Summary
- Researchers from Trend Micro’s Threat Hunting team discovered that Earth Preta, also known as Mustang Panda, uses the Microsoft Application Virtualization Injector to inject payloads into waitfor.exe whenever an ESET antivirus application is detected.
- They utilize Setup Factory to drop and execute the payloads for persistence and to avoid detection.
- The attack involves dropping multiple files, including genuine executables and harmful components, and deploying a decoy PDF to distract the victim.
- Earth Preta’s malware, a variant of the TONESHELL backdoor, is sideloaded with a legitimate Electronic Arts application and communicates with a command-and-control server for data exfiltration.
Trend Micro’s Threat Hunting team has come across a new technique employed by Earth Preta, also known as Mustang Panda. Earth Preta’s attacks have been known to focus on the Asia-Pacific region: more recently, one campaign used a variant of the DOPLUGS malware to target Taiwan, Vietnam, and Malaysia, among other countries. The group, which favors phishing in its campaigns and tends to target government entities, has had over 200 victims since 2022.
This advanced persistent threat (APT) group has been observed leveraging a Windows utility that is able to inject code into external processes, the Microsoft Application Virtualization Injector (MAVInject.exe). It uses this utility to inject Earth Preta’s payload into waitfor.exe, a Windows utility used to send or wait for signals between networked computers, whenever an ESET antivirus application is detected running. Additionally, Earth Preta uses Setup Factory, an installer builder for Windows software, to drop and execute the payload; this enables the group to evade detection and maintain persistence on compromised systems.
Technical analysis
In Earth Preta’s attack chain, the initial malicious file, IRSetup.exe, is used to drop multiple files into the ProgramData\session directory (see Figure 1). These files are a mix of legitimate executables and malicious components (see Figure 2).


A decoy PDF tailored to users in Thailand is also opened, presumably to distract the victim while the malicious payload executes in the background (see Figure 3). The decoy document asks the recipient to cooperate in building a whitelist of telephone numbers to support an anti-crime platform, supposedly a project endorsed by several government bodies.
This approach is consistent with Earth Preta’s earlier campaigns, in which the group used targeted spear-phishing messages to reach victims and opened a decoy PDF to divert attention while the malicious payload ran quietly in the background.

The dropper then launches OriginLegacyCLI.exe, a legitimate Electronic Arts (EA) application, to sideload EACore.dll, a modified variant of the TONESHELL backdoor used by Earth Preta, as shown in Figure 4.

TONESHELL backdoor – EACore.dll
EACore.dll contains several export functions, as shown in Figure 5 below, but all of them lead to the same malicious routine.

One of these exports checks whether either ekrn.exe or egui.exe, both associated with ESET security products, is running on the system (see Figure 6). If either process is found, the malware registers EACore.dll using regsvr32.exe so that its DLLRegisterServer export is executed (see Figure 7).


The DLLRegisterServer export then launches waitfor.exe. MAVInject.exe, which can covertly execute code by injecting it into a running process and is used here as a way to bypass ESET’s detection, is then invoked to inject the malicious code into that process (see Figure 8) with the following command:
Mavinject.exe <Target PID> /INJECTRUNNING <Malicious DLL>
It is plausible that Earth Preta adopted MAVInject.exe after confirming that their attack worked on machines running ESET security software.

Special handler
The malware also includes a separate handler (see Figure 9) that runs when no ESET applications are found, allowing it to continue its operation. Instead of delivering the malicious code through MAVInject.exe, it injects its code directly into waitfor.exe using the WriteProcessMemory and CreateRemoteThreadEx APIs (see Figure 10).


Command and control (C&C) information
The malware decodes the shellcode stored in the .data section (Figure 11), which includes the functions for connecting with its C2 server, www[.]militarytc[.]com:443 (Figure 12).


The malware interacts with the command-and-control (C2) server through the ws2_32.send API call. It creates a random identifier, collects the computer name, and transmits this data to the C2 server. The C2 protocol closely resembles that of its previous version, as described in our previous analysis. Nonetheless, this iteration introduces some minor modifications. For instance, the generated victim ID is now saved to current_directory\CompressShaders for persistence. Furthermore, the handshake packet has a slightly different structure, as shown in Table 1.
| Offset | Size | Name | Description |
|---|---|---|---|
| 0x0 | 0x3 | magic | 17 03 03 |
| 0x3 | 0x2 | size | The payload size |
| 0x5 | 0x100 | key | The payload encryption key |
| 0x105 | 0x10 | victim_id | The unique victim ID (generated by CoCreateGuid) |
| 0x115 | 0x1 | reserved | |
| 0x116 | 0x4 | hostname_length | The length of the hostname |
| 0x11A | hostname_length | hostname | The hostname |
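As an added example (not code from the original analysis), the following Python splits a handshake packet laid out as in Table 1 into its fields, so an analyst can pull the victim ID and hostname out of a captured packet. The table does not state byte order, so the size field is assumed big-endian (matching the TLS record header the magic mimics), hostname_length is assumed little-endian, and victim_id is assumed to be the raw GUID bytes as CoCreateGuid writes them; the builder exists only to construct test input.

```python
import struct
import uuid

MAGIC = b"\x17\x03\x03"      # Table 1: bytes 17 03 03 at offset 0x0 (looks like a TLS record)
HOSTNAME_OFFSET = 0x11A      # Table 1: fixed fields end here, the hostname follows


def build_handshake(key: bytes, victim_id: bytes, hostname: str) -> bytes:
    """Construct a sample packet with the Table 1 layout (test data only, not a real capture)."""
    if len(key) != 0x100 or len(victim_id) != 0x10:
        raise ValueError("key must be 0x100 bytes and victim_id 0x10 bytes")
    host = hostname.encode("utf-8")
    body = key + victim_id + b"\x00" + struct.pack("<I", len(host)) + host
    # ASSUMPTION: size covers everything after the 5-byte header, big-endian like TLS.
    return MAGIC + struct.pack(">H", len(body)) + body


def parse_handshake(packet: bytes) -> dict:
    """Split a handshake packet into its Table 1 fields; raises ValueError on malformed input."""
    if len(packet) < HOSTNAME_OFFSET:
        raise ValueError("packet shorter than the 0x11A-byte fixed header")
    if packet[0:3] != MAGIC:
        raise ValueError("magic mismatch, not a TONESHELL-style handshake")
    size = struct.unpack_from(">H", packet, 0x3)[0]
    if size != len(packet) - 5:
        raise ValueError("size field disagrees with packet length")
    key = packet[0x5:0x105]
    victim_id = packet[0x105:0x115]
    # 0x115 is the reserved byte; hostname_length is a 4-byte integer at 0x116 (ASSUMED little-endian).
    hostname_length = struct.unpack_from("<I", packet, 0x116)[0]
    end = HOSTNAME_OFFSET + hostname_length
    if end != len(packet):
        raise ValueError("hostname_length does not match the remaining bytes")
    return {
        "size": size,
        "key": key,
        # ASSUMPTION: CoCreateGuid output stored as-is, so the first three GUID fields are little-endian.
        "victim_id": str(uuid.UUID(bytes_le=victim_id)),
        "hostname": packet[HOSTNAME_OFFSET:end].decode("utf-8", errors="replace"),
    }
```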
The command codes have also undergone slight changes. In this version, all debug strings have been eliminated. It supports command codes 4 through 19 and offers the following functionalities:
- Reverse shell
- Erase file
- Transfer file

Association with Earth Preta
Regarding attribution, we assess this version to be more closely linked to Earth Preta. It was distributed using comparable TTPs (spear-phishing) and behaves like the earlier version described in our prior report on Earth Preta. It uses CoCreateGuid to generate a unique victim ID, which is stored in a standalone file, a trait not seen in previous iterations. Furthermore, the same C2 server was contacted by another sample attributed to Earth Preta, and the shared CyberChef recipe continues to decode the transmitted packet successfully. Given these observations, we attribute this version to Earth Preta with moderate confidence.
Trend Vision One
Trend Vision One™ represents a cybersecurity solution that streamlines security operations and aids organizations in detecting and thwarting threats more rapidly by consolidating diverse security functionalities, empowering better control of the enterprise’s threat landscape, and delivering comprehensive insights into its cyber risk posture. The cloud-powered platform utilizes AI and threat intelligence sourced from 250 million sensors and 16 threat research hubs worldwide, offering holistic risk assessments, enhanced threat identification, and automated risk and threat mitigation choices within a unified solution.
Trend Vision One Threat Intelligence
To proactively counter evolving threats, Trend Vision One users can access a variety of Intelligence Reports and Threat Insights through Vision One. Threat Insights enables users to anticipate cyber threats and prepare for emerging ones by providing comprehensive information on the threat actors, their malicious activities, and the methods they employ. By using this data, customers can proactively safeguard their systems, reduce vulnerabilities, and respond promptly to potential threats.
Trend Vision One Intelligence Reports App [IOC Sweeping]
- Earth Preta Incorporates Both Legitimate and Malicious Elements to Evade Detection
Trend Vision One Threat Insights App
Hunting Queries
Trend Vision One Search App
With the Search App from Trend Vision One, customers have the ability to correlate or explore the malevolent indicators discussed in this blog post within their infrastructure.
Process injection into waitfor.exe with a hardcoded parameter, as used by Earth Preta
processFilePath:*ProgramData\session\OriginLegacyCLI.exe AND objectCmd:*Windows\SysWOW64\waitfor.exe” “Event19030000000” AND tags: “XSAE.F8404”
Additional exploration queries are at the disposal of Vision One customers with Threat Insights Entitlement enabled.
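As an added example (not part of the original post or of any Trend Micro product), the following Python applies the two behaviours described above to process-creation telemetry: waitfor.exe spawned by OriginLegacyCLI.exe, which mirrors the hunting query, and MAVInject.exe invoked with /INJECTRUNNING against a PID that resolves to waitfor.exe. The event fields, PIDs and paths are constructed for the demonstration.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (constructed sample telemetry; field names are assumed)."""
    pid: int
    parent_image: str
    image: str
    cmdline: str


# Matches the command line form quoted above: Mavinject.exe <Target PID> /INJECTRUNNING <DLL>
MAVINJECT_RE = re.compile(r'mavinject\.exe"?\s+(\d+)\s+/INJECTRUNNING\s+(\S+)', re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_waitfor_injection(events):
    """Return (reason, pid, detail) tuples for the two behaviours the analysis describes."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        # 1. The EA binary that sideloads EACore.dll spawning waitfor.exe (mirrors the hunting query).
        if _basename(e.image) == "waitfor.exe" and _basename(e.parent_image) == "originlegacycli.exe":
            hits.append(("waitfor.exe spawned by OriginLegacyCLI.exe", e.pid, e.cmdline))
        # 2. MAVInject.exe asked to inject a DLL into a PID that resolves to waitfor.exe.
        m = MAVINJECT_RE.search(e.cmdline)
        if m and _basename(e.image) == "mavinject.exe":
            target = by_pid.get(int(m.group(1)))
            if target and _basename(target.image) == "waitfor.exe":
                hits.append(("MAVInject.exe /INJECTRUNNING into waitfor.exe", e.pid, m.group(2)))
    # The no-ESET path (WriteProcessMemory + CreateRemoteThreadEx) leaves no process-creation
    # trace; it needs thread-injection telemetry such as Sysmon Event ID 8 instead.
    return hits


# Constructed sample events modelled on the chain in this post (PIDs and paths are made up).
SAMPLE_EVENTS = [
    ProcEvent(4100, r"C:\Windows\explorer.exe", r"C:\ProgramData\session\IRSetup.exe", "IRSetup.exe"),
    ProcEvent(4120, r"C:\ProgramData\session\IRSetup.exe", r"C:\ProgramData\session\OriginLegacyCLI.exe", "OriginLegacyCLI.exe"),
    ProcEvent(4132, r"C:\ProgramData\session\OriginLegacyCLI.exe", r"C:\Windows\SysWOW64\waitfor.exe", "waitfor.exe"),
    ProcEvent(4150, r"C:\Windows\SysWOW64\regsvr32.exe", r"C:\Windows\SysWOW64\waitfor.exe", "waitfor.exe"),
    ProcEvent(4160, r"C:\Windows\SysWOW64\regsvr32.exe", r"C:\Windows\SysWOW64\mavinject.exe",
              r"Mavinject.exe 4150 /INJECTRUNNING C:\ProgramData\session\EACore.dll"),
    ProcEvent(5000, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\waitfor.exe", "waitfor.exe /SI build_done"),
]
```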
Final Thoughts
The latest findings by Trend Micro’s Threat Hunting team underscore the sophisticated techniques Earth Preta uses to infiltrate systems and evade security measures. By using MAVInject.exe to inject malicious payloads into waitfor.exe, and Setup Factory to drop and execute those payloads, Earth Preta effectively bypasses ESET antivirus detection and maintains persistence on compromised systems. The attack chain shows the group’s skill in developing and refining evasion techniques, with the use of legitimate applications such as Setup Factory and OriginLegacyCLI.exe further complicating detection. Organizations must strengthen their monitoring capabilities, focusing on spotting unusual behavior in legitimate processes and executables, to stay ahead of the evolving tactics of APT groups such as Earth Preta.