A. Nature of the Attack
The campaign uses fake Google accounts to distribute the malware via spear-phishing emails that are stored on Google Drive.
Throughout the campaign, the Trend Micro research team observed two new malware families used by the group, TONEINS and TONESHELL, alongside PUBLOAD, a malware that was previously reported by Cisco Talos:
- PUBLOAD: A stager that can download the next-stage payload from its command-and-control (C&C) server. This malware was first disclosed by Cisco Talos in May 2022.
- TONEINS: A first-stage malware that installs the TONESHELL backdoor and establishes persistence for it.
- TONESHELL: The main backdoor used in this campaign. It is a shellcode loader that loads and decodes the backdoor shellcode in memory using a 32-byte key.
B. Indicators of Compromise
The list of Indicators of Compromise can be viewed at the link below.
- List of IoCs from Trend Micro: https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/k/earth-preta-spear-phishing-governments-worldwide/IOCs-earth-preta-spear-phishing-since-march.txt
C. Actions to be Taken
CERT-PH recommends the following actions be taken:
- Proactively monitor and secure identified systems and devices for any suspicious/malicious activities.
- Regularly check for and apply the latest software patches, especially on public-facing applications.
- In addition, provide employees with cybersecurity knowledge and training to minimize the threat.
- For additional information, kindly refer to the official report.