The Chinese state-sponsored threat actor known as Mustang Panda has been observed employing a novel technique to evade detection and maintain control over infected systems.
This involves the use of a legitimate Microsoft Windows utility called Microsoft Application Virtualization Injector (MAVInject.exe) to inject the threat actor’s malicious payload into an external process, waitfor.exe, whenever the ESET antivirus application is detected running, Trend Micro said in a new analysis.
“The attack involves dropping multiple files, including legitimate executables and malicious components, and deploying a decoy PDF to distract the victim,” security researchers Nathaniel Morales and Nick Dai noted.
“Additionally, Earth Preta utilizes Setup Factory, an installer builder for Windows software, to drop and execute the payload; this enables them to evade detection and maintain persistence in compromised systems.”
The starting point of the attack sequence is an executable (“IRSetup.exe”) that serves as a dropper for several files, including the lure document that’s designed to target Thailand-based users. This alludes to the possibility that the attacks may have involved the use of spear-phishing emails to single out victims.
The binary then proceeds to execute a legitimate Electronic Arts (EA) application (“OriginLegacyCLI.exe”) to sideload a rogue DLL named “EACore.dll” that’s a modified version of the TONESHELL backdoor attributed to the hacking crew.
At the core of the malware’s functionality is a check to determine whether either of two processes associated with ESET antivirus applications (“ekrn.exe” or “egui.exe”) is running on the compromised host; if so, it executes “waitfor.exe” and then uses “MAVInject.exe” to run the malware without getting flagged by the security software.
“Waitfor.exe” is a native Windows utility that takes care of synchronizing processes between one or more networked machines by sending or waiting for a signal or command.
“MAVInject.exe, which is capable of proxy execution of malicious code by injecting to a running process as a means of bypassing ESET detection, is then used to inject the malicious code into it,” the researchers explained. “It is possible that Earth Preta used MAVInject.exe after testing the execution of their attack on machines that used ESET software.”
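An added detection example, not code from the Trend Micro report or the article, that hunts the chain described above in process-creation telemetry (Sysmon Event ID 1 or Windows 4688 style records): it flags a MAVInject.exe launch whose command line names the PID of a waitfor.exe process started earlier in the log. The sample events, PIDs and file paths are constructed; the `/INJECTRUNNING` switch is MAVInject.exe’s documented injection argument.

```python
"""Hunt for the MAVInject.exe -> waitfor.exe proxy-injection pattern in
process-creation telemetry. Added example; records are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    seq: int        # position of the event in the log
    pid: int
    ppid: int
    image: str      # full path of the newly created process
    cmdline: str


def _base(image: str) -> str:
    """Lower-cased file name of an image path (handles both slash styles)."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_mavinject_proxy(events):
    """Return (mavinject_event, waitfor_event) pairs where MAVInject.exe's
    command line carries the PID of a waitfor.exe process created earlier.
    Assumption: the target PID appears as a bare decimal token."""
    waitfor_by_pid = {}
    hits = []
    for ev in sorted(events, key=lambda e: e.seq):
        name = _base(ev.image)
        if name == "waitfor.exe":
            waitfor_by_pid[ev.pid] = ev
        elif name == "mavinject.exe":
            for tok in ev.cmdline.split():
                if tok.isdigit() and int(tok) in waitfor_by_pid:
                    hits.append((ev, waitfor_by_pid[int(tok)]))
    return hits


# Constructed telemetry modelled on the dropper -> sideload -> waitfor -> MAVInject chain.
SAMPLE = [
    ProcEvent(1, 4120, 900, r"C:\Users\u\AppData\Local\Temp\IRSetup.exe", "IRSetup.exe"),
    ProcEvent(2, 4211, 4120, r"C:\Users\u\AppData\Local\Temp\OriginLegacyCLI.exe", "OriginLegacyCLI.exe"),
    ProcEvent(3, 4300, 4211, r"C:\Windows\System32\waitfor.exe", "waitfor.exe sig1"),
    ProcEvent(4, 4302, 4211, r"C:\Windows\System32\mavinject.exe",
              r"mavinject.exe 4300 /INJECTRUNNING C:\Users\u\AppData\Local\Temp\EACore.dll"),
    # Benign: an operator signalling a peer host from a console session.
    ProcEvent(5, 5000, 600, r"C:\Windows\System32\waitfor.exe", "waitfor.exe /s host1 /si go"),
]

if __name__ == "__main__":
    for inj, tgt in detect_mavinject_proxy(SAMPLE):
        print(f"ALERT: pid {inj.pid} ({inj.cmdline}) injects into waitfor.exe pid {tgt.pid}")
```

Pair the rule with a parent-process check (waitfor.exe or mavinject.exe spawned by something other than a console host) to reduce false positives from legitimate App-V usage.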
The malware ultimately decrypts the embedded shellcode that allows it to establish connections with a remote server (“www.militarytc[.]com:443”) to receive commands for establishing a reverse shell, moving files, and deleting files.
“Earth Preta’s malware, a variant of the TONESHELL backdoor, is sideloaded with a legitimate Electronic Arts application and communicates with a command-and-control server for data exfiltration,” the researchers said.
ESET Responds
Following the publication of the story, ESET shared the following statement with The Hacker News:
At 15:30 CET, February 18, 2025, ESET communications teams were made aware of a research blog published by Trend Micro that names ESET “antivirus application” as the target of APT Group Mustang Panda a.k.a. Earth Preta.
We disagree with the published findings that this attack “effectively bypasses ESET antivirus”. This is not a bypass and we are bemused that Trend Micro did not alert ESET to discuss their findings.
The reported technique is not novel and ESET technology has been protecting against it for many years. Regarding this specific sample of malware, ESET had previously published details about it through its premium Cyber Threat Intelligence service and added specific detection since January. We have attributed the threat to the China-aligned CeranaKeeper APT Group. ESET users are protected against this malware and technique.
Southeast Asian Activity Links to Bookworm Malware
An analysis of cyber attacks targeting organizations in countries affiliated with the Association of Southeast Asian Nations (ASEAN) has uncovered infrastructure overlaps with a version of a modular malware known as Bookworm.
The intrusions impacting Myanmar have been found leveraging DLL side-loading techniques to launch PUBLOAD, a known downloader malware attributed to Mustang Panda since early 2022. It acts as a stager to communicate with a remote server to obtain a second shellcode-based payload.
“The decoded shellcode decrypts and loads dynamic-link libraries (DLLs) that comprise the Bookworm malware,” Unit 42 researcher Robert Falcone said. “The Bookworm module responsible for communicating with its C2 server will issue HTTP POST requests to either www.fjke5oe[.]com or update.fjke5oe[.]com with the URL path previously seen in the PUBLOAD sample.”
The cybersecurity company said it also uncovered source code similarities between Bookworm and a variant of the TONESHELL backdoor, raising the possibility that the same developer could have created the malware artifacts.
“The Bookworm malware has proven to be very versatile and a threat actor can repackage it to meet their operational requirements,” Falcone noted. “This versatility suggests Bookworm will show up again in future attacks.”
(The story was updated after publication to include a response from ESET and new findings from Palo Alto Networks Unit 42.)