Behind the Scenes Unveiling the Hidden Workings of Earth Preta

Keypoints

  • Earth Preta expanded 2023 campaigns using MIROGO (Go backdoor), QMAGENT (MQTT-based backdoor), and a new dropper named TONEDROP that installs TONEINS and TONESHELL.
  • TONEDROP embeds XOR-encrypted payloads, checks for analysis tools/environment, decrypts files to %USERPROFILE% paths, uses DLL sideloading via WaveeditNero.exe, and creates a scheduled task for persistence.
  • TONESHELL variant D implements a custom C2 packet (magic 17 03 03, size, encrypted payload); the first handshake includes a 0x200-byte xor_key and a CoCreateGuid-generated victim_id stored in an AppData Roaming config file.
  • QMAGENT uses the MQTT protocol (unauthenticated, unencrypted topic iot/server0), which allowed monitoring of victim connections and revealed sandbox timeouts; MIROGO uses HTTP and password-protected archives (Note-2.7z).
  • The infrastructure uses fake Google Drive pages, obfuscated JavaScript (jQuery.min.js) to fetch archives (Documents.rar / Note-1.rar), and web servers (app.py) that serve payloads conditionally by User-Agent and log victim access in /static.
  • Open directories exposed scripts and files (app.py, client.py, fw.sh, blacklist.txt, logging files) that show firewall rules to block scanners, hard-coded webchat credentials, and patterns mapping URL paths to target country codes.
  • Trend Micro published full IOCs and an appendix with collected download links and logged access records; many download sites reuse IPs/domains and predictable URL patterns.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Link – Earth Preta used spear-phishing emails with Google Drive or fake-Google-Drive links to deliver archives (“delivered through a phishing email embedded with a Google Drive link”).
  • [T1204.002] User Execution: Malicious File – Victims were induced to extract password-protected archives (Note-2.7z / Documents.rar) and execute embedded binaries (“the archive named Note-2.7z…the password provided in the email’s body”).
  • [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking – The dropper sideloads a malicious DLL via a legitimate executable (WaveeditNero.exe sideloads waveedit.dll) to load payloads (“WaveeditNero.exe will sideload waveedit.dll”).
  • [T1497] Virtualization/Sandbox Evasion – The dropper checks for analysis/debugging tools and running processes/windows and aborts if detected (“it will check the running processes and windows if they are related to malware analysis tools”).
  • [T1053.005] Scheduled Task/Job – TONEDROP creates a scheduled task to run the sideloaded executable for persistence (“TONEDROP will set up a scheduled task for the process C:\users\public\documents\WinDbg(X64).exe”).
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 communication used HTTP and custom packet framing; MIROGO used HTTP while QMAGENT used MQTT for C2 (“QMAGENT … leverages the MQTT protocol”; “MIROGO … delivered through a phishing email embedded with a Google Drive link”).
  • [T1027] Obfuscated Files or Information – The download pages used obfuscated JavaScript to hide malicious URLs and payloads (“the threat actor obfuscated the malicious URL script with another piece of JavaScript”).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – The server-side fw.sh and blacklist.txt block known scanners and security providers to reduce discovery (“uses the script file fw.sh to block incoming connections from specific IP addresses… to prevent the site from being scanned and analyzed”).

Indicators of Compromise

  • [Domain/IPs] Download sites and C2 hosting – rewards.roshan.af, 80.85.156.232, 80.85.156.240, 80.85.156.151, 103.159.132.91
  • [Subdomains/domains] Redirects and scripts – myanmarfreedomwork.org (Js/jQuery.min.js), johnsimde.xyz (sa2il.johnsimde.xyz, iot.johnsimde.xyz) and similar hosts
  • [File names/archives] Malicious archives and droppers – Documents.rar, Note-1.rar, Note-2.7z, WaveeditNero.exe, waveedit.dll, Document.rar (and other archived payloads)
  • [Malware names] Observed toolset – TONEDROP (dropper), TONESHELL (backdoor, variant D), TONEINS, MIROGO (TinyNote), QMAGENT (MQsTTang)
  • [Paths/URLs] Malicious URL patterns – /aspnet_client/View.htm, /aspnet_client/gdrive.htm, /aspnet_client/acv.htm, /fav/xxxx, /f/xx (used to target country codes)
  • [Config/file path] Stored victim identifier – %USERPROFILE%\AppData\Roaming\Microsoft\Web.Facebook.config (stores victim_id)

Earth Preta’s 2023 technical workflow centers on tailored delivery chains and a small private toolset. MIROGO samples were distributed via spear-phishing emails carrying password-protected Note-2.7z archives; extracting the archive yields an executable masquerading as government correspondence. QMAGENT leverages MQTT as an unauthenticated transport for C2, which allowed researchers to subscribe to the topic and observe victim “Alive” times; MIROGO and QMAGENT share similar C2 response structures despite using different transport protocols. TONEDROP functions as a dropper: it checks for a compromise marker (C:\ProgramData\LuaJIT) and for analysis artifacts, aborts if analysis is detected, then XOR-decrypts the embedded files to user-public paths.

TONEDROP’s installation sequence drops WaveeditNero.exe (a legitimate binary) and waveedit.dll (malicious), decrypts two fake PDF blobs into WinDbg(X64).exe and libvlc.dll, and configures a scheduled task to run WinDbg(X64).exe, which sideloads libvlc.dll. The in-memory payload is constructed and executed using EnumDisplayMonitors callbacks. TONESHELL variant D uses a custom C2 packet: a 3-byte magic (17 03 03), a 2-byte size, and an encrypted payload. The initial handshake sends a 0x221-byte buffer containing a 0x200-byte xor_key, a type (0x08), a CoCreateGuid-generated victim_id and a GetTickCount-derived xor_key_seed, with victim_id persisted to the AppData Roaming config file. Command codes include file write, command execution, information collection, and file deletion.
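The 17 03 03 magic is also the header of a TLS 1.2 application-data record, so the framing described above passes as TLS at a glance; a genuine TLS session, however, always opens with a handshake record (0x16). The parser and stream check below are an added example written for this summary, not Trend Micro's code or TONESHELL's: they split a captured stream into magic/size/payload frames and flag streams that begin with application-data records and no handshake. The size field's endianness is not stated on the page, so big-endian (as in real TLS) is assumed, and the sample bytes are constructed.

```python
"""Frame parser and stream heuristic for the TONESHELL-style C2 framing."""
from __future__ import annotations

from dataclasses import dataclass
from typing import List

MAGIC = b"\x17\x03\x03"          # TLS 1.2 application-data record header
TLS_HANDSHAKE = 0x16             # record type a real TLS stream starts with


@dataclass
class Frame:
    size: int        # value of the 2-byte size field
    payload: bytes   # still-encrypted payload bytes


def parse_frames(stream: bytes) -> List[Frame]:
    """Split a stream into magic/size/payload frames.

    Stops at the first frame that lacks the magic or is truncated rather than
    guessing, so partial captures yield only the complete frames.
    """
    frames: List[Frame] = []
    off = 0
    while off + 5 <= len(stream):
        if stream[off:off + 3] != MAGIC:
            break
        # Assumption: size is big-endian and counts only the payload.
        size = int.from_bytes(stream[off + 3:off + 5], "big")
        body = stream[off + 5:off + 5 + size]
        if len(body) < size:
            break  # truncated frame at end of capture
        frames.append(Frame(size, body))
        off += 5 + size
    return frames


def is_suspect_stream(stream: bytes) -> bool:
    """Flag a stream whose very first record is application data.

    Real TLS begins with a handshake record (0x16 0x03 0x0?), so 17 03 03 at
    offset 0 means the peers skipped the handshake the magic imitates.
    """
    return len(stream) >= 3 and stream[0] != TLS_HANDSHAKE and stream[:3] == MAGIC


# Constructed samples: two complete fake-TLS frames plus a truncated third,
# and a stream that starts with a (dummy) TLS handshake record instead.
SAMPLE_C2 = (MAGIC + (16).to_bytes(2, "big") + b"\xaa" * 16
             + MAGIC + (4).to_bytes(2, "big") + b"\x01\x02\x03\x04"
             + b"\x17\x03\x03\x00")
SAMPLE_TLS = b"\x16\x03\x01\x00\x05" + b"\x01" * 5 + MAGIC + b"\x00\x02\xcc\xcc"
```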

The attacker infrastructure relied on fake Google Drive pages and obfuscated JavaScript (jQuery.min.js) to fetch Documents.rar/Note-1.rar from hosts such as rewards.roshan.af and various IPs. The backend (app.py) serves payloads conditionally based on User-Agent (e.g., Windows NT 10/6) and logs every source IP, header, and requested URL into /static, exposing victim country mapping via signature image requests. The server also contains fw.sh and blacklist.txt to block known crawlers and security providers, a webchat with hard-coded credentials (john:john, tom:tom), and open directories that revealed templates, client.py (WebSocket messaging), and logging files used to correlate targets and infer campaign scope.

Read more: https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html