- Trend Micro has seen Earth Preta dodging antivirus in a new attack
- The malware checks whether ESET antivirus is installed
- The malware hijacks legitimate processes to inject malicious code
A Chinese hacking group tracked as Earth Preta, also known as Mustang Panda, has been observed using the Microsoft Application Virtualization Injector (MAVInject.exe) to evade antivirus software by injecting malicious code into legitimate processes.
New research from Trend Micro's threat-hunting team shows that the group has also used Setup Factory, a third-party Windows installer builder, to drop and execute malicious payloads.
Earth Preta's focus is mostly the Asia-Pacific region; in recent attacks the group has targeted Taiwan, Vietnam and Malaysia.
Dodging antivirus software
The attack begins with Earth Preta spear-phishing a victim and dropping a mixture of legitimate and malicious files into the ProgramData\session directory using IRSetup.exe. Among these files is a legitimate Electronic Arts (EA) application, OriginLegacyCLI.exe, which is used to sideload a modified TONESHELL backdoor, EACore.dll.
Meanwhile, a decoy PDF is opened in the foreground to distract the user from the execution of the payload. In the case examined by Trend Micro's researchers, the PDF presented to the victim asked for the user's cooperation in listing telephone numbers to be added to an anti-crime platform supported by several law enforcement agencies.
In the background, EACore.dll checks whether two files belonging to ESET antivirus, ekrn.exe and egui.exe, are running on the device. If both are detected, EACore.dll runs its DllRegisterServer routine by registering itself with regsvr32.exe.
To bypass the antivirus, the malware then uses MAVInject.exe to inject malicious code into a running waitfor.exe process. waitfor.exe is a legitimate Windows utility used to synchronise processes or trigger an action once a signal or command is received, and because it is a trusted system binary it is typically ignored by antivirus software.
If the ESET files are not found, an exception handler is triggered that causes the malware to inject code directly into waitfor.exe using the WriteProcessMemory and CreateRemoteThreadEx APIs. Finally, the malware establishes a connection to a threat actor-controlled command and control (C2) server.
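The chain described above leaves a recognisable trail in process-creation telemetry: regsvr32.exe registering a DLL from ProgramData, waitfor.exe spawned by a program in ProgramData, and mavinject.exe being invoked at all. The following detection logic, added here as an example and not Trend Micro's code, runs three such rules over constructed Sysmon-style records; the pipe-separated record format, the sample PID and the rule names are assumptions.

```python
"""Detection rules for the regsvr32 / mavinject.exe / waitfor.exe chain.
Added example, not the original article's or Trend Micro's code; the
log format, rule names and sample values are assumptions."""
import re

# Constructed sample records (key=value pairs, pipe-separated), not real telemetry.
SAMPLE_LOG = """\
Image=C:\\ProgramData\\session\\OriginLegacyCLI.exe|ParentImage=C:\\ProgramData\\session\\IRSetup.exe|CommandLine=OriginLegacyCLI.exe
Image=C:\\Windows\\System32\\regsvr32.exe|ParentImage=C:\\ProgramData\\session\\OriginLegacyCLI.exe|CommandLine=regsvr32.exe /s C:\\ProgramData\\session\\EACore.dll
Image=C:\\Windows\\System32\\waitfor.exe|ParentImage=C:\\ProgramData\\session\\OriginLegacyCLI.exe|CommandLine=waitfor.exe placeholder_signal
Image=C:\\Windows\\System32\\mavinject.exe|ParentImage=C:\\ProgramData\\session\\OriginLegacyCLI.exe|CommandLine=mavinject.exe 4120 C:\\ProgramData\\session\\EACore.dll
Image=C:\\Windows\\System32\\regsvr32.exe|ParentImage=C:\\Windows\\System32\\msiexec.exe|CommandLine=regsvr32.exe /s C:\\Windows\\System32\\vbscript.dll
"""

# Directories a standard user can write to; a DLL or parent living here is suspect.
USER_WRITABLE = re.compile(r"\\(ProgramData|Users\\[^\\]+\\AppData|Temp)\\", re.I)

def parse(line):
    """Turn one 'k=v|k=v' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))

def check(rec):
    """Return the list of rule names the record matches (empty if benign)."""
    image = rec["Image"].rsplit("\\", 1)[-1].lower()
    cmd, parent = rec["CommandLine"], rec["ParentImage"]
    findings = []
    # Rule 1: regsvr32 registering a DLL from a user-writable directory.
    if image == "regsvr32.exe" and USER_WRITABLE.search(cmd):
        findings.append("regsvr32_userwritable_dll")
    # Rule 2: mavinject.exe outside App-V is rare; worse when the DLL is user-writable.
    if image == "mavinject.exe":
        findings.append("mavinject_invoked")
        if USER_WRITABLE.search(cmd):
            findings.append("mavinject_userwritable_dll")
    # Rule 3: waitfor.exe launched by a parent that lives in a user-writable directory.
    if image == "waitfor.exe" and USER_WRITABLE.search(parent):
        findings.append("waitfor_from_userwritable_parent")
    return findings

def analyze(log_text):
    """Return (image basename, findings) for every record that matched a rule."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            rec = parse(line)
            found = check(rec)
            if found:
                hits.append((rec["Image"].rsplit("\\", 1)[-1].lower(), found))
    return hits
```

Tuning the parent-process rule to your environment matters: waitfor.exe is legitimately used from scripts, so the rule keys on where the parent lives rather than on waitfor.exe alone.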
Because of the similarity of the attack vector observed by Trend Micro to earlier activity, and the use of the same C2 server in another Earth Preta attack, the researchers attribute this attack to Earth Preta with medium confidence.