Full Report
Earth Preta (Mustang Panda), a known APT group targeting government entities in the Asia-Pacific region, has been observed using a new technique to evade detection and maintain persistence. Researchers from Trend Micro discovered that the group leverages Microsoft Application ...
Analysis Summary
# Threat Actor: Earth Preta
## Attribution & Identity
* **Primary Identification:** Earth Preta
* **Known Aliases:** Mustang Panda
* **Associations:** Known APT group.
## Activity Summary
Earth Preta has been observed employing a new, refined technique to evade detection and maintain persistence. This recent campaign utilizes the Microsoft Application Virtualization Injector (MAVInject.exe) to inject malicious payloads into legitimate processes, specifically when ESET antivirus is detected. The observed entry point is compromise of an end user's machine, with data exfiltration as the outcome. The attack chain starts with `IRSetup.exe` dropping files, including a decoy PDF. The malware, a variant of the TONESHELL backdoor, is sideloaded using a legitimate Electronic Arts (EA) application (`OriginLegacyCLI.exe`).
## Tactics, Techniques & Procedures
* **Initial Access:** Spearphishing (consistent with the group's previous tactics).
* **Execution/Defense Evasion (Key New Technique):** Leverages **MAVInject.exe** to inject malicious code into `waitfor.exe` if ESET processes (`ekrn.exe` or `egui.exe`) are detected.
* **Execution/Defense Evasion (Fallback):** If ESET is absent, direct injection is used via `WriteProcessMemory` and `CreateRemoteThreadEx` APIs.
* **Persistence/Defense Evasion:** DLL Side-Loading using `OriginLegacyCLI.exe`.
* **Process Injection:** Injection into `waitfor.exe`, either through MAVInject.exe or through the direct-API fallback described above.
* **Payload Delivery:** Decoy PDF used to distract victims.
* **C2 Communication:** Uses `ws2_32.send` API call for C&C.
* **Data Exfiltration:** Exfiltrates system information and accepts remote commands (reverse shell, file deletion/movement).
* **MITRE ATT&CK IDs (Inferred from TTPs):** T1566 (Phishing), T1574.001 (DLL Side-Loading), T1055 (Process Injection).
## Targeting
* **Sectors:** Government entities.
* **Geography:** Asia-Pacific region.
* **Victims:** Specific organizations were not named, only the industry sector.
## Tools & Infrastructure
* **Malware Families Used:** TONESHELL backdoor (variant).
* **Infrastructure (C2):** `www[.]militarytc[.]com` on port 443.
* **Key Executables/Components Observed:** `IRSetup.exe`, `OriginLegacyCLI.exe` (legitimate EA application), `MAVInject.exe`, `waitfor.exe`.
## Implications
Earth Preta continues to refine its defense evasion strategies, specifically targeting known security software (ESET) with customized injection techniques leveraging legitimate Microsoft components (MAVInject). This demonstrates significant operational security (OPSEC) maturity and a commitment to maintaining long-term persistence within targeted networks.
## Mitigations
* Monitor for the execution of `MAVInject.exe` in conjunction with process manipulation APIs targeting non-standard processes like `waitfor.exe`.
* Monitor for process injection techniques, specifically utilizing `WriteProcessMemory` and `CreateRemoteThreadEx`.
* Investigate unusual sideloading behavior involving legitimate third-party applications like `OriginLegacyCLI.exe`.
* Monitor network connections originating from injected processes to the observed C2 infrastructure.
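The four monitoring points above can be expressed as correlation rules over endpoint telemetry. The following is an added example, not code from the report or from Trend Micro: it runs three rules over a handful of constructed Sysmon-style process-creation and network-connection events (every path, PID, signal name and DLL name in the sample data is made up; only `www.militarytc.com`, `waitfor.exe`, `OriginLegacyCLI.exe`, `IRSetup.exe` and `MAVInject.exe` come from the report). The first rule resolves the PID that MAVInject.exe receives on its command line to an image name, so that injection into `waitfor.exe` is flagged while the App-V client's own legitimate use of MAVInject.exe is not; the second flags the side-loading host spawning injection tooling; the third flags an injected process opening an outbound connection, noting when the destination is the reported C2 host.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str               # "process" (creation) or "network" (outbound connect)
    pid: int
    image: str              # full path of the process image
    parent_image: str = ""
    command_line: str = ""
    dest_host: str = ""     # network events only
    dest_port: int = 0      # network events only


# Injection targets named in the report; none of them should normally receive
# a MAVInject payload or open network connections.
INJECTION_TARGETS = {"waitfor.exe"}
# Legitimate third-party binaries the report names as side-loading hosts.
SIDELOAD_HOSTS = {"originlegacycli.exe"}
# Injector and target images that a side-loading host has no reason to spawn.
INJECTION_TOOLING = {"mavinject.exe"} | INJECTION_TARGETS
# C2 indicator from the report, with defanging removed.
C2_HOSTS = {"www.militarytc.com"}

# MAVInject.exe takes the target PID as its first argument; capture it.
_MAVINJECT_PID = re.compile(r'mavinject\.exe"?\s+(\d+)', re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyse(events):
    """Return a list of (rule, pid, detail) alerts for the given events."""
    alerts = []
    # First pass: PID -> image name, so the PID on MAVInject's command line can
    # be resolved to the process it injects into.
    pid_to_image = {e.pid: basename(e.image) for e in events if e.kind == "process"}
    for e in events:
        name, parent = basename(e.image), basename(e.parent_image)
        if e.kind == "process":
            if name == "mavinject.exe":
                m = _MAVINJECT_PID.search(e.command_line)
                target = pid_to_image.get(int(m.group(1)), "<unknown>") if m else "<unknown>"
                if target in INJECTION_TARGETS:
                    alerts.append(("mavinject_into_sensitive_process", e.pid, target))
            if parent in SIDELOAD_HOSTS and name in INJECTION_TOOLING:
                alerts.append(("sideload_host_spawned_injector", e.pid, f"{parent} -> {name}"))
        elif e.kind == "network" and name in INJECTION_TARGETS:
            known_c2 = e.dest_host.lower() in C2_HOSTS
            detail = f"{e.dest_host}:{e.dest_port}" + (" (known C2)" if known_c2 else "")
            alerts.append(("injected_process_network", e.pid, detail))
    return alerts


# Constructed sample telemetry (paths, PIDs, signal and DLL names are made up).
SAMPLE_EVENTS = [
    Event("process", 1000, r"C:\Windows\explorer.exe"),
    Event("process", 2000, r"C:\Users\u\AppData\Local\Temp\IRSetup.exe",
          r"C:\Windows\explorer.exe"),
    Event("process", 3000, r"C:\Users\u\AppData\Local\Temp\EA\OriginLegacyCLI.exe",
          r"C:\Users\u\AppData\Local\Temp\IRSetup.exe"),
    Event("process", 4321, r"C:\Windows\System32\waitfor.exe",
          r"C:\Users\u\AppData\Local\Temp\EA\OriginLegacyCLI.exe",
          "waitfor.exe EXAMPLE_SIGNAL"),
    Event("process", 5555, r"C:\Windows\System32\mavinject.exe",
          r"C:\Users\u\AppData\Local\Temp\EA\OriginLegacyCLI.exe",
          r'"C:\Windows\System32\mavinject.exe" 4321 /INJECTRUNNING '
          r'"C:\Users\u\AppData\Local\Temp\EA\EXAMPLE_payload.dll"'),
    # Constructed benign case: the App-V client using MAVInject on a virtualised app.
    Event("process", 7000, r"C:\Program Files\ExampleCorp\ExampleApp.exe",
          r"C:\Windows\System32\AppVClient.exe"),
    Event("process", 6000, r"C:\Windows\System32\mavinject.exe",
          r"C:\Windows\System32\AppVClient.exe",
          r'"C:\Windows\System32\mavinject.exe" 7000 /INJECTRUNNING '
          r'"C:\ProgramData\App-V\EXAMPLE_hook.dll"'),
    Event("network", 4321, r"C:\Windows\System32\waitfor.exe",
          dest_host="www.militarytc.com", dest_port=443),
    Event("network", 8000, r"C:\Program Files\Browser\browser.exe",
          dest_host="www.example.com", dest_port=443),
]


if __name__ == "__main__":
    for rule, pid, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:36s} pid={pid:<6d} {detail}")
```

The PID-resolution step is what keeps the first rule useful: MAVInject.exe is a signed Microsoft component with legitimate App-V use, so alerting on its mere execution produces noise, whereas resolving its target to a process that should never be injected into (`waitfor.exe` here) is specific to the reported tradecraft. On a real estate the three allow/deny sets would be populated from an inventory of which parents legitimately spawn MAVInject.exe and which processes are expected to use the network.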