A recent campaign undertaken by Earth Preta indicates that nation-state groups aligned with China are getting increasingly proficient at bypassing security solutions. The threat actor, active since at least 2012, is tracked by the broader cybersecurity community as Bronze President, HoneyMyte, Mustang Panda, RedDelta, and Red Lich.

Attack chains mounted by the group begin with a spear-phishing email that deploys a wide range of tools for backdoor access, command-and-control (C2), and data exfiltration. These messages carry malicious lure archives distributed via Dropbox or Google Drive links; the archives rely on DLL side-loading, LNK shortcut files, and fake file extensions as arrival vectors to obtain a foothold and drop backdoors such as TONEINS, TONESHELL, PUBLOAD, and MQsTTang (aka QMAGENT). Similar infection chains using Google Drive links have been observed delivering Cobalt Strike, a tool that provides remote access to a compromised system, as early as April 2021.

According to Trend Micro, "Earth Preta tends to hide malicious payloads in fake files, disguising them as legitimate ones — a technique that has been proven effective for avoiding detection." This entry-point method, first spotted late last year, has since received a slight tweak: the download link to the archive is now embedded within another decoy document, and the archive itself is password-protected in an attempt to sidestep email gateway solutions.

The group's use of Google Drive links is especially concerning because it makes the infection process more seamless. Once a user clicks the link, they land on a Google Drive page that prompts them to download the file; what the user does not realize is that the download is the malicious payload.
While Earth Preta's methods are constantly evolving, one thing remains the same: the group's reliance on spear-phishing emails to deploy a wide range of tools for backdoor access, command-and-control (C2), and data exfiltration. This makes it all the more important for individuals and organizations to be aware of the threat and to take steps to protect themselves. Recommendations include treating unsolicited emails with suspicion, especially those that contain attachments or links, and not clicking links or opening attachments from unknown senders. Organizations should also keep their security solutions up to date and train employees on cybersecurity best practices.
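The arrival patterns described above (cloud-storage download links inside decoy documents, password-protected archives, LNK shortcuts, fake double extensions, and a DLL shipped beside a legitimate EXE for side-loading) can be turned into a simple mail-gateway triage check. The script below is an added example, not code from Trend Micro or the article; the host list, extension sets, and the sample archive are constructed assumptions for illustration.

```python
import io
import re
import zipfile
from collections import defaultdict

# Delivery hosts named in the report (assumed list; extend for your environment).
CLOUD_LINK = re.compile(r"https?://(?:drive\.google\.com|docs\.google\.com|(?:www\.)?dropbox\.com)/\S+", re.I)
EXEC_EXT = {".exe", ".dll", ".lnk", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi"}
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg", ".png"}

def find_cloud_links(text):
    """Return Google Drive / Dropbox links embedded in decoy-document text."""
    return CLOUD_LINK.findall(text)

def member_reasons(name):
    """Reasons to flag one archive member, judged from its file name alone."""
    reasons = []
    exts = ["." + p for p in name.rsplit("/", 1)[-1].lower().split(".")[1:]]
    if not exts:
        return reasons
    if exts[-1] == ".lnk":
        reasons.append("lnk shortcut")
    if exts[-1] in EXEC_EXT and any(e in DECOY_EXT for e in exts[:-1]):
        reasons.append("fake (double) extension")
    return reasons

def triage_archive(data):
    """Inspect zip bytes: note encryption and members matching the lure-archive layout."""
    findings = {"encrypted": False, "flagged": {}}
    names, by_dir = [], defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is password-protected
                findings["encrypted"] = True
            names.append(info.filename)
    for n in names:  # record which extensions live in each directory
        d, _, base = n.rpartition("/")
        by_dir[d].add(base.lower().rsplit(".", 1)[-1] if "." in base else "")
    for n in names:
        reasons = member_reasons(n)
        d, _, base = n.rpartition("/")
        if base.lower().endswith(".dll") and "exe" in by_dir[d]:
            reasons.append("dll beside exe (side-load layout)")
        if reasons:
            findings["flagged"][n] = reasons
    return findings

def build_sample_zip():
    """Constructed sample imitating a lure archive; contents are placeholders, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member in ("Invitation.pdf.lnk", "bin/Viewer.exe", "bin/helper.dll", "Agenda.docx"):
            zf.writestr(member, b"constructed placeholder")
    return buf.getvalue()
```

Run `triage_archive(build_sample_zip())` to see the LNK with a fake extension and the DLL-beside-EXE pair flagged while the plain document is not; in production, feed it the decoded attachment and pass the decoy document's text to `find_cloud_links`.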