Earth Preta Evolves its Attacks with New Malware and Strategies

    Date: 09/10/2024

    Severity: Critical

    Summary

    Earth Preta has enhanced its attacks by using a variant of the HIUPAN worm to spread PUBLOAD. It has also deployed tools like FDMTP and PTSOCKET to expand its control and data exfiltration abilities. Additionally, spear-phishing emails with multi-stage downloaders such as DOWNBAIT and PULLBAIT have facilitated further malware installations. These attacks are highly targeted and time-sensitive, focusing on specific countries and sectors within the APAC region for swift deployment and data extraction.

    IOC list:

    Domains/URLs

    www.ynsins.com

    www.aihkstore.com

    www.bcller.com

    IP Address

    103.15.29.17

    154.90.32.88

    47.76.87.55

    47.253.106.177

    16.162.188.93

    18.163.112.181

    Hash

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "www.aihkstore.com" or url like "www.aihkstore.com" or userdomainname like "www.ynsins.com" or url like "www.ynsins.com" or userdomainname like "www.bcller.com" or url like "www.bcller.com"

    Detection Query 2

    dstipaddress IN ("16.162.188.93","154.90.32.88","103.15.29.17","47.76.87.55","47.253.106.177","18.163.112.181") or ipaddress IN ("16.162.188.93","154.90.32.88","103.15.29.17","47.76.87.55","47.253.106.177","18.163.112.181") or publicipaddress IN ("16.162.188.93","154.90.32.88","103.15.29.17","47.76.87.55","47.253.106.177","18.163.112.181") or srcipaddress IN ("16.162.188.93","154.90.32.88","103.15.29.17","47.76.87.55","47.253.106.177","18.163.112.181")

    Detection Query 3

    sha256hash IN ("56cb16589ab852de4900496ef74212c17902867e90253b4d9d7f335ef7d45a7b","565fa2992212c89bdec334c0fd318b3fd2c91707431fd8186016f11645925892","df0e16a29c9dffe2ff7b3d4c957af7459fd7e6fa8026d067202912b997773749","f452b787e47493e89078e884bf92c61626e6ff4b9bc8eee8ae3728ddc65b7e46","ee986beeb058ec27d0dad9a0a671bbabaa56057102faf30f63397bdbe7fca81f","a062fafaff556b17a5ccb035c8c7b9d2015722d86a186b6b186a9c63eeb4308a","2e44ebe8d864ae19446d0853c51e471489c0893fc5ae2e042c01c7f232d2a2c2","3514d2e74b476e1569bbf3311934809c6f8e97df5c9669a5fe475e508886df9f","24a850f15a023f59389bf8fd1c33796cf3a5d8d08f77dda049d1c978a1825dde","d1492101eb450f0e9badaea254e5551b49297fa4a98c53c939bb96bafd2151fe","586632c8bb5890c760efc21662105e649177deaf2b2c2eef3ede1da088f23a6c","68bec53e4772eee6c13278a471d669b916cdc797c81d128ee103ee90841fa19e","c2bed145cf09022ee6a378dc5e9b3ae49b7c95a6551fa7310a1d997f93f6e2d1","756b9d6f50bd56adca1fa3d48ff07edf8ee3cc568fb32cbdd892403670343b43","107ba73ae05ec6ba6d814665923191f14757015557eeeff16206cc957da29be3","c662f5c851314d952cf3594232a7db5b96cb528716cd71bf38393b647cfd4c82","f452b787e47493e89078e884bf92c61626e6ff4b9bc8eee8ae3728ddc65b7e46","565fa2992212c89bdec334c0fd318b3fd2c91707431fd8186016f11645925892","3278c06b5510edabb3318aa1892eb7e426e97946b86eea925965a46ba1725ebd")
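The three queries above, rendered as a small IOC matcher run over constructed log records. This is an added example, not Gurucul's code: the domain and IP sets are copied in full from the IOC list above, the SHA-256 set carries two of the listed hashes (the rest plug in the same way), the `like` of Query 1 is assumed to mean the host itself or a subdomain of it, and the log records are constructed samples.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Indicators copied from the advisory's IOC list (SHA-256 set is a two-entry subset).
IOC_DOMAINS = {"www.ynsins.com", "www.aihkstore.com", "www.bcller.com"}
IOC_IPS = {"103.15.29.17", "154.90.32.88", "47.76.87.55",
           "47.253.106.177", "16.162.188.93", "18.163.112.181"}
IOC_SHA256 = {
    "56cb16589ab852de4900496ef74212c17902867e90253b4d9d7f335ef7d45a7b",
    "3278c06b5510edabb3318aa1892eb7e426e97946b86eea925965a46ba1725ebd",
}
DOMAIN_FIELDS = ("userdomainname", "url")                                    # Query 1
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")  # Query 2

def _host(value):
    """Reduce a bare hostname or a full URL to a lowercase hostname."""
    value = value.strip().lower()
    return (urlsplit(value).hostname or "") if "://" in value else value.split("/", 1)[0]

def _ip(value):
    """Canonical form of an IP string, or None if the field is not an address."""
    try:
        return str(ip_address(value.strip()))
    except ValueError:
        return None

def match_record(rec):
    """Names of the advisory's queries that one log record satisfies."""
    hits = []
    # Query 1: `like` is taken (an assumption) to mean the host or a subdomain of it.
    hosts = {_host(str(rec.get(f, ""))) for f in DOMAIN_FIELDS} - {""}
    if any(h == d or h.endswith("." + d) for h in hosts for d in IOC_DOMAINS):
        hits.append("query1_domain")
    # Query 2: any of the four address fields equals a listed IP.
    if any(_ip(str(rec.get(f, ""))) in IOC_IPS for f in IP_FIELDS):
        hits.append("query2_ip")
    # Query 3: SHA-256 of the file, compared case-insensitively.
    if str(rec.get("sha256hash", "")).lower() in IOC_SHA256:
        hits.append("query3_hash")
    return hits

def scan(records):
    """(index, hits) for every record that triggers at least one query."""
    return [(i, h) for i, r in enumerate(records) if (h := match_record(r))]

SAMPLE_LOGS = [  # constructed records, not real telemetry
    {"url": "http://www.aihkstore.com/update.php", "srcipaddress": "10.0.0.5"},
    {"dstipaddress": "47.253.106.177", "sha256hash": "56CB16589AB852DE4900496EF74212C17902867E90253B4D9D7F335EF7D45A7B"},
    {"userdomainname": "example.org", "publicipaddress": "10.0.0.9"},
]
```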

    Reference:

    https://www.trendmicro.com/en_us/research/24/i/earth-preta-new-malware-and-strategies.html
