MANILA, Philippines – Cybersecurity firm Trend Micro on Friday, November 18, announced that they have uncovered a global spear-phishing campaign by a China-based threat actor, with a higher focus on Asia Pacific countries including to Myanmar, Australia, the Philippines, Japan, and Taiwan. 

Spear-phishing is a more targeted form of phishing. Trend Micro, in its definition of the term, said, “While phishing tactics may rely on shotgun methods that deliver mass emails to random individuals, spear phishing focuses on specific targets and involves prior research.” 

Like the usual phishing attack, it often includes an email and a malicious attachment that can steal data or take control of a computer or computer network, among other things. Spear-phishing is more precise because as the firm explains, “The email includes information specific to the target, including the target’s name and rank within the company. This social engineering tactic boosts the chances that the victim will carry out all the actions necessary for infection, including opening the email and the included attachment.”

Trend Micro identified the threat actor Earth Preta as the culprit in these latest attacks, a group also known as Mustang Panda or Bronze President. The attacks were observed between March and October 2022, targeting primarily governments, but also research, and academic organizations. Emails were sent to targets that included a Google Drive link, which led to the malicious files. 

Government offices worldwide with collaborative work in Myanmar were mentioned as some of the primary targets. The emails often contained decoy documents written in Burmese that are made to look confidential in nature. “Most of the topics in the documents are controversial issues between countries and contain words like ‘Secret’ or ‘Confidential.’  These could indicate that the attackers are targeting Myanmar government entities as their first entry point,” Trend Micro wrote.

One of the documents shown by Trend Micro were the minutes of a supposed “9th Thailand-Myanmar Senior Staff Talks” labeled “secret” at the top, which the firm said may have been stolen in a previous hack. 

Apart from confidential-looking documents, the use of sensational subjects and porn were also used in the campaign. 

Some of the malware senders might be compromised email accounts from a specific organization, the company said. “Victims might be convinced that these mails were sent from trusted partners, increasing the chances that recipients will select the malicious links.”

Another way that the attackers are evading detection is by putting the target’s email in the “CC” bar rather than the usual “To” bar in the email. This allows the attackers to evade security analysis and slow down detection, the company said. 

As more victims open compromised emails from trusted partner organizations, the cycle may continue and more documents may be stolen, with the newly stolen documents being used as new lures, thus continuing the infection chain.

Trend Micro explained, “Based on our analysis, once the group has infiltrated a targeted victim’s systems, the sensitive documents stolen can be abused as the entry vectors for the next wave of intrusions. This strategy largely broadens the affected scope in the region involved.”

The firm warned, “Recent research papers show that [Earth Preta] is constantly updating its toolsets and indicate that it is further expanding its capabilities.” 

Australia-based cybersecurity firm Bugcrowd, said on its page about the threat group Earth Preta or Mustang Panda, that the group has “at times, seemed to take a particular interest in targeting the government of Myanmar and has done so repeatedly since about 2019.”

“This threat actor has targeted organizations worldwide since approximately 2012,” Bugcrowd said. Aside from Asian countries, the company said “These targets have included European organizations such as government agencies and religious organizations. American organizations have also been targeted, along with religious organizations. Threat researchers purported that Mustang Panda even targeted Catholic organizations within the Vatican.”

Trend Micro advised: “As part of organizational mitigation plans, we recommend implementing continuous phishing awareness trainings for partners and employees. We advise always checking the sender and the subject twice before opening an email, especially with an unidentifiable sender or an unknown subject. We also recommend a multi-layered protection solution to detect and block threats as far left to the malware infection chain as possible.”

The company has a technical explanation of the malware here including screenshots of the sample documents being circulated in the campaign. – Rappler.com