- Trend Micro has spotted Earth Preta dodging antivirus in new attack
- The malware deployment checks to see if ESET antivirus is installed
- Malware hijacks legitimate processes to inject malicious code
A Chinese hacking group tracked as Earth Preta and Mustang Panda has been spotted using the Microsoft Application Virtualization Injector to dodge antivirus software by injecting malicious code into legitimate processes.
New research from Trend Micro’s Threat Hunting team revealed how the group has also been using Setup Factory, a third-party Windows installer builder, to drop and executive malicious payloads.
Earth Preta’s region of focus mostly revolves around the Asia-Pacific region, with the group targeting Taiwan, Vietnam, and Malaysia in recent attacks.
Dodging antivirus software
The attack begins with Earth Preta spear-phishing a victim and depositing a mix of legitimate and malicious files into the ProgramData/session directory using IRSetup.exe. Contained within this mix of files is a legitimate Electronic Arts (EA) app (OriginLegacyCLI.exe) that is used to sideload a modified TONESHELL backdoor, EACore.dll.
While this is happening, a decoy PDF is loaded in the foreground to distract the users from the payload deployment. In the vector studied by the Trend Micro researchers, a PDF asking for the user’s cooperation in listing phone numbers to be added to an anti-crime platform supported by multiple law enforcement agencies was shown to the victim.
In the background, the EACore.dll file is checking to see if two files associated with ESET antivirus are running on the device - ekrn.exe and egui.exe. If either file is detected on the system, EACore.dll executes the DLLRegisterServer function by registering itself with regsevr32.exe.
In order to bypass the antivirus, the malware will then use MAVInject.exe to exploit waitfor.exe in order to inject malicious code into a running process. The waitfor.exe function is used to synchronize processes or trigger a specific action after a signal or command is received, and is therefore typically ignored by antivirus software as it is a legitimate and trusted system process.
If the files associated with ESET are not detected, an exception handler is triggered causing the waitfor.exe to directly inject malicious code using the WriteProcessMemory and CreateRemoteThreadEx APIs. Finally, the malware will establish connection to a threat actor controlled command and control (C2) server.
Due to the attack vector’s similarity to other campaigns observed by Trend Micro, and the observance of the same C2 server in another Earth Preta attack, the researchers attribute this attack to Earth Preta with medium confidence.
ESET reached out to TechRadar Pro to issue the following statement: "At 15:30 CET, February 18, 2025, ESET communications teams were made aware of a research blog published by Trend Micro that names ESET “antivirus application” as the target of APT Group Mustang Panda a.k.a. Earth Preta."
"We disagree with the published findings that this attack "effectively bypasses ESET antivirus". This is not a bypass and we are bemused that Trend Micro did not alert ESET to discuss their findings."
"The reported technique is not novel and ESET technology has been protecting against it for many years. Regarding this specific sample of malware, ESET had previously published details about it through its premium Cyber Threat Intelligence service and added specific detection since January. We have attributed the threat to the China-aligned CeranaKeeper APT Group. ESET users are protected against this malware and technique."
You might also like
- These are the best firewalls around
- Take a look at our guide to the best endpoint protection
- US military and defense contractors hit with Infostealer malware
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.
