Advanced Persistent Threat (APT) group Earth Preta (a.k.a. Mustang Panda) has been observed weaponizing the Microsoft Application Virtualization Injector (MAVInject.exe) to bypass security software and implant backdoors in government systems across the Asia-Pacific region.

MAVInject.exe is a signed Microsoft utility designed for application virtualization. Earth Preta has repurposed it to inject malicious payloads into the waitfor.exe process, a legitimate Windows networking tool. Trend Micro's Threat Hunting Team noted that this technique allows the group to evade ESET antivirus detection by masking malicious activity under trusted processes.

The campaign, analyzed by Trend Micro's Threat Hunting Team, combines legitimate software with sophisticated code injection to avoid detection. Its components include legitimate executables (a Setup Factory installer), malicious components (EACore.dll, a modified TONESHELL backdoor), and a decoy PDF mimicking a Thai government anti-crime initiative. It also abuses legitimate processes such as OriginLegacyCLI.exe to sideload malicious DLLs, mimicking trusted software behavior to avoid suspicion.

Trend Micro attributes this campaign to Earth Preta with medium confidence, citing overlaps in TTPs, C&C infrastructure (militarytc[.]com), and the use of CoCreateGuid for victim identification.

To mitigate threats from Earth Preta, organizations should monitor legitimate tools like MAVInject.exe and waitfor.exe for unusual activity, use hunting queries to detect suspicious executions, and disable unused services, for example by removing MAVInject.exe if Microsoft App-V is not required.
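As an added example (not code from the article or from Trend Micro), the hunting advice above expressed as a small Python check run over constructed process-creation events in a simplified Sysmon Event ID 1 shape. It flags three things: any execution of MAVInject.exe (worth review on hosts without App-V), a MAVInject.exe command line whose target PID resolves to a waitfor.exe process, and waitfor.exe launched by a parent outside an expected allowlist. The event field names, the parent allowlist, and all paths and PIDs are assumptions for the example; the `/INJECTRUNNING` switch is MAVInject's publicly documented injection argument and is not mentioned in the article.

```python
import ntpath
import re
from typing import Dict, Iterable, List

# Parents from which waitfor.exe is commonly launched (batch or interactive use).
# Assumed allowlist for this example; tune it to the environment being hunted.
WAITFOR_EXPECTED_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}

# Constructed process-creation events (simplified Sysmon Event ID 1 fields).
# These are sample inputs for the example, not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3988,
     "image": r"C:\Windows\System32\waitfor.exe",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\sideloaded_host.exe",  # constructed
     "cmdline": "waitfor.exe signal"},
    {"pid": 4133, "ppid": 3988,
     "image": r"C:\Windows\System32\mavinject.exe",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\sideloaded_host.exe",  # constructed
     "cmdline": r"mavinject.exe 4120 /INJECTRUNNING C:\Users\user\AppData\Local\Temp\payload.dll"},
    {"pid": 5002, "ppid": 5000,
     "image": r"C:\Windows\System32\waitfor.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "waitfor /t 30 BuildDone"},  # benign batch-script usage
    {"pid": 6100, "ppid": 1200,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def hunt(events: Iterable[Dict]) -> List[Dict]:
    """Return a list of findings over the given process-creation events."""
    events = list(events)
    # Map PID -> image name so a MAVInject target PID can be resolved back
    # to the process it points at.
    pid_to_image = {e["pid"]: basename(e["image"]) for e in events}
    findings: List[Dict] = []

    for e in events:
        image = basename(e["image"])
        parent = basename(e["parent_image"])

        if image == "mavinject.exe":
            # Rule 1: any MAVInject execution is review-worthy where App-V is not used.
            findings.append({"rule": "mavinject_execution", "pid": e["pid"]})

            # Rule 2: MAVInject takes the target PID as its first numeric token;
            # resolve it and flag if it is a waitfor.exe process.
            m = re.search(r"\b(\d+)\b", e["cmdline"])
            target_pid = int(m.group(1)) if m else None
            target_image = pid_to_image.get(target_pid) if target_pid is not None else None
            if target_image == "waitfor.exe" or "waitfor" in e["cmdline"].lower():
                findings.append({"rule": "mavinject_targets_waitfor",
                                 "pid": e["pid"], "target_pid": target_pid})

        elif image == "waitfor.exe" and parent not in WAITFOR_EXPECTED_PARENTS:
            # Rule 3: waitfor.exe started by something other than a shell or Explorer.
            findings.append({"rule": "waitfor_unusual_parent",
                             "pid": e["pid"], "parent": parent})

    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

On the constructed input the two events tied to the injection chain produce three findings (an unexpected parent for waitfor.exe, a MAVInject execution, and a MAVInject target resolving to that waitfor.exe PID), while the batch-script waitfor.exe launched from cmd.exe stays quiet. Resolving the target PID against the process table, rather than only string-matching the command line, is what lets the second rule fire even when the DLL path and arguments vary.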
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 18 Feb 2025 12:25:15 +0000