- Trend Micro has spotted Earth Preta dodging antivirus in new attack
- The malware deployment checks to see if ESET antivirus is installed
- Malware hijacks legitimate processes to inject malicious code
A Chinese hacking group tracked as Earth Preta and Mustang Panda has been spotted using the Microsoft Application Virtualization Injector to dodge antivirus software by injecting malicious code into legitimate processes.
New research from Trend Micro’s Threat Hunting team revealed how the group has also been using Setup Factory, a third-party Windows installer builder, to drop and executive malicious payloads.
Earth Preta’s region of focus mostly revolves around the Asia-Pacific region, with the group targeting Taiwan, Vietnam, and Malaysia in recent attacks.
Dodging antivirus software
The attack begins with Earth Preta spear-phishing a victim and depositing a mix of legitimate and malicious files into the ProgramData/session directory using IRSetup.exe. Contained within this mix of files is a legitimate Electronic Arts (EA) app (OriginLegacyCLI.exe) that is used to sideload a modified TONESHELL backdoor, EACore.dll.
While this is happening, a decoy PDF is loaded in the foreground to distract the users from the payload deployment. In the vector studied by the Trend Micro researchers, a PDF asking for the user’s cooperation in listing phone numbers to be added to an anti-crime platform supported by multiple law enforcement agencies was shown to the victim.
In the background, the EACore.dll file is checking to see if two files associated with ESET antivirus are running on the device – ekrn.exe and egui.exe. If either file is detected on the system, EACore.dll executes the DLLRegisterServer function by registering itself with regsevr32.exe.
In order to bypass the antivirus, the malware will then use MAVInject.exe to exploit waitfor.exe in order to inject malicious code into a running process. The waitfor.exe function is used to synchronize processes or trigger a specific action after a signal or command is received, and is therefore typically ignored by antivirus software as it is a legitimate and trusted system process.
If the files associated with ESET are not detected, an exception handler is triggered causing the waitfor.exe to directly inject malicious code using the WriteProcessMemory and CreateRemoteThreadEx APIs. Finally, the malware will establish connection to a threat actor controlled command and control (C2) server.
Due to the attack vector’s similarity to other campaigns observed by Trend Microand the observance of the same C2 server in another Earth Preta attack, the researchers attribute this attack to Earth Preta with medium confidence.
