Friday, November 18th, Trend Micro revealed that they had found a worldwide spear-phishing effort conducted by a China-based threat actor, with a particular focus on Asia Pacific nations including Myanmar, Australia, the Philippines, Japan, and Taiwan.
Spear-phishing is a highly targeted form of phishing. By Trend Micro’s definition, whereas ordinary phishing may rely on tooling that sends mass emails to random people, spear phishing concentrates on specific targets and requires prior research.
As with a typical phishing attack, it usually involves an email with a malicious attachment that can, among other things, steal data or take control of a computer or network. Spear-phishing is more precise because, as the company puts it, “The email contains information relevant to the target, such as the target’s name and position within the organization. This social engineering technique increases the likelihood that the victim will perform all activities required for infection, including opening the email and the attached file.”
Earth Preta, also known as Mustang Panda or Bronze President, has been identified by Trend Micro as the perpetrator behind these latest attacks. The attacks occurred between March and October of 2022 and predominantly targeted governments, as well as research and academic institutions. Targets were sent emails containing a Google Drive link that led to the malicious files.
Among the key targets listed were international government agencies with joint operations in Myanmar. The emails frequently carried bogus Burmese documents made to look secret. “The majority of the themes in the documents are contentious problems between nations and feature phrases such as ‘Secret’ and ‘Confidential.’ These indicators may suggest that the attackers are targeting Myanmar government institutions as their initial point of entry,” Trend Micro observed.
One of the papers displayed by Trend Micro was the “9th Thailand-Myanmar Senior Staff Talks” minutes marked “secret” at the top, which the company speculated may have been taken in a prior breach.
In addition to confidential-looking documents, the campaign also used sensational themes and pornography as lures.
The company stated that some of the senders of the malicious emails may be compromised email accounts belonging to a particular organization. “Recipients are more likely to click on the malicious links if they believe that these e-mails originated from reputable sources.”
The attackers further evade detection by placing the target’s email address in the “CC” field of the email rather than the “To” field. According to the company, this helps the attackers circumvent security checks and slows down detection.
As other victims read malicious emails from trusted partner organizations, the cycle may continue and more documents may be stolen; the freshly stolen documents may then be used as new lures, perpetuating the infection chain.
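The two mail-level traits described above (the recipient hidden in CC rather than To, and a Google Drive link in the body), plus the “Secret”/“Confidential” subject wording, can be turned into a simple triage check. The script below is an added example written for this article, not Trend Micro’s tooling; the message, mailbox names, and the Drive file id are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample lure modeled on the campaign described above (not a real message):
# the targeted mailbox sits in Cc only, the subject claims secrecy, the body carries a Drive link.
SAMPLE_LURE = """\
From: officer@partner-ministry.test
To: info@partner-ministry.test
Cc: analyst@target-ministry.test
Subject: Secret - 9th Thailand-Myanmar Senior Staff Talks (minutes)

Please review the minutes before the meeting:
https://drive.google.com/file/d/PLACEHOLDER-FILE-ID/view
"""

DRIVE_LINK = re.compile(r"https?://drive\.google\.com/\S+", re.IGNORECASE)
SECRECY_WORDS = re.compile(r"\b(secret|confidential)\b", re.IGNORECASE)


def _addresses(msg, header):
    # Lower-cased set of addresses in a header; get_all handles repeated header lines.
    return {addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr}


def _plain_text(msg):
    # Concatenate every text/plain part; walk() also yields a non-multipart message itself.
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def lure_indicators(raw_message, protected_mailbox):
    # Returns the indicators from the article that fire on this message, in a fixed order.
    msg = message_from_string(raw_message)
    mailbox = protected_mailbox.lower()
    findings = []
    # The protected mailbox appears only in Cc: the "CC instead of To" trick described above.
    if mailbox in _addresses(msg, "Cc") and mailbox not in _addresses(msg, "To"):
        findings.append("cc_only_recipient")
    if SECRECY_WORDS.search(msg.get("Subject", "")):
        findings.append("secrecy_keyword_in_subject")
    if DRIVE_LINK.search(_plain_text(msg)):
        findings.append("google_drive_link")
    return findings
```

None of these indicators is conclusive on its own (legitimate mail is CC’d and shares Drive links all the time); the value is in a message that trips all three arriving from an external partner domain.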
Trend Micro noted, “According to our investigation, after the organization has infiltrated the systems of a targeted victim, the sensitive papers obtained can be repurposed as entry vectors for the following wave of attacks. This method significantly expands the extent of the impacted region.”
“Recent research articles indicate that [Earth Preta] is always improving its toolkits and increasing its capabilities,” the company cautioned.
On its website regarding the threat group Earth Preta or Mustang Panda, Australia-based cybersecurity firm Bugcrowd stated that the group “has regularly targeted the government of Myanmar since approximately 2019.”
Since about 2012, this threat actor has targeted organizations globally, according to Bugcrowd. In addition to Asian nations, the company stated, “These targets have included European government bodies and religious organizations.” In addition to religious institutions, American organizations have been attacked. According to threat analysts, Mustang Panda even targeted Vatican Catholic groups.
Trend Micro said, “As part of organizational mitigation strategy, we advocate performing continuous phishing awareness training for partners and workers. We recommend constantly double-checking the sender and topic before opening an email, especially if the sender or subject are unfamiliar. We also advocate a multilayered security solution to detect and prevent attacks as early as feasible in the malware infection chain.”
Here, the company provides a technical analysis of the malware, along with screenshots of the sample documents being distributed as part of the campaign.