Earth Preta APT Exploits Microsoft Utility Tool to Control Windows

Researchers from Trend Micro’s Threat Hunting team have recently unveiled a sophisticated cyberattack campaign orchestrated by the advanced persistent threat (APT) group known as Earth Preta, or Mustang Panda. This group has been employing innovative techniques to infiltrate systems while evading detection, with a primary focus on government entities across the Asia-Pacific region, including Taiwan, Vietnam, Malaysia, and Thailand.

Earth Preta’s modus operandi involves a strategic blend of spear-phishing emails and advanced malware designed to compromise Windows systems. A notable tool in their arsenal is the Microsoft Application Virtualization Injector (MAVInject.exe), which they utilize to inject malicious payloads into legitimate Windows processes, such as waitfor.exe, especially when ESET antivirus software is present.

Earth Preta’s kill chain

This sophisticated approach enables them to circumvent security measures and maintain a persistent presence on infected systems. The attack chain typically initiates with the execution of a malicious file, IRSetup.exe, which subsequently drops multiple files—both legitimate executables and malicious components—onto the system. To further mislead victims, the attackers deploy a decoy PDF that masquerades as an official document, often claiming to request cooperation on an anti-crime platform purportedly endorsed by government agencies.

Decoy PDF (left) and translated text (right)

Malware Analysis

At the heart of Earth Preta’s operations lies a modified variant of the TONESHELL backdoor malware. This backdoor is sideloaded using OriginLegacyCLI.exe, a legitimate application from Electronic Arts (EA), alongside a malicious DLL known as EACore.dll. The malware establishes communication with a command-and-control (C&C) server located at www[.]militarytc[.]com:443 for data exfiltration and remote operations.

The malware boasts several key capabilities, including:

  • Reverse shell access
  • File deletion and movement
  • Persistent storage of victim identifiers for future exploitation

Moreover, the malware adapts its behavior to the presence of ESET antivirus software. If ESET is detected, it uses MAVInject.exe to inject its code into a running process; otherwise, it falls back to direct injection through the WriteProcessMemory and CreateRemoteThreadEx APIs.
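One way a defender can look for this behavior in endpoint telemetry, as an added example rather than code from Trend Micro's report: correlate the PID that MAVInject.exe is handed on its command line with an earlier process-create event for waitfor.exe, and flag OriginLegacyCLI.exe loading EACore.dll as the sideload described above. The event field names and the sample events are constructed here to resemble Sysmon process-create and image-load records; the assumption that MAVInject.exe receives its target as a numeric PID argument comes from the tool's public usage, not from the article.

```python
import re

# Constructed Sysmon-style events (not taken from the report). "process"
# mirrors Event ID 1 (process create), "imageload" mirrors Event ID 7.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "image": r"C:\Windows\System32\waitfor.exe",
     "cmd": "waitfor.exe sometoken", "parent": r"C:\Users\u\AppData\Local\Temp\OriginLegacyCLI.exe"},
    {"type": "process", "pid": 4188, "image": r"C:\Windows\System32\mavinject.exe",
     "cmd": r"mavinject.exe 4120 /INJECTRUNNING C:\Users\u\AppData\Local\Temp\EACore.dll",
     "parent": r"C:\Users\u\AppData\Local\Temp\OriginLegacyCLI.exe"},
    {"type": "imageload", "pid": 3990, "image": r"C:\Users\u\AppData\Local\Temp\OriginLegacyCLI.exe",
     "loaded": r"C:\Users\u\AppData\Local\Temp\EACore.dll"},
    {"type": "process", "pid": 5000, "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe", "parent": r"C:\Windows\explorer.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def detect(events):
    """Return a list of (rule, event_pid, detail) hits.

    Rules:
      mavinject_into_waitfor - mavinject.exe launched with a PID argument that
                               matches a previously created waitfor.exe process
      mavinject_execution    - any other mavinject.exe launch (rare outside App-V
                               deployments, so still worth a lower-severity alert)
      eacore_sideload        - OriginLegacyCLI.exe loading a DLL named EACore.dll
    """
    waitfor_pids = set()
    hits = []
    for ev in events:
        name = basename(ev["image"])
        if ev["type"] == "process" and name == "waitfor.exe":
            waitfor_pids.add(ev["pid"])
        elif ev["type"] == "process" and name == "mavinject.exe":
            # First purely numeric argument after the program name is the target PID.
            pids = [int(t) for t in ev["cmd"].split()[1:] if t.isdigit()]
            target = pids[0] if pids else None
            rule = "mavinject_into_waitfor" if target in waitfor_pids else "mavinject_execution"
            hits.append((rule, ev["pid"], target))
        elif ev["type"] == "imageload" and name == "originlegacycli.exe" \
                and basename(ev["loaded"]) == "eacore.dll":
            hits.append(("eacore_sideload", ev["pid"], ev["loaded"]))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Legitimate App-V hosts do run MAVInject.exe, so the PID correlation with waitfor.exe is what raises this from a low-confidence to a high-confidence alert.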

Trend Micro attributes this campaign to Earth Preta with medium confidence, drawing from shared tactics, techniques, and procedures (TTPs) observed in prior campaigns. Active since at least 2022, the group has reportedly compromised over 200 victims during this timeframe. Their operations are particularly characterized by a focus on government entities and a reliance on phishing as the initial attack vector.

This campaign highlights the increasing sophistication of APT groups like Earth Preta. By artfully combining legitimate tools with custom malware, they effectively evade detection and infiltrate high-value targets. Organizations within the Asia-Pacific region should remain vigilant against phishing attempts and ensure robust endpoint protection measures are firmly in place.
