The Chinese state-sponsored threat actor Mustang Panda, which Trend Micro tracks as Earth Preta, has been observed utilizing a novel technique to evade detection and maintain control over infected systems, according to a new analysis by Trend Micro.
This technique involves the use of a legitimate Microsoft Windows utility, Microsoft Application Virtualization Injector (MAVInject.exe), to inject the threat actor’s malicious payload into an external process, waitfor.exe, whenever the ESET antivirus application is detected running.
Security researchers Nathaniel Morales and Nick Dai noted, “The attack involves dropping multiple files, including legitimate executables and malicious components, and deploying a decoy PDF to distract the victim.”
Additionally, Earth Preta utilizes Setup Factory, an installer builder for Windows software, to drop and execute the payload, enabling the group to evade detection and maintain persistence on compromised systems.
The attack sequence begins with an executable (“IRSetup.exe”) that serves as a dropper for several files, including a lure document designed to target Thailand-based users, suggesting the possibility of spear-phishing emails being used to single out victims.
The binary then proceeds to execute a legitimate Electronic Arts (EA) application (“OriginLegacyCLI.exe”) to sideload a rogue DLL named “EACore.dll”, a modified version of the TONESHELL backdoor attributed to the hacking crew.
The malware checks whether two processes associated with ESET antivirus applications are running on the compromised host and, if so, executes “waitfor.exe” and uses “MAVInject.exe” to run the malware without being flagged by ESET.
Researchers explained, “MAVInject.exe is used to inject the malicious code into the process, allowing the malware to bypass ESET detection. It is possible that Earth Preta used MAVInject.exe after testing the execution of their attack on machines that used ESET software.”
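The detection opportunity here is the process relationship the report describes: a legitimate waitfor.exe launched by an unexpected parent, followed by MAVInject.exe targeting that waitfor.exe PID. The following is an added example (not code from Trend Micro's report) that correlates constructed, simplified Sysmon-style process-creation events; the field names, the sample paths, the `/INJECTRUNNING` command-line form and the allowlist of expected waitfor.exe parents are assumptions to tune for your environment.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events (not real telemetry), modelled on the chain in the report:
# IRSetup.exe -> OriginLegacyCLI.exe (sideloads EACore.dll) -> waitfor.exe + MAVInject.exe
TMP = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "4120", "image": TMP + r"\IRSetup.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "IRSetup.exe"},
    {"pid": "4188", "image": TMP + r"\OriginLegacyCLI.exe",
     "parent_image": TMP + r"\IRSetup.exe", "cmdline": "OriginLegacyCLI.exe"},
    {"pid": "4200", "image": r"C:\Windows\System32\waitfor.exe",
     "parent_image": TMP + r"\OriginLegacyCLI.exe", "cmdline": "waitfor.exe signal"},
    {"pid": "4212", "image": r"C:\Windows\System32\MAVInject.exe",
     "parent_image": TMP + r"\OriginLegacyCLI.exe",
     "cmdline": "MAVInject.exe 4200 /INJECTRUNNING " + TMP + r"\EACore.dll"},  # assumed syntax
    # Benign: waitfor.exe used from a batch script, which should not alert.
    {"pid": "5000", "image": r"C:\Windows\System32\waitfor.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "waitfor.exe signal"},
]

# Assumed allowlist: parents from which waitfor.exe is normally launched.
EXPECTED_WAITFOR_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (rule, pid, detail) tuples for events matching the reported chain."""
    pid_to_image = {e["pid"]: basename(e["image"]) for e in events}
    alerts: List[Tuple[str, str, str]] = []
    for e in events:
        image, parent = basename(e["image"]), basename(e["parent_image"])
        if image == "mavinject.exe":
            # Every numeric token on the command line is a candidate target PID;
            # resolve it against the process table and alert if it is waitfor.exe.
            for tok in re.findall(r"\b\d+\b", e["cmdline"]):
                if pid_to_image.get(tok) == "waitfor.exe":
                    alerts.append(("mavinject_into_waitfor", e["pid"], tok))
        if image == "waitfor.exe" and parent not in EXPECTED_WAITFOR_PARENTS:
            alerts.append(("waitfor_unusual_parent", e["pid"], parent))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In production telemetry the PID-to-image map must be built from the same host and time window, since PIDs are reused.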
The malware ultimately decrypts the embedded shellcode, allowing it to establish connections with a remote server to receive commands for establishing a reverse shell, moving files, and deleting files.
Researchers noted, “Earth Preta’s malware, a variant of the TONESHELL backdoor, is sideloaded with a legitimate Electronic Arts application and communicates with a command-and-control server for data exfiltration.”