Introduction

Mustang Panda [1] [2] [3] [4] [6], also known as Earth Preta [1], is a Chinese state-sponsored espionage group that has been actively targeting government systems in the Asia-Pacific region. By abusing legitimate, signed Microsoft tools [1], the group has developed techniques to bypass endpoint security products and implant backdoors, posing a significant threat to the national security of the affected countries.

Description

Mustang Panda is employing legitimate Microsoft tools to bypass ESET antivirus products and implant backdoors in government systems throughout the Asia-Pacific region. Researchers from Trend Micro have identified a technique in which the group uses the Microsoft Application Virtualization Injector (MAVInject.exe) [1], a signed Microsoft utility [3] shipped with Windows for App-V support, to inject a malicious payload into waitfor.exe [1] [3] [4], a trusted Windows tool used for synchronizing processes across a network. Because the injection is carried out by a Microsoft-signed binary rather than by the malware itself, it sidesteps ESET's defenses; this path is taken only when ESET software is detected on the host, and the group combines it with further evasion techniques to remain resident on compromised systems.

The attack begins with the deployment of IRSetup.exe [1], a dropper that writes several files to disk, including a decoy PDF aimed at Thailand-based users to distract the victim while the malicious payload executes in the background [1]. Among the dropped files is OriginLegacyCLI.exe [1], a legitimate Electronic Arts application [1], which is abused to sideload a modified variant of the Toneshell backdoor [1], EACore.dll [1] [3] [4]. This DLL checks whether the ESET processes ekrn.exe or egui.exe are running. If ESET is found, the malware launches regsvr32.exe to call the DLL's DLLRegisterServer export [1], which in turn starts waitfor.exe and uses MAVInject.exe to inject the malicious code into it [1].

If no ESET product is present, the malware falls back to direct code injection into waitfor.exe using Windows APIs such as WriteProcessMemory and CreateRemoteThreadEx, so the attack proceeds either way [1]. A structured exception handler is used to switch between the two injection methods at runtime depending on whether ESET was detected [3], which makes the loader adaptable to the host's defenses [3]. Once the injected code runs [4], it connects to a command and control (C2) server at militarytc.com:443 [4], sends system information and a victim identifier, and gives the attackers a reverse shell for executing remote commands and performing file operations [4] such as moving and deleting files [4]. The C2 logic itself is carried in shellcode that the malware decrypts from its .data section [1], through which it sends and receives commands and messages.

Mustang Panda has reportedly compromised over 200 victims since 2022 [1], primarily governmental entities in the Asia-Pacific region [1] [5], including Taiwan [1] [5] [6], Vietnam [1] [5], and Malaysia [1] [5], with phishing as its favored initial access technique [1].
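The chain described above (an unsigned EACore.dll sideloaded by OriginLegacyCLI.exe, regsvr32.exe calling DLLRegisterServer on a DLL outside the system directories, waitfor.exe spawned by regsvr32.exe and injected via MAVInject.exe, then an outbound connection from waitfor.exe on port 443) gives several host-level detection opportunities. The following is an added example, not code from Trend Micro, the cited reports or the threat actor: a small Python module that runs rule logic over Sysmon-style process-creation, image-load and network-connection events and correlates the hits. The reduced event shape, the SYSTEM_DIRS list, the rule names and the sample events are assumptions constructed for illustration; the MAVInject command-line form it parses (`MavInject.exe <PID> /INJECTRUNNING <DLL>`) is the tool's documented syntax, and the "any outbound TCP from waitfor.exe is anomalous" rule assumes a baseline in which waitfor.exe only uses mailslot signalling.

```python
# Added example (not code from Trend Micro, the cited reports or the actor):
# rule logic for the waitfor.exe injection chain, run over Sysmon-style events.
# Event fields are reduced to what the rules need; the sample events at the
# bottom are constructed for illustration and are not real telemetry.
from dataclasses import dataclass
from typing import List, Optional, Tuple

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")  # assumed baseline


@dataclass
class Event:
    kind: str                 # "process" (Sysmon EID 1), "imageload" (EID 7) or "network" (EID 3)
    pid: int
    image: str                # full path of the process image
    cmdline: str = ""         # EID 1 only
    parent_image: str = ""    # EID 1 only
    loaded: str = ""          # EID 7: full path of the loaded DLL
    signed: bool = True       # EID 7: Sysmon "Signed" field
    dest_port: int = 0        # EID 3: destination port


def name_of(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dir_of(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def in_system_dir(path: str) -> bool:
    return dir_of(path) in SYSTEM_DIRS


def dll_args(cmdline: str) -> List[str]:
    """Command-line tokens that look like DLL paths (quotes stripped)."""
    return [t.strip('"') for t in cmdline.split() if t.strip('"').lower().endswith(".dll")]


def parse_mavinject(cmdline: str) -> Optional[Tuple[str, str]]:
    """Documented syntax: MavInject.exe <PID> /INJECTRUNNING <DLL>. Returns (pid, dll)."""
    toks = cmdline.split()
    for i, t in enumerate(toks):
        if t.lower() == "/injectrunning" and i >= 1 and i + 1 < len(toks):
            return toks[i - 1], toks[i + 1].strip('"')
    return None


def detect(events: List[Event]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, detail) for every event that matches a rule."""
    pid_image = {e.pid: e.image for e in events if e.kind == "process"}
    findings = []
    for e in events:
        name = name_of(e.image)
        if e.kind == "process":
            if name == "mavinject.exe":
                parsed = parse_mavinject(e.cmdline)
                if parsed:
                    pid_str, dll = parsed
                    target = pid_image.get(int(pid_str), "?") if pid_str.isdigit() else "?"
                    findings.append(("mavinject_injectrunning", e.pid,
                                     f"target={name_of(target)} dll={dll}"))
            elif name == "regsvr32.exe":
                # regsvr32 registering a DLL that lives outside the system directories
                for dll in dll_args(e.cmdline):
                    if not in_system_dir(dll):
                        findings.append(("regsvr32_nonsystem_dll", e.pid, dll))
            elif name == "waitfor.exe" and name_of(e.parent_image) == "regsvr32.exe":
                findings.append(("waitfor_spawned_by_regsvr32", e.pid, e.parent_image))
        elif e.kind == "imageload":
            # Sideload heuristic: unsigned DLL loaded from the EXE's own non-system directory
            if not e.signed and dir_of(e.loaded) == dir_of(e.image) and not in_system_dir(e.image):
                findings.append(("unsigned_sidecar_dll_load", e.pid, e.loaded))
        elif e.kind == "network" and name == "waitfor.exe":
            # Assumption: waitfor.exe only signals peers via mailslots, so any outbound
            # TCP session (the report saw port 443) is anomalous for it
            findings.append(("waitfor_outbound_connection", e.pid, f"port={e.dest_port}"))
    return findings


def chain_detected(events: List[Event], min_rules: int = 3) -> bool:
    """Correlate: a single rule is noisy; several distinct rules in one window are not."""
    return len({rule for rule, _, _ in detect(events)}) >= min_rules


TMP = r"C:\Users\victim\AppData\Local\Temp"
SYS = r"C:\Windows\System32"
SAMPLE_EVENTS = [  # constructed to mirror the reported chain; not real telemetry
    Event("process", 4100, TMP + r"\IRSetup.exe", "IRSetup.exe", r"C:\Windows\explorer.exe"),
    Event("process", 4120, TMP + r"\OriginLegacyCLI.exe", "OriginLegacyCLI.exe", TMP + r"\IRSetup.exe"),
    Event("imageload", 4120, TMP + r"\OriginLegacyCLI.exe", loaded=TMP + r"\EACore.dll", signed=False),
    Event("process", 4132, SYS + r"\regsvr32.exe", 'regsvr32.exe /s "' + TMP + r'\EACore.dll"', TMP + r"\OriginLegacyCLI.exe"),
    Event("process", 4140, SYS + r"\waitfor.exe", "waitfor.exe sig", SYS + r"\regsvr32.exe"),
    Event("process", 4148, SYS + r"\mavinject.exe", "mavinject.exe 4140 /INJECTRUNNING " + TMP + r"\EACore.dll", SYS + r"\regsvr32.exe"),
    Event("network", 4140, SYS + r"\waitfor.exe", dest_port=443),
    Event("process", 5000, SYS + r"\regsvr32.exe", "regsvr32.exe /s " + SYS + r"\shell32.dll", SYS + r"\msiexec.exe"),  # benign
    Event("imageload", 5010, SYS + r"\notepad.exe", loaded=SYS + r"\kernel32.dll", signed=True),  # benign
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:30} pid={pid} {detail}")
    print("chain detected:", chain_detected(SAMPLE_EVENTS))
```

Run against the constructed events, the five malicious records each fire one rule and the two benign records fire none, so `chain_detected` returns True. In a real deployment the PID-to-image map should be built from the full process-creation history rather than the same event batch, and the correlation window should be bounded by host and time; the `/INJECTRUNNING` rule alone is worth alerting on wherever App-V is not in use, since there is little legitimate reason for MAVInject.exe to run outside that context.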

Conclusion

The activities of Mustang Panda highlight the evolving nature of cyber threats, particularly those posed by nation-state actors. The group's abuse of signed, built-in Windows binaries such as MAVInject.exe, regsvr32.exe and waitfor.exe underscores the need for detection that looks at how legitimate tools are used (parent processes, command lines, loaded DLLs and network behaviour) rather than relying on file signatures alone, together with continuous monitoring. Organizations, especially governmental entities, must prioritize the implementation of such behavioural threat detection and employee training against phishing, the group's favoured initial access technique, to mitigate the risks of these attacks. As cyber threats continue to evolve, collaboration between international cybersecurity agencies and the development of proactive defense strategies will be crucial in safeguarding critical infrastructure and sensitive information.

References

[1] https://www.infosecurity-magazine.com/news/mustang-panda-microsoft-bypass/
[2] https://gbhackers.com/earth-preta-apt-exploit-microsoft-utility-tool/
[3] https://cybersecuritynews.com/earth-preta-abuse-microsoft-application-virtualization-injector/
[4] https://unsafe.sh/go-297230.html
[5] https://undercodenews.com/sophisticated-attack-campaign-unveiled-earth-preta-group-uses-mavinject-to-evade-detection/
[6] https://www.hendryadrian.com/chinese-hackers-exploit-mavinject-exe-to-evade-detection-in-targeted-cyber-attacks/