Earth Preta (Mustang Panda), a known APT group targeting government entities in the Asia-Pacific region, has been observed using a new technique to evade detection and maintain persistence. Researchers from Trend Micro discovered that the group leverages Microsoft Application Virtualization Injector (MAVInject.exe) to inject malicious payloads into waitfor.exe when an ESET antivirus application is detected. The attack chain begins with IRSetup.exe, which drops multiple files, including a decoy PDF designed to distract victims. The malware, a variant of the TONESHELL backdoor, is sideloaded via OriginLegacyCLI.exe, a legitimate Electronic Arts (EA) application, allowing Earth Preta to execute its payload stealthily. The malware establishes command-and-control (C&C) communication, using the ws2_32.send API call to exfiltrate system information and receive remote commands such as reverse shell execution, file deletion, and file movement.
To bypass detection, the attackers employ several code injection techniques. If ESET processes (ekrn.exe or egui.exe) are found, the malware uses MAVInject.exe to inject malicious code into waitfor.exe. If ESET is not present, it directly injects code using WriteProcessMemory and CreateRemoteThreadEx APIs. Additionally, the malware decrypts shellcode stored in its .data section and communicates with www[.]militarytc[.]com:443, where it sends victim information, including a randomly generated identifier and hostname. The campaign aligns with Earth Preta’s previous tactics, such as spear-phishing and decoy PDFs, and demonstrates a refined approach to maintaining persistence and evading security defenses.
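The behaviours reported above map cleanly onto endpoint telemetry: a dropper launching a signed EA binary, MAVInject.exe being invoked by a non-App-V process, a remote thread landing in waitfor.exe, and an outbound connection to the C&C domain. The script below is an added example, not code from the Trend Micro report; it runs a few such rules over constructed events modelled loosely on Sysmon field names (Image, ParentImage, CommandLine, SourceImage, TargetImage, DestinationHostname, DestinationPort). The field names, the sample paths and PIDs, and the assumption that IRSetup.exe is the direct parent of OriginLegacyCLI.exe are all mine; the process and domain names come from the report, and /INJECTRUNNING is MAVInject's documented injection switch.

```python
"""Detection rules for the Earth Preta / TONESHELL chain described above.

Added example; not part of the original report. Event shape and sample values
are constructed and only loosely follow Sysmon field naming.
"""
import ntpath
from collections import Counter

# Indicators taken from the report (the domain is written defanged there).
C2_DOMAIN = "www.militarytc.com"
C2_PORT = 443

# Constructed sample telemetry: a mix of the reported chain and benign noise.
SAMPLE_EVENTS = [
    {"type": "process_create", "Computer": "WS01", "Image": r"C:\Users\u\Downloads\IRSetup.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "IRSetup.exe"},
    # Assumed parent/child relation: dropper launching the legitimate EA binary that sideloads TONESHELL.
    {"type": "process_create", "Computer": "WS01", "Image": r"C:\Users\u\AppData\Local\Temp\OriginLegacyCLI.exe",
     "ParentImage": r"C:\Users\u\Downloads\IRSetup.exe", "CommandLine": "OriginLegacyCLI.exe"},
    # ESET-present branch: MAVInject.exe invoked to inject into waitfor.exe (PID and DLL path constructed).
    {"type": "process_create", "Computer": "WS01", "Image": r"C:\Windows\System32\mavinject.exe",
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\OriginLegacyCLI.exe",
     "CommandLine": r"mavinject.exe 4321 /INJECTRUNNING C:\Users\u\AppData\Local\Temp\payload.dll"},
    {"type": "create_remote_thread", "Computer": "WS01",
     "SourceImage": r"C:\Windows\System32\mavinject.exe", "TargetImage": r"C:\Windows\System32\waitfor.exe"},
    # ESET-absent branch: direct WriteProcessMemory/CreateRemoteThreadEx from the sideloaded process.
    {"type": "create_remote_thread", "Computer": "WS02",
     "SourceImage": r"C:\Users\u\AppData\Local\Temp\OriginLegacyCLI.exe", "TargetImage": r"C:\Windows\System32\waitfor.exe"},
    {"type": "network_connect", "Computer": "WS01", "Image": r"C:\Windows\System32\waitfor.exe",
     "DestinationHostname": "www.militarytc.com", "DestinationPort": 443},
    # Benign noise that must not fire.
    {"type": "network_connect", "Computer": "WS01", "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationHostname": "update.example.com", "DestinationPort": 443},
    {"type": "create_remote_thread", "Computer": "WS02",
     "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\System32\notepad.exe"},
]


def _name(path):
    """Lower-cased file name of a Windows path (empty string for missing values)."""
    return ntpath.basename(path or "").lower()


def check_event(ev):
    """Return a list of (rule, detail) tuples that one event triggers."""
    hits = []
    kind = ev.get("type")
    if kind == "process_create":
        image, parent = _name(ev.get("Image")), _name(ev.get("ParentImage"))
        cmd = (ev.get("CommandLine") or "").lower()
        if image == "originlegacycli.exe" and parent == "irsetup.exe":
            hits.append(("sideload_chain", f"{parent} launched {image}"))
        # Legitimate App-V use of MAVInject.exe comes from the App-V client, not from a
        # game launcher living in a temp directory; the switch alone is a strong lead.
        if image == "mavinject.exe" and "/injectrunning" in cmd:
            hits.append(("mavinject_injection", f"{parent} ran: {cmd}"))
    elif kind == "create_remote_thread":
        src, tgt = _name(ev.get("SourceImage")), _name(ev.get("TargetImage"))
        # waitfor.exe has no business receiving remote threads from anything.
        if tgt == "waitfor.exe":
            hits.append(("waitfor_injection", f"{src} -> {tgt}"))
    elif kind == "network_connect":
        host = (ev.get("DestinationHostname") or "").lower()
        if host == C2_DOMAIN and ev.get("DestinationPort") == C2_PORT:
            hits.append(("c2_beacon", f"{_name(ev.get('Image'))} -> {host}:{C2_PORT}"))
    return hits


def scan(events):
    """Run every rule over every event and return the alerts as dicts."""
    alerts = []
    for ev in events:
        for rule, detail in check_event(ev):
            alerts.append({"rule": rule, "host": ev.get("Computer"), "detail": detail})
    return alerts


def summarize(events):
    """Count alerts per rule; useful as a quick triage view across many hosts."""
    return dict(Counter(a["rule"] for a in scan(events)))


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['host']}: {alert['detail']}")
```

The waitfor_injection rule fires on both branches of the reported logic, which is the point: whether MAVInject.exe or a direct WriteProcessMemory/CreateRemoteThreadEx call is used, the injected thread still lands in waitfor.exe, so a rule keyed on the target process is more durable than one keyed on the injector. The sideload_chain and c2_beacon rules are brittle by design (specific file and domain names from this campaign) and serve as high-confidence confirmations rather than general coverage.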