| FDMTP | |
|---|---|
| Type of Malware | Dropper |
| Country of Origin | China |
| Targeted Countries | United States |
| Date of Initial Activity | 2022 |
| Associated Groups | Mustang Panda |
| Motivation | Cyberwarfare |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
FDMTP is a relatively recent addition to the arsenal of tools used by the Earth Preta threat group, marking a significant evolution in their malware strategies. Unlike traditional malware, FDMTP serves as a specialized downloader, facilitating the delivery of additional malicious payloads to compromised systems. The malware is built on the TouchSocket framework and communicates over the Duplex Message Transport Protocol (DMTP), which allows it to maintain efficient and secure communication with the attackers’ command-and-control (C2) infrastructure. FDMTP’s main function is to silently download and execute other tools and malware, enabling Earth Preta to expand its foothold within a compromised network and carry out further malicious actions.
One of FDMTP’s key characteristics is its delivery through DLL side-loading. The malware is embedded in the data section of a legitimate DLL file, which is then loaded and executed by a trusted process on the compromised system. By using DLL side-loading, FDMTP can bypass traditional security measures and evade detection by antivirus software. The malware operates in the background, remaining inconspicuous while silently executing its payload, which could range from additional malware downloads to data exfiltration tasks, depending on the attacker’s goals. This technique allows Earth Preta to exploit the trusted environment of the system, making it more difficult for defenders to detect and neutralize the threat.
Targets
Information
How they operate
FDMTP operates by embedding itself within the data section of a Dynamic Link Library (DLL) file, leveraging the DLL side-loading technique to execute its payload. DLL side-loading is an effective method for evading detection, as the malware is loaded within the legitimate process of the system. When the compromised DLL is executed, FDMTP is triggered, allowing it to operate without raising alarms in most antivirus solutions. This form of malware deployment is particularly insidious, as it uses a legitimate, trusted system file to hide its malicious functionality, thus avoiding typical file-based detection methods that are focused on identifying standalone executable files.
Upon execution, FDMTP begins its primary task: establishing a secure communication channel with the attacker’s command-and-control (C2) server. To do so, it uses DMTP, a robust and efficient protocol designed to handle bi-directional communication between the malware and the C2 infrastructure. Through DMTP, FDMTP can receive instructions, download additional payloads, and send exfiltrated data back to the attackers. This communication is typically encrypted to prevent detection or interception. The malware’s communication layer is further protected by storing its network configuration encoded with Base64 and encrypted with the Data Encryption Standard (DES). These encoding and encryption layers obscure the parameters and details of the C2 communications, making it significantly more challenging for cybersecurity professionals to decode and trace the malware’s activities.
In terms of its capabilities, FDMTP can download a variety of secondary payloads, which can include additional malware or tools for post-exploitation. These payloads may range from keyloggers and backdoors to more advanced malware such as ransomware or data exfiltration tools. The downloader operates silently, without triggering obvious alerts or noticeable system performance degradation, ensuring that the attacker’s activities remain under the radar. FDMTP’s ability to download and execute secondary payloads allows Earth Preta to carry out targeted attacks with maximum flexibility, customizing the type and severity of the malware based on the specific goals of the operation.
FDMTP’s evasion tactics are especially noteworthy, as it uses several layers of defense to avoid detection and analysis. By storing its network configuration in encoded and encrypted form, using DLL side-loading, and leveraging a highly secure communication protocol, FDMTP remains stealthy, making it difficult to analyze in depth using traditional security tools. For security analysts and incident responders, identifying FDMTP requires a deep understanding of its obfuscation techniques and the ability to detect subtle changes in system behavior, such as unusual DLL loads or encrypted outbound traffic. As Earth Preta continues to refine its malware arsenal, understanding how FDMTP operates on a technical level is crucial for developing effective countermeasures and defending against these increasingly sophisticated attack methods.
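The "unusual DLL loads" mentioned above can be surfaced from endpoint telemetry. The following is an added example (not code from the original profile or from any vendor product) that scans constructed Sysmon-style ImageLoaded records and flags two side-loading patterns: a DLL bearing a Windows system DLL name loaded from outside the system directories, and an unsigned DLL loaded from the same user-writable directory as the executable that loaded it. The log line layout, the DLL name list and the sample records are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style ImageLoaded (Event ID 7) records for the demo; not real telemetry.
SAMPLE_EVENTS = [
    "Image: C:\\Windows\\System32\\svchost.exe | ImageLoaded: C:\\Windows\\System32\\version.dll | Signed: true",
    "Image: C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe | ImageLoaded: C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll | Signed: false",
    "Image: C:\\Program Files\\Vendor\\tool.exe | ImageLoaded: C:\\Program Files\\Vendor\\helper.dll | Signed: true",
    "Image: C:\\Users\\alice\\Downloads\\report.exe | ImageLoaded: C:\\Users\\alice\\Downloads\\vendor.dll | Signed: false",
]

# Assumed log layout: "Image: <process> | ImageLoaded: <dll> | Signed: <true|false>"
PATTERN = re.compile(r"Image: (?P<image>[^|]+?) \| ImageLoaded: (?P<dll>[^|]+?) \| Signed: (?P<signed>true|false)")

# Directories where Windows system DLLs legitimately live (compared case-insensitively).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Small illustrative set of system DLL names; a real rule would use a fuller inventory.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "winmm.dll"}


@dataclass
class Finding:
    process: str
    dll: str
    reason: str


def _split(path: str):
    """Return (lowercase directory with trailing backslash, lowercase file name)."""
    path = path.strip().lower()
    directory, _, name = path.rpartition("\\")
    return directory + "\\", name


def is_user_writable(directory: str) -> bool:
    return directory.startswith("c:\\users\\") or directory.startswith("c:\\programdata\\")


def analyze(lines):
    """Return a Finding for each record that matches one of the two side-loading heuristics."""
    findings = []
    for line in lines:
        m = PATTERN.search(line)
        if not m:
            continue  # skip records that do not match the assumed layout
        proc_dir, _ = _split(m["image"])
        dll_dir, dll_name = _split(m["dll"])
        signed = m["signed"] == "true"
        if dll_name in SYSTEM_DLL_NAMES and dll_dir not in TRUSTED_DIRS:
            findings.append(Finding(m["image"].strip(), m["dll"].strip(), "system DLL name loaded from non-system path"))
        elif not signed and dll_dir == proc_dir and is_user_writable(dll_dir):
            findings.append(Finding(m["image"].strip(), m["dll"].strip(), "unsigned DLL loaded from the executable's own user-writable directory"))
    return findings
```

Running `analyze(SAMPLE_EVENTS)` flags the second and fourth records and leaves the two legitimate loads alone.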
Ultimately, FDMTP plays a critical role in the broader Earth Preta attack chain. It enables the delivery of additional malicious tools and facilitates the ongoing exploitation of compromised systems. Its stealthy nature, ability to download additional payloads, and use of encrypted communication make it a formidable component in Earth Preta’s arsenal. Understanding how FDMTP works is vital for organizations aiming to bolster their defenses against advanced persistent threats (APTs) and ensuring that their cybersecurity measures are capable of detecting and mitigating such sophisticated malware.