeShell &
TwoPipeShell 0x7 - Reset OnePipeShell & TwoPipeShell 0x3 - Unknown 0x4 - Change
sleep seconds 0x1A Upload file begin 0x1B Upload file begin 0x1D Upload file
cancel 0x1C Upload file Endup 0x10 Exec file 0x21 Create TOnePipeShell
OnePipeShell: one-way shell over one named pipe (meant for data exchange on
intranet) 0x22 OnePipeShell Close 0x1E TwoPipeShell Create TwoPipeShell:
two-way shell over two named pipes (meant for data exchange on intranet) 0x1F
TwoPipeShell Write File 0x20 TwoPipeShell Close 0x18 Download 0x19
CDownUpLoad 0x21 - Exit
Table 7. Command codes in TONESHELL variant A
Variant B
TONESHELL variant B is slightly different from variant A wherein the victim ID
is generated from the tick count, username, and computer name instead.
Figure 27. Different algorithm for the victim ID generation in TONESHELL variant
B
The backdoor's protocol is also different. The payload in the packet is encoded
with a random 32-byte key, and the key differs from packet to packet. The new
key is generated whenever a new request is made.
Name Offset Size Description magic 0x0 0x3 17 03 03 size 0x3 0x2 Payload size
key 0x5 0x20 32-byte XOR key payload 0x25 [size] Payload
Table 8. Request packet format in TONESHELL variant B
Figure 28. In TONESHELL variant B, the payload will be encoded in XOR operations
before a request is made.
The command codes in this variant are as follows:
Code Internal string Description 0x9 - Reset OnePipeShell 0xA - Reset
OnePipeShell 0x3 - Unknown 0x4 - Change sleep seconds 0x4 Upload file begin
0x5 Upload file write 0x7 Upload file cancel 0x6 Upload file Endup 0x3
Create TOnePipeShell
Table 9. Command codes in TONESHELL Variant B
Variant C
During our research, we hunted a dumped TONESHELL shellcode from VirusTotal
(SHA256: 521662079c1473adb59f2d7134c8c1d76841f2a0f9b9e6e181aa54df25715a09). Our
analysis showed it works similar to the two different variants, but the C&C
protocol used is HTTP. It seems to be the earlier version of TONESHELL because
the sample was uploaded in September 2021, and uses the POST method for the
first beacon. The following data is collected from the victim's machine:
1. Memory size
2. Username
3. Computer name
4. Disk size
5. Operating system bit
6. Product name
Figure 29. The first HTTP beacon request in TONESHELL Variant C
The victim's ID (specified by the "Guid" header in the first beacon and later
used in the "Cookie" header) is also generated from a random GUID. The body is
also encrypted in RC4, and the command codes are much like Variant B as follows:
Code Internal string Additional description 0x2 - Reset OnePipeShell 0x7 - Reset
OnePipeShell 0x3 - Unknown 0x4 - Change sleep seconds 0x1A Upload file begin
0x1B Upload file write 0x1D Upload file cancel 0x1C Upload file Endup 0x10
Exec file
Table 10. Command codes in TONESHELL variant C
THREAT HUNTING
We observed that several TONESHELL and TONEINS malware samples were uploaded to
VirusTotal in recent months. With the help of these, we collected several Google
Drive links, such
as 770d5b60d8dc0f32941a6b530c9598df92a7ec76b60309aa8648f9b3a3f3cca5.
Figure 30. Example of a Google Drive link, found in the wild, containing both
TONESHELL and TONEINS
Usually, we see such download links as the first arrival vectors. The Google
Drive direct download link is represented in the format
https[:]//drive.google.com/uc?id=gdrive_file_id&export=download. The
gdrive_file_id is a unique identifier for this specific file. We can switch to
web viewer to check its file contents and its owner by modifying the URL:
https[:]//drive.google.com/file/d/gdrive_file_id/view.
In the details panel, we can find the owner of this file, and by hovering on the
icon we can get the email address.
Figure 31. The web viewer of Google Drive
Figure 32. The file owner's name and email address
We can conduct further research with this specific email account. For example,
after our investigation, we know that the actors abused the same email address
to store the lure archives in Google Drive, as well as deliver the phishing
email. If we hunt for this specific email address in the monitoring logs, we
might find more distributed malware.
ATTRIBUTION
The observed TTPs in this campaign are similar to the campaign mentioned by
Secureworks. Both campaigns abused the .lnk files to trigger the malware.
Compared to the said report’s observations, the archive we found in this
campaign share similar folder structures.
Figure 33. Similar folder structure of BRONZE PRESIDENT (left) and Earth Preta
(right)
Based on the same report, Bronze President was known to be leveraging APIs with
a callback function argument to invoke the shellcode like EnumThreadWindows.
Similar techniques are also used in PUBLOAD malware.
In addition, we also spotted a link between the two campaigns: One of the C&C
servers (98[.]142[.]251[.]29) can be correlated to a shortcut file. This
shortcut file appears in one lure archive “EU 31st session of the Commission on
Crime Prevention and Criminal Justice United Nations on Drugs and Crime.rar”
(SHA256: 09fc8bf9e2980ebec1977a8023e8a2940e6adb5004f48d07ad34b71ebf35b877),
which the Secureworks report also mentioned. We used the tool LECmd to parse the
shortcut files wherein we found the specific C&C string inside the metadata of
the .lnk file. It seems that the actor used the C&C string as the folder name.
Figure 34. Metadata of the .lnk file (SHA256:
a693b9f9ffc5f4900e094b1d1360f7e7b907c9c8680abfeace34e1a8e380f405)
Third, the infection chains mentioned by Cisco Talos also resemble what we have
observed recently:
1. Both use schtasks and registry run key for persistence.
2. Both use benign executables for DLL sideloading.
3. Both use malicious archives for arrival vectors.
Most importantly, the stager mentioned in the report uses the same magic header
(17 03 03) as TONESHELL does in the C&C communication protocol, thereby
solidifying these malware families’ link to Earth Preta.
CONCLUSION
Earth Preta is a cyberespionage group known to develop their own loaders in
combination with existing tools like PlugX and Cobalt Strike for compromise.
Recent research papers show that it is constantly updating its toolsets and
indicate that it is further expanding its capabilities.
Based on our analysis, once the group has infiltrated a targeted victim’s
systems, the sensitive documents stolen can be abused as the entry vectors for
the next wave of intrusions. This strategy largely broadens the affected scope
in the region involved. For the group’s objectives, the targeted area appears to
be the countries in Asia.
As part of organizational mitigation plans, we recommend implementing continuous
phishing awareness trainings for partners and employees. We advise always
checking the sender and the subject twice before opening an email, especially
with an unidentifiable sender or an unknown subject. We also recommend a
multi-layered protection solution is recommended to detect and block threats as
far left to the malware infection chain as possible.
MITRE ATT&CK
MITRE ATT&CK table
INDICATORS OF COMPROMISE (IOCS)
The full list of IOCs can be found here.
Tags
APT & Targeted Attacks | Endpoints | Research | Articles, News, Reports
AUTHORS
* Nick Dai
Sr. Threat Researcher
* Vickie Su
Threats Analyst
* Sunny Lu
Threats Analyst
Contact Us
Subscribe
RELATED ARTICLES
* Pilfered Keys: Free App Infected by Malware Steals Keychain Data
* Electricity/Energy Cybersecurity: Trends & Survey Response
* Massive Phishing Campaigns Target India Banks’ Clients
See all articles
RECOMMENDED FOR YOU
apt & targeted attacks
HACK THE REAL BOX: APT41’S NEW SUBGROUP EARTH LONGZHI
LEARN MORE
* Contact Sales
* Locations
* Careers
* Newsroom
* Trust Center
* Privacy
* Accessibility
* Support
* Site map
* linkedin
* twitter
* facebook
* youtube
* instagram
* rss
Copyright © 2022 Trend Micro Incorporated. All rights reserved.
sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk
This website uses cookies for website functionality, traffic analytics,
personalization, social media functionality and advertising. Our Cookie Notice
provides more information and explains how to amend your cookie settings.Learn
more
Cookies Settings Accept
English
Accessibility Adjustments
Reset Settings Statement Hide Interface
Choose the right accessibility profile for you
OFF ON
Seizure Safe Profile Clear flashes & reduces color
This profile enables epileptic and seizure prone users to browse safely by
eliminating the risk of seizures that result from flashing or blinking
animations and risky color combinations.
OFF ON
Vision Impaired Profile Enhances website's visuals
This profile adjusts the website, so that it is accessible to the majority of
visual impairments such as Degrading Eyesight, Tunnel Vision, Cataract,
Glaucoma, and others.
OFF ON
ADHD Friendly Profile More focus & fewer distractions
This profile significantly reduces distractions, to help people with ADHD and
Neurodevelopmental disorders browse, read, and focus on the essential elements
of the website more easily.
OFF ON
Cognitive Disability Profile Assists with reading & focusing
This profile provides various assistive features to help users with cognitive
disabilities such as Autism, Dyslexia, CVA, and others, to focus on the
essential elements of the website more easily.
OFF ON
Keyboard Navigation (Motor) Use website with the keyboard
This profile enables motor-impaired persons to operate the website using the
keyboard Tab, Shift+Tab, and the Enter keys. Users can also use shortcuts such
as “M” (menus), “H” (headings), “F” (forms), “B” (buttons), and “G” (graphics)
to jump to specific elements.
Note: This profile prompts automatically for keyboard users.
OFF ON
Blind Users (Screen Reader) Optimize website for screen-readers
This profile adjusts the website to be compatible with screen-readers such as
JAWS, NVDA, VoiceOver, and TalkBack. A screen-reader is software that is
installed on the blind user’s computer and smartphone, and websites should
ensure compatibility with it.
Note: This profile prompts automatically to screen-readers.
Content Adjustments
Content Scaling
Default
Readable Font
Highlight Titles
Highlight Links
Text Magnifier
Adjust Font Sizing
Default
Align Center
Adjust Line Height
Default
Align Left
Adjust Letter Spacing
Default
Align Right
Color Adjustments
Dark Contrast
Light Contrast
High Contrast
High Saturation
Adjust Text Colors
Cancel
Monochrome
Adjust Title Colors
Cancel
Low Saturation
Adjust Background Colors
Cancel
Orientation Adjustments
Mute Sounds
Hide Images
Read Mode
Reading Guide
Useful Links
Select an option Home Header Footer Main Content
Stop Animations
Reading Mask
Highlight Hover
Highlight Focus
Big Black Cursor
Big White Cursor
HIDDEN_ADJUSTMENTS
Keyboard Navigation
Accessible Mode
Screen Reader Adjustments
Read Mode
Web Accessibility By
Learn More
Choose the Interface Language
English
Español
Deutsch
Português
Français
Italiano
עברית
繁體中文
Pусский
عربى
عربى
Nederlands
繁體中文
日本語
Polski
Türk
Accessibility StatementCompliance status
We firmly believe that the internet should be available and accessible to anyone
and are committed to providing a website that is accessible to the broadest
possible audience, regardless of ability.
To fulfill this, we aim to adhere as strictly as possible to the World Wide Web
Consortium’s (W3C) Web Content Accessibility Guidelines 2.1 (WCAG 2.1) at the AA
level. These guidelines explain how to make web content accessible to people
with a wide array of disabilities. Complying with those guidelines helps us
ensure that the website is accessible to blind people, people with motor
impairments, visual impairment, cognitive disabilities, and more.
This website utilizes various technologies that are meant to make it as
accessible as possible at all times. We utilize an accessibility interface that
allows persons with specific disabilities to adjust the website’s UI (user
interface) and design it to their personal needs.
Additionally, the website utilizes an AI-based application that runs in the
background and optimizes its accessibility level constantly. This application
remediates the website’s HTML, adapts its functionality and behavior for
screen-readers used by blind users, and for keyboard functions used by
individuals with motor impairments.
If you wish to contact the website’s owner please use the website's form
Screen-reader and keyboard navigation
Our website implements the ARIA attributes (Accessible Rich Internet
Applications) technique, alongside various behavioral changes, to ensure blind
users visiting with screen-readers can read, comprehend, and enjoy the website’s
functions. As soon as a user with a screen-reader enters your site, they
immediately receive a prompt to enter the Screen-Reader Profile so they can
browse and operate your site effectively. Here’s how our website covers some of
the most important screen-reader requirements:
1. Screen-reader optimization: we run a process that learns the website’s
components from top to bottom, to ensure ongoing compliance even when
updating the website. In this process, we provide screen-readers with
meaningful data using the ARIA set of attributes. For example, we provide
accurate form labels; descriptions for actionable icons (social media icons,
search icons, cart icons, etc.); validation guidance for form inputs;
element roles such as buttons, menus, modal dialogues (popups), and others.
Additionally, the background process scans all of the website’s images. It
provides an accurate and meaningful image-object-recognition-based
description as an ALT (alternate text) tag for images that are not
described. It will also extract texts embedded within the image using an OCR
(optical character recognition) technology. To turn on screen-reader
adjustments at any time, users need only to press the Alt+1 keyboard
combination. Screen-reader users also get automatic announcements to turn
the Screen-reader mode on as soon as they enter the website.
These adjustments are compatible with popular screen readers such as JAWS,
NVDA, VoiceOver, and TalkBack.
2. Keyboard navigation optimization: The background process also adjusts the
website’s HTML and adds various behaviors using JavaScript code to make the
website operable by the keyboard. This includes the ability to navigate the
website using the Tab and Shift+Tab keys, operate dropdowns with the arrow
keys, close them with Esc, trigger buttons and links using the Enter key,
navigate between radio and checkbox elements using the arrow keys, and fill
them in with the Spacebar or Enter key.
Additionally, keyboard users will find content-skip menus available at any
time by clicking Alt+2, or as the first element of the site while navigating
with the keyboard. The background process also handles triggered popups by
moving the keyboard focus towards them as soon as they appear, not allowing
the focus to drift outside.
Users can also use shortcuts such as “M” (menus), “H” (headings), “F”
(forms), “B” (buttons), and “G” (graphics) to jump to specific elements.
Disability profiles supported on our website
* Epilepsy Safe Profile: this profile enables people with epilepsy to safely
use the website by eliminating the risk of seizures resulting from flashing
or blinking animations and risky color combinations.
* Vision Impaired Profile: this profile adjusts the website so that it is
accessible to the majority of visual impairments such as Degrading Eyesight,
Tunnel Vision, Cataract, Glaucoma, and others.
* Cognitive Disability Profile: this profile provides various assistive
features to help users with cognitive disabilities such as Autism, Dyslexia,
CVA, and others, to focus on the essential elements more easily.
* ADHD Friendly Profile: this profile significantly reduces distractions and
noise to help people with ADHD, and Neurodevelopmental disorders browse,
read, and focus on the essential elements more easily.
* Blind Users Profile (Screen-readers): this profile adjusts the website to be
compatible with screen-readers such as JAWS, NVDA, VoiceOver, and TalkBack. A
screen-reader is installed on the blind user’s computer, and this site is
compatible with it.
* Keyboard Navigation Profile (Motor-Impaired): this profile enables
motor-impaired persons to operate the website using the keyboard Tab,
Shift+Tab, and the Enter keys. Users can also use shortcuts such as “M”
(menus), “H” (headings), “F” (forms), “B” (buttons), and “G” (graphics) to
jump to specific elements.
Additional UI, design, and readability adjustments
1. Font adjustments – users can increase and decrease its size, change its
family (type), adjust the spacing, alignment, line height, and more.
2. Color adjustments – users can select various color contrast profiles such as
light, dark, inverted, and monochrome. Additionally, users can swap color
schemes of titles, texts, and backgrounds with over seven different coloring
options.
3. Animations – epileptic users can stop all running animations with the click
of a button. Animations controlled by the interface include videos, GIFs,
and CSS flashing transitions.
4. Content highlighting – users can choose to emphasize essential elements such
as links and titles. They can also choose to highlight focused or hovered
elements only.
5. Audio muting – users with hearing devices may experience headaches or other
issues due to automatic audio playing. This option lets users mute the
entire website instantly.
6. Cognitive disorders – we utilize a search engine linked to Wikipedia and
Wiktionary, allowing people with cognitive disorders to decipher meanings of
phrases, initials, slang, and others.
7. Additional functions – we allow users to change cursor color and size, use a
printing mode, enable a virtual keyboard, and many other functions.
Assistive technology and browser compatibility
We aim to support as many browsers and assistive technologies as possible, so
our users can choose the best fitting tools for them, with as few limitations as
possible. Therefore, we have worked very hard to be able to support all major
systems that comprise over 95% of the user market share, including Google
Chrome, Mozilla Firefox, Apple Safari, Opera and Microsoft Edge, JAWS, and NVDA
(screen readers), both for Windows and MAC users.
Notes, comments, and feedback
Despite our very best efforts to allow anybody to adjust the website to their
needs, there may still be pages or sections that are not fully accessible, are
in the process of becoming accessible, or are lacking an adequate technological
solution to make them accessible. Still, we are continually improving our
accessibility, adding, updating, improving its options and features, and
developing and adopting new technologies. All this is meant to reach the optimal
level of accessibility following technological advancements. If you wish to
contact the website’s owner, please use the website's form
Hide Accessibility Interface? Please note: If you choose to hide the
accessibility interface, you won't be able to see it anymore, unless you clear
your browsing history and data. Are you sure that you wish to hide the
interface?
Accept Cancel
Continue
Processing the data, please give it a few seconds...
AddThis Sharing Sidebar
Share to FacebookFacebookShare to TwitterTwitterShare to PrintPrintMore AddThis
Share optionsAddThis
58
SHARES
Hide
Show
Close
AddThis