The Chinese state-sponsored threat actor known as Mustang Panda has been observed employing a novel technique to evade detection and maintain control over infected systems.
This involves the use of a legitimate Microsoft Windows utility called Microsoft Application Virtualization Injector (MAVInject.exe) to inject the threat actor’s malicious payload into an external process, waitfor.exe, whenever ESET antivirus application is detected running, Trend Micro said in a new analysis.
“The attack involves dropping multiple files, including legitimate executables and malicious components, and deploying a decoy PDF to distract the victim,” security researchers Nathaniel Morales and Nick Dai noted.
“Additionally, Earth Preta utilizes Setup Factory, an installer builder for Windows software, to drop and execute the payload; this enables them to evade detection and maintain persistence in compromised systems.”
The starting point of the attack sequence is an executable (“IRSetup.exe”) that serves as a dropper for several files, including the lure document that’s designed to target Thailand-based users. This alludes to the possibility that the attacks may have involved the use of spear-phishing emails to single out victims.
The binary then proceeds to execute a legitimate Electronic Arts (EA) application (“OriginLegacyCLI.exe”) to sideload a rogue DLL named “EACore.dll” that’s a modified version of the TONESHELL backdoor attributed to the hacking crew.
Core the malware’s function is a check to determine if two processes associated with ESET antivirus applications — “ekrn.exe” or “egui.exe” — are running on the compromised host, and if so, execute “waitfor.exe” and then use “MAVInject.exe” in order to run the malware without getting flagged by it.
“MAVInject.exe, which is capable of proxy execution of malicious code by injecting to a running process as a means of bypassing ESET detection, is then used to inject the malicious code into it,” the researchers explained. “It is possible that Earth Preta used MAVInject.exe after testing the execution of their attack on machines that used ESET software.”
The malware ultimately decrypts the embedded shellcode that allows it to establish connections with a remote server (“www.militarytc[.]com:443”) to receive commands for establishing a reverse shell, moving files, and deleting files.
“Earth Preta’s malware, a variant of the TONESHELL backdoor, is sideloaded with a legitimate Electronic Arts application and communicates with a command-and-control server for data exfiltration,” the researchers said.