Researchers from Trend Micro’s Threat Hunting team have uncovered a sophisticated cyberattack campaign by the advanced persistent threat (APT) group Earth Preta, also known as Mustang Panda.
The group has been leveraging new techniques to infiltrate systems and evade detection, primarily targeting government entities in the Asia-Pacific region, including Taiwan, Vietnam, Malaysia, and Thailand.
Earth Preta employs a combination of spear-phishing emails and advanced malware to compromise Windows systems.
The group uses the Microsoft Application Virtualization Injector (MAVInject.exe) to inject malicious payloads into legitimate Windows processes, such as waitfor.exe, particularly when ESET antivirus software is detected.

This approach allows them to bypass security measures and maintain persistence on infected systems.
The attack chain begins with the execution of a malicious file (IRSetup.exe), which drops multiple files, both legitimate executables and malicious components, onto the system.
To distract victims, the attackers deploy a decoy PDF that appears to be an official document, such as one requesting cooperation on an anti-crime platform allegedly supported by government agencies.


Malware Analysis
The core of Earth Preta’s operation involves a modified variant of the TONESHELL backdoor malware.
This backdoor is sideloaded using OriginLegacyCLI.exe, a legitimate Electronic Arts (EA) application, along with a malicious DLL (EACore.dll).
The malware communicates with a command-and-control (C&C) server at www[.]militarytc[.]com:443 for data exfiltration and remote operations.
Key capabilities of the malware include:
- Reverse shell access
- File deletion and movement
- Persistent storage of victim identifiers for future exploitation
The malware also adapts its behavior based on the presence of ESET antivirus software.
If detected, it uses MAVInject.exe to inject code into running processes; otherwise, it employs alternative techniques such as the WriteProcessMemory and CreateRemoteThreadEx APIs for code injection.
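The behaviours described in the attack chain and the malware analysis above (MAVInject.exe driving code into waitfor.exe, EACore.dll sideloaded by OriginLegacyCLI.exe, and beaconing to the reported C&C domain) are each visible in ordinary endpoint telemetry. The following is an added detection example, not code from Trend Micro or from the report; it runs four triage rules over constructed Sysmon-style events. The "key=value | key=value" record format, the sample paths, and the list of expected parent processes for mavinject are assumptions to adapt per environment; the /INJECTRUNNING switch comes from public documentation of the tool rather than from this article, and the C&C domain is the one the report names.

```python
"""Triage rules for the Earth Preta tradecraft described above (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (assumed "type=... | key=value" format standing in
# for Sysmon process-create, remote-thread, image-load and network events).
SAMPLE_EVENTS = r"""
type=ProcessCreate | image=C:\Windows\System32\MAVInject.exe | parent=C:\Users\v\AppData\Local\Temp\OriginLegacyCLI.exe | cmdline=MAVInject.exe 4712 /INJECTRUNNING C:\Users\v\AppData\Local\Temp\EACore.dll
type=CreateRemoteThread | source=C:\Windows\System32\MAVInject.exe | target=C:\Windows\System32\waitfor.exe
type=ProcessCreate | image=C:\Windows\System32\MAVInject.exe | parent=C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe | cmdline=MAVInject.exe 2020 /INJECTRUNNING C:\Program Files\Microsoft Application Virtualization\Client\Subsystem.dll
type=ImageLoad | image=C:\Users\v\AppData\Local\Temp\OriginLegacyCLI.exe | loaded=C:\Users\v\AppData\Local\Temp\EACore.dll | signed=false
type=ImageLoad | image=C:\Program Files\Origin\OriginLegacyCLI.exe | loaded=C:\Program Files\Origin\EACore.dll | signed=true
type=NetworkConnect | image=C:\Users\v\AppData\Local\Temp\OriginLegacyCLI.exe | dest=www.militarytc.com | port=443
type=NetworkConnect | image=C:\Program Files\Mozilla Firefox\firefox.exe | dest=www.example.org | port=443
"""

# Directories an unprivileged user can write to; a DLL loaded or injected from
# here is far more suspicious than one under Program Files or System32.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.IGNORECASE)

# Parents from which mavinject is expected to be spawned (assumption: the App-V
# client; tune to what is actually observed in your environment).
MAVINJECT_EXPECTED_PARENTS = {"appvclient.exe"}

# C&C domain from the report, refanged from www[.]militarytc[.]com.
KNOWN_C2 = {"www.militarytc.com", "militarytc.com"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse the constructed record format into one dict per event."""
    events = []
    for line in text.strip().splitlines():
        fields = {}
        for part in line.split(" | "):
            key, _, value = part.partition("=")
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events


def evaluate(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule a single event trips."""
    hits = []
    kind = ev.get("type")
    if kind == "ProcessCreate" and basename(ev.get("image", "")).startswith("mavinject"):
        # Legitimate App-V use has a known parent; anything else is worth a look.
        if basename(ev.get("parent", "")) not in MAVINJECT_EXPECTED_PARENTS:
            hits.append("mavinject-unexpected-parent")
        # The DLL handed to /INJECTRUNNING should not live in a user-writable path.
        if USER_WRITABLE.search(ev.get("cmdline", "")):
            hits.append("mavinject-user-writable-dll")
    elif kind == "CreateRemoteThread" and basename(ev.get("target", "")) == "waitfor.exe":
        # waitfor.exe has no business receiving injected threads.
        hits.append("remote-thread-into-waitfor")
    elif kind == "ImageLoad" and basename(ev.get("loaded", "")) == "eacore.dll":
        # Sideload candidate: unsigned copy, or loaded from a user-writable path.
        if ev.get("signed", "false").lower() != "true" or USER_WRITABLE.search(ev["loaded"]):
            hits.append("eacore-sideload-candidate")
    elif kind == "NetworkConnect" and ev.get("dest", "").lower() in KNOWN_C2:
        hits.append("known-c2-domain")
    return hits


def triage(text: str) -> List[Tuple[int, str, str]]:
    """Run every rule over every event; returns (event index, rule, process)."""
    findings = []
    for index, ev in enumerate(parse_events(text)):
        for rule in evaluate(ev):
            findings.append((index, rule, ev.get("image") or ev.get("source", "")))
    return findings


if __name__ == "__main__":
    for index, rule, process in triage(SAMPLE_EVENTS):
        print(f"event {index}: {rule:<30} {process}")
```

Run against the sample, the benign App-V launch (event 2) and the properly installed, signed EACore.dll (event 4) produce no findings, while the injection into waitfor.exe, the unsigned DLL in a Temp directory and the connection to the reported domain are each flagged. Each rule is deliberately narrow so it can be reasoned about individually; in production the mavinject parent allow-list and the user-writable path pattern are the two knobs most likely to need tuning.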
Trend Micro attributes this campaign to Earth Preta with medium confidence based on shared tactics, techniques, and procedures (TTPs) observed in previous campaigns.
The group has been active since at least 2022 and has reportedly compromised over 200 victims during this period.
Their operations are characterized by their focus on government entities and their reliance on phishing as an initial attack vector.
This campaign underscores the evolving sophistication of APT groups like Earth Preta. By combining legitimate tools with custom malware, they can evade detection and infiltrate high-value targets.
Organizations in the Asia-Pacific region are particularly at risk and should remain vigilant against phishing attempts and ensure robust endpoint protection measures are in place.