February 20, 2024 at 04:37AM
Summary:
Earth Preta's APT campaign, employing a customized PlugX variant named DOPLUGS, targeted Asian countries, including Taiwan and Vietnam. Spear-phishing emails carrying Google Drive links served as the initial access vector and led to the execution of DOPLUGS on the victim's machine. One DOPLUGS variant was found to integrate the KillSomeOne module, which spreads the malware via infected USB drives.
Key takeaways:
1. The Earth Preta group (also tracked as Mustang Panda and Bronze President) has been actively using DOPLUGS, a customized variant of PlugX, to target Asian countries, primarily Taiwan, Vietnam, and Mongolia.
2. The campaign relied on spear-phishing emails containing Google Drive links that pointed to a password-protected archive; once the victim downloaded and opened the archive, it delivered the DOPLUGS malware.
3. Noteworthy samples of DOPLUGS files reveal that the victims targeted by these specific samples were from Taiwan and Mongolia, with decoy files related to current events, such as the Taiwanese presidential election in January 2024.
4. The DOPLUGS malware supports backdoor commands covering several functions, including downloading the standard, general-purpose PlugX backdoor, integrating the KillSomeOne module for USB worm behavior, and removing its own persistence.
5. Based on the investigation, the Earth Preta group seems to prioritize targeting government entities within the Asia-Pacific region and Europe. The group remains highly active and continues to refine its tools, adding new functionalities and features to its malware.
6. The MITRE ATT&CK framework was used to analyze the tactics, techniques, and procedures associated with the Earth Preta campaign, providing insights into various stages of the attack lifecycle.