Chinese hackers abuse Microsoft tool to get past antivirus and cause havoc

In a recent analysis, Trend Micro’s Threat Hunting team has uncovered a sophisticated new tactic employed by the Chinese hacking group known as Earth Preta, also referred to as Mustang Panda. This group has been utilizing the Microsoft Application Virtualization Injector to evade detection by antivirus software, specifically targeting legitimate processes to inject malicious code.

The malware’s strategy begins with a check for the presence of ESET antivirus on the target system. If ESET is not detected, the malware proceeds to abuse waitfor.exe, a legitimate Windows utility that antivirus programs often overlook because of its trusted status. Its legitimate purpose is to synchronize processes or trigger actions when a specific signal is received, so malicious code running inside it draws little attention and can operate under the radar.

To deliver and execute its payloads, Earth Preta has been using Setup Factory, a third-party Windows installer builder. The installed component then runs MAVInject.exe, the Microsoft Application Virtualization Injector, to inject the malicious code into the running waitfor.exe process. This method both enhances the stealth of the attack and increases the likelihood of successful infiltration.
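The chain described above (a trusted waitfor.exe process as the host, MAVInject.exe as the injector) leaves a recognisable trace in process-creation telemetry. The following is an added detection example, not code from the article or from Trend Micro: it scans constructed Sysmon-style process-creation records and flags any mavinject.exe launch whose command line targets a waitfor.exe PID, or whose parent is not the App-V client. The `/INJECTRUNNING` switch is MAVInject's documented injection mode but is not mentioned on the page, and treating `AppVClient.exe` as the only benign parent is an assumption that should be tuned per environment.

```python
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (the fields a Sysmon Event ID 1 would carry)."""
    pid: int
    image: str
    cmdline: str
    parent_image: str


# Constructed sample telemetry for illustration only; paths and PIDs are placeholders,
# not indicators from the campaign described in the article.
SAMPLE_EVENTS = [
    # A waitfor.exe spawned by a temp-folder installer: the host process for injection.
    ProcEvent(4100, r"C:\Windows\System32\waitfor.exe",
              "waitfor.exe SIGNAL_NAME_PLACEHOLDER",
              r"C:\Users\user\AppData\Local\Temp\installer.exe"),
    # mavinject.exe told to inject a DLL into PID 4100 (the waitfor.exe above).
    ProcEvent(4112, r"C:\Windows\System32\mavinject.exe",
              r"mavinject.exe 4100 /INJECTRUNNING C:\Users\user\AppData\Local\Temp\payload.dll",
              r"C:\Users\user\AppData\Local\Temp\installer.exe"),
    # A benign-looking App-V injection: App-V client parent, non-waitfor target.
    ProcEvent(5200, r"C:\Windows\System32\mavinject.exe",
              r"mavinject.exe 5180 /INJECTRUNNING C:\ProgramData\App-V\vfs.dll",
              r"C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe"),
    ProcEvent(5180, r"C:\Program Files\Contoso\contoso.exe", "contoso.exe",
              r"C:\Windows\explorer.exe"),
    ProcEvent(6000, r"C:\Windows\System32\notepad.exe", "notepad.exe",
              r"C:\Windows\explorer.exe"),
]

# "<pid> /INJECTRUNNING <dll>" is MAVInject's injection syntax (documented, not from the page).
INJECT_RE = re.compile(r"\b(\d+)\s+/INJECTRUNNING\s+(\S+)", re.IGNORECASE)

# Assumption: the App-V client service is the only parent we treat as expected.
EXPECTED_PARENTS = {"appvclient.exe"}


def _name(path):
    """Case-folded file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def find_mavinject_abuse(events):
    """Return one finding per suspicious mavinject.exe launch.

    A launch is suspicious when its injection target is a waitfor.exe process
    or when its parent is not an expected App-V component.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if _name(e.image) != "mavinject.exe":
            continue
        m = INJECT_RE.search(e.cmdline)
        if not m:
            continue
        target_pid, dll = int(m.group(1)), m.group(2)
        target = by_pid.get(target_pid)
        reasons = []
        if target is not None and _name(target.image) == "waitfor.exe":
            reasons.append("injection target is waitfor.exe")
        if _name(e.parent_image) not in EXPECTED_PARENTS:
            reasons.append(f"unexpected parent {_name(e.parent_image)}")
        if reasons:
            findings.append({"pid": e.pid, "target_pid": target_pid,
                             "dll": dll, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_mavinject_abuse(SAMPLE_EVENTS):
        print(f"mavinject pid={f['pid']} -> target pid={f['target_pid']} "
              f"dll={f['dll']}: {'; '.join(f['reasons'])}")
```

The two rules are deliberately independent: the waitfor.exe rule catches this specific campaign, while the parent-process rule catches the more general pattern of a legitimate injector being driven by something other than the App-V client, which is what survives when the actor picks a different host process next time.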

Once the malicious code is injected, the malware establishes a connection to a command and control (C2) server controlled by the threat actors. The researchers at Trend Micro have noted that the similarities in attack vectors to previous campaigns, along with the identification of the same C2 server in earlier Earth Preta activities, lend medium confidence to their attribution of this attack to the group.
