Earth Preta APT Attack Detection: China-Linked APT Hits Asia with DOPLUGS Malware, a New PlugX Variant 

[post-views]
February 22, 2024 · 4 min read
Earth Preta APT Attack Detection: China-Linked APT Hits Asia with DOPLUGS Malware, a New PlugX Variant 

The nefarious China-backed Earth Preta APT also known as Mustang Panda has been targeting Asian countries in the long-lasting adversary campaign, which applied an advanced iteration of PlugX malware dubbed DOPLUGS. 

Detecting Earth Preta Attacks Using DOPLUGS Malware

The year 2023 has been marked by the escalating activity of APT collectives reflecting the influence of the existing geopolitical tensions on the cyber domain. This time, security experts report the China-affiliated Earth Prera APT turning its sight to the Asia-Pacific region, apart from European countries. To detect potential intrusions at the earliest stages of development and withstand escalating attacks, cyber defenders require innovative threat detection and hunting solutions. 

SOC Prime Platform aggregates a set of curated detection algorithms accompanied by advanced cybersecurity tooling to streamline threat hunting investigation and enable proactive cyber defense. Hit the Explore Detections button below to explore the list of Sigma rules for Earth Preta’s latest SMUGX campaign.

Explore Detections

All the rules are compatible with 28 SIEM, EDR, XDR, and Data Lake solutions and mapped to MITRE ATT&CK framework v14.1. Additionally, detections are enriched with relevant metadata, including attack timelines, CTI references, triage recommendations, and more.

Additionally, security professionals might explore a related Sigma rule below helping to identify SMUGX campaign behavior related to associated directories.

Suspicious SmugX Campaign Associated with RedDelta and Mustang Panda by Detecting of Associated Files (via file_event)

To dive into Earth Preta TTPs and explore the related detection stack, security professionals might follow this link for more information. Also, using this link, cyber defenders might find useful rules to identify PlugX attacks.

Earth Preta aka Mustang Panda Attack Analysis: Overview of the Campaign Leveraging DOPLUGS

In mid-summer 2023, Check Point researchers uncovered a new SMUGX adversary campaign targeting European countries that was linked to the Earth Preta (aka Mustang Panda or Bronze President) malicious activity. 

Trend Micro researchers further revealed a phishing email targeting the Taiwanese state body and containing a custom PlugX malicious strain, which was identical to the malware samples used in the SMUGX attacks against Europe. As it turned out, the persistent SMUGX campaign embraced not only Europe but also Taiwan and Vietnam being the primary targets, along with China, Japan, Malaysia, and other Asian countries.

The revealed sample of custom PlugX malware, which has been in the spotlight since 2022, was different from the common PlugX variant also known as Korplug that leveraged a completed backdoor command module. The upgraded PlugX iteration was called DOPLUGS and employed a USB worm known as the KillSomeOne module.

PlugX is a notorious RAT attributed to the offensive toolkits of multiple hacking collectives, including Mustang Panda. The group has been observed using PlugX as one of its staple tools in cyber operations. Mustang Panda APT has been active since at least 2012, although its activities gained more spotlight and came to light in the cybersecurity community around 2017. In addition to PlugX,  the group also leverages both legitimate and malicious software such as Cobalt Strike, China Chopper, ORat, and more tools. The group primarily targets entities in the Asia-Pacific region and Europe, particularly organizations related to the public sector, along with military, finance, and technology industry verticals. 

In the latest long-lasting campaign, Earth Preta actors take advantage of an advanced PlugX variant DOPLUGS, which is a harmful downloader designed to facilitate the installation and execution of malicious payloads, including PlugX malware. Since 2018, Earth Preta has consistently revised the backdoor command sets within PlugX, undergoing at least four generations of malware samples. For instance, in late March 2022, Mustang Panda deployed a novel variant of the PlugX RAT dubbed Hodur, targeting Ukrainian organizations and diplomatic missions across Europe.

The latest DOPLUGS iteration applies a novel tactic by exploiting a legitimate Adobe application to entice victims, with most of the samples sourced from Vietnam as per VirusTotal data. In this campaign, which is typical of the group’s adversary behavior, Earth Preta APT employs spear-phishing emails for initial access and takes advantage of Google Drive links with a password-protected archive that is designed to download DOPLUGS malware on the compromised systems. 

As the group continues to be active in Europe and Asia, it’s crucial for defenders to increase awareness and remain vigilant to protect against Earth Preta attacks of any scale and sophistication. Get started with Uncoder IO to assist you in writing detection code for emerging threats faster, translate it into multiple SIEM, EDR, and Data lake languages in an automated fashion, and instantly convert threat intel into custom IOC queries for streamlined retrospective IOC hunting.

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts