Researchers from Trend Micro’s Threat Hunting team have uncovered a sophisticated attack campaign by the advanced persistent threat (APT) group Earth Preta, also known as Mustang Panda.
This group is employing the Microsoft Application Virtualization Injector (MAVInject.exe) to inject malicious payloads into legitimate processes, enabling them to bypass antivirus detection and maintain control over compromised systems.
The campaign primarily targets government entities in the Asia-Pacific region, including Taiwan, Vietnam, and Malaysia.
Exploiting MAVInject for Payload Injection
Earth Preta’s tradecraft relies on MAVInject.exe, a signed Windows component shipped with the Microsoft Application Virtualization (App-V) client whose legitimate purpose is to load a DLL into an already running process.
The group turns this capability against waitfor.exe, a built-in command-line utility that sends or waits for a named signal between machines on a network and is therefore an unremarkable process to see running.
Trend Micro observed that the MAVInject route is taken specifically when ESET antivirus software is detected running on the victim’s system.
Because the injection is carried out by a Microsoft-signed binary into a Microsoft-signed host, the malicious activity sits inside processes that most allowlists and many detection rules treat as trusted, which complicates detection.
The group also packages its payloads with Setup Factory, a commercial Windows installer builder, so that the dropper looks like an ordinary software installer.
This lets the initial stage pass through security controls and establishes a foothold on the infected system.
The chain begins with execution of a malicious installer (IRSetup.exe), which drops a bundle of files to disk.
The bundle mixes legitimate signed executables with the malicious components that will be loaded into them.
Decoy Tactics and Backdoor Deployment
To hold the victim’s attention while the installer runs, Earth Preta opens a decoy PDF designed to look like an official document.
One decoy aimed at Thailand-based users asked recipients to cooperate in compiling a whitelist of phone numbers for an anti-crime platform.
While the victim reads the decoy, the malicious payload is deployed in the background.
Among the dropped files is OriginLegacyCLI.exe, a legitimate Electronic Arts application, which is abused to sideload EACore.dll, a variant of the TONESHELL backdoor, from the same directory.
This backdoor communicates with a command-and-control (C&C) server and gives the operators a channel for data exfiltration and follow-on activity.
The malware adapts its injection technique to the security software it finds. When ESET processes (ekrn.exe or egui.exe) are detected, it uses MAVInject to inject its payload into waitfor.exe.
If no such process is detected, it injects directly using Windows APIs such as WriteProcessMemory and CreateRemoteThreadEx.
The injected payload is delivered as encrypted shellcode; once running it connects to the C&C server and generates a unique victim identifier, which it stores locally so the same host can be recognized across sessions.
It supports a range of operator commands, including deleting files, opening a reverse shell, and moving files.
Trend Micro attributes this campaign to Earth Preta with medium confidence, based on overlaps with the group’s previous attacks and shared infrastructure.
According to Trend Micro’s tracking, the group has been active since 2022 and has targeted over 200 victims, with spear-phishing emails as its primary initial access vector.
Organizations are advised to monitor for unusual use of legitimate binaries such as MAVInject.exe: launches from a parent other than the App-V client, or injections whose target is a process like waitfor.exe that has no business hosting foreign code.
Where App-V is not in use, security teams should restrict execution of MAVInject.exe through application control, and rely on endpoint detection that correlates process lineage and injection behavior rather than on file reputation alone.
The campaign shows how APT groups like Earth Preta keep shifting toward signed, built-in tooling, and why defenses need to look at how legitimate binaries are used rather than only at what is on disk.
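The following script, added here as an illustration and not taken from the Trend Micro report or from any Earth Preta sample, shows what such monitoring looks like over process-creation telemetry. It scans constructed Sysmon-style process-creation records for MAVInject.exe launched with its documented `<pid> /INJECTRUNNING <dll>` syntax, resolves the target PID to an image name, and flags the case where the parent is not the App-V client or the target is waitfor.exe. It also flags waitfor.exe itself when spawned by an unexpected parent. The event records, file paths, the AppVClient.exe allowlist and the list of expected waitfor.exe parents are all assumptions a defender would tune to their own environment.

```python
"""Hunt for MAVInject.exe abuse of the kind attributed to Earth Preta.

Added illustration, not code from the Trend Micro report. Event records and
paths below are constructed; the AppVClient.exe allowlist and the waitfor.exe
parent heuristic are assumptions to be tuned per environment.
"""
import ntpath
import re
from typing import Dict, List

# MAVInject.exe (and its 32-bit sibling) ships with Windows; "<pid>
# /INJECTRUNNING <dll>" is its documented way to load a DLL into a live process.
INJECT_RE = re.compile(r"(\d+)\s+/INJECTRUNNING\s+(.+)$", re.IGNORECASE)

# Assumed benign parent: the App-V client is what legitimately drives MAVInject.
ALLOWED_PARENTS = {"appvclient.exe"}
# Assumed ordinary launchers of waitfor.exe; anything else is worth a look.
EXPECTED_WAITFOR_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}

# Constructed sample events modelled loosely on Sysmon Event ID 1 fields.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Loader spawns waitfor.exe as an injection host (constructed).
    {"pid": "4120", "image": r"C:\Windows\System32\waitfor.exe",
     "parent": r"C:\ProgramData\session\OriginLegacyCLI.exe",
     "cmdline": "waitfor.exe sig"},
    # ...then uses MAVInject to load the payload DLL into it (constructed).
    {"pid": "4188", "image": r"C:\Windows\System32\mavinject.exe",
     "parent": r"C:\ProgramData\session\OriginLegacyCLI.exe",
     "cmdline": r"mavinject.exe 4120 /INJECTRUNNING C:\ProgramData\session\EACore.dll"},
    # Benign App-V activity: same binary, expected parent, ordinary target.
    {"pid": "1640", "image": r"C:\Program Files\Contoso\LineOfBusiness.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "LineOfBusiness.exe"},
    {"pid": "2204", "image": r"C:\Windows\System32\mavinject.exe",
     "parent": r"C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe",
     "cmdline": r"mavinject.exe 1640 /INJECTRUNNING C:\ProgramData\App-V\Hook.dll"},
    # Ordinary scripted use of waitfor.exe from a batch job.
    {"pid": "3002", "image": r"C:\Windows\System32\waitfor.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "waitfor.exe /S buildhost ready"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, independent of host OS."""
    return ntpath.basename(path).lower()


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per MAVInject injection or odd waitfor.exe launch."""
    image_by_pid = {e["pid"]: e["image"] for e in events}
    findings: List[Dict[str, object]] = []
    for e in events:
        img = basename(e["image"])
        parent = basename(e["parent"])
        if img in ("mavinject.exe", "mavinject32.exe"):
            m = INJECT_RE.search(e["cmdline"])
            if not m:
                continue  # other MAVInject modes are out of scope here
            target_pid, dll = m.group(1), m.group(2).strip()
            target = basename(image_by_pid.get(target_pid, ""))
            findings.append({
                "rule": "mavinject_injectrunning",
                "pid": e["pid"],
                "parent": parent,
                "target_pid": target_pid,
                "target_image": target,
                "dll": dll,
                # An unexpected parent or a waitfor.exe target is each enough.
                "suspicious": parent not in ALLOWED_PARENTS or target == "waitfor.exe",
            })
        elif img == "waitfor.exe" and parent not in EXPECTED_WAITFOR_PARENTS:
            findings.append({
                "rule": "waitfor_unusual_parent",
                "pid": e["pid"],
                "parent": parent,
                "suspicious": True,
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Run against the constructed events, the script reports the waitfor.exe launched by OriginLegacyCLI.exe, the MAVInject call that targets it with EACore.dll as suspicious, and the App-V-driven MAVInject call as a benign match; the batch-job waitfor.exe produces nothing. In production the same two checks map naturally onto Sysmon Event ID 1 (process creation) and, for the direct WriteProcessMemory/CreateRemoteThreadEx path the article also describes, Event ID 8 (CreateRemoteThread) and Event ID 10 (process access).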