
Researchers Uncover Chinese Nation State Hackers’ Deceptive Attack Strategies

Mar 24, 2023 brought reports of an elevated threat level, with Earth Preta running a campaign of spear-phishing emails and malicious lures to deploy a wide range of tools for backdoor access, command-and-control (C2), and data exfiltration. Earth Preta disguises malicious payloads as benign-looking files to avoid detection, and has been observed delivering Cobalt Strike as early as April 2021. Initial access to the victim's environment is followed by account discovery and privilege escalation phases, with Mustang Panda leveraging custom tools such as ABPASS and CCPASS to circumvent User Account Control (UAC) in Windows 10. The threat actor has also been observed deploying malware such as "USB Driver.exe" (HIUPAN or MISTCLOAK) and "rzlog4cpp.dll" (ACNSHELL or BLUEHAZE), which copy themselves to removable disks and open a reverse shell, with the goal of moving laterally across the network. The group also employs NUPAKAGE and ZPAKAGE, both of which are built to collect Microsoft Office files.
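The two file names the article attributes to the removable-media stage, "USB Driver.exe" and "rzlog4cpp.dll", are the kind of indicator a defender can hunt for directly in endpoint telemetry. The script below is an added example, not code from the article or from the vendor that published the research: it scans process-creation and image-load records for those file names and, as a broader heuristic, for any executable launched from a volume other than C:\. The key="value" log format, the sample records, the hostnames and the timestamps are all constructed for this example, and the assumption that non-C: drive letters are removable volumes is a simplification a real deployment would replace with the endpoint agent's own drive-type field.

```python
"""Hunt constructed endpoint records for the Earth Preta artifacts named in the
article. Example code added to this page; log format and data are made up."""

from __future__ import annotations

import re
from dataclasses import dataclass

# File names taken from the article. Matching is case-insensitive on the basename.
SUSPECT_IMAGES = {"usb driver.exe"}
SUSPECT_DLLS = {"rzlog4cpp.dll"}

# Assumption for this example: C:\ is the only fixed drive; any other drive
# letter is treated as a candidate removable volume.
FIXED_DRIVE_PREFIXES = ("c:\\",)

# Constructed sample telemetry in a simple key="value" format (not real vendor data).
SAMPLE_LOG = "\n".join([
    r'ts="2023-03-24T09:12:01Z" host="ws01" event="process_create" image="C:\Windows\System32\svchost.exe" parent="C:\Windows\System32\services.exe"',
    r'ts="2023-03-24T09:15:44Z" host="ws01" event="process_create" image="E:\USB Driver.exe" parent="C:\Windows\explorer.exe"',
    r'ts="2023-03-24T09:15:45Z" host="ws01" event="image_load" image="E:\USB Driver.exe" module="E:\rzlog4cpp.dll"',
    r'ts="2023-03-24T09:20:10Z" host="ws02" event="process_create" image="C:\Program Files\App\app.exe" parent="C:\Windows\explorer.exe"',
    r'ts="2023-03-24T09:21:03Z" host="ws02" event="process_create" image="D:\tools\setup.exe" parent="C:\Windows\explorer.exe"',
])


@dataclass
class Finding:
    line_no: int
    host: str
    rule: str
    path: str


_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_record(line: str) -> dict:
    """Turn one key="value" log line into a dict with lower-cased keys."""
    return {k.lower(): v for k, v in _KV.findall(line)}


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_removable_path(path: str) -> bool:
    """True for a drive-letter path that is not on a fixed drive (see assumption above)."""
    p = path.lower()
    return bool(re.match(r"^[a-z]:\\", p)) and not p.startswith(FIXED_DRIVE_PREFIXES)


def evaluate(rec: dict, line_no: int) -> list[Finding]:
    """Apply the three hunting rules to one parsed record."""
    out: list[Finding] = []
    host = rec.get("host", "?")
    event = rec.get("event")
    image = rec.get("image", "")
    if event == "process_create":
        # Rule 1: executable name published in the report.
        if basename(image) in SUSPECT_IMAGES:
            out.append(Finding(line_no, host, "known-filename", image))
        # Rule 2: anything executed from a (presumed) removable volume.
        if is_removable_path(image):
            out.append(Finding(line_no, host, "exec-from-removable", image))
    elif event == "image_load":
        # Rule 3: DLL name published in the report, regardless of loading process.
        module = rec.get("module", "")
        if basename(module) in SUSPECT_DLLS:
            out.append(Finding(line_no, host, "known-dll", module))
    return out


def hunt(log_text: str) -> list[Finding]:
    """Run every rule over every non-empty line and collect the findings."""
    findings: list[Finding] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            findings.extend(evaluate(parse_record(line), n))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f.line_no} host={f.host} rule={f.rule} path={f.path}")
```

On the sample data the hunt flags the "USB Driver.exe" launch twice (once by name, once because it ran from E:\), the rzlog4cpp.dll load, and the unrelated setup.exe started from D:\. That last hit is deliberate: the removable-volume rule is noisy on its own and is meant to be triaged alongside the name-based rules rather than alerted on by itself.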

The findings published on Mar 24, 2023 again highlighted the increased operational tempo of Chinese cyber espionage actors and their consistent investment in advancing their tooling to evade detection. Earth Preta is a capable and organized threat actor that is continuously honing its TTPs, strengthening its development capabilities, and building a versatile arsenal of tools and malware. Organizations should also be mindful of the risks associated with third-party app access to their company's SaaS apps, and can reduce that risk by understanding the types of permissions being granted.

In conclusion, Mar 24, 2023 saw Earth Preta launch a campaign of spear-phishing emails and malicious lures. The threat actor continues to refine its TTPs and to build a versatile arsenal of tools and malware designed to evade detection. Organizations must be aware of the risks associated with third-party app access to their company's SaaS apps and take the necessary steps to minimize them.
