Chinese state-sponsored threat actors known as Mustang Pandas have been observed using new techniques to avoid detection and maintain control over infected systems.
This involves injecting the malicious payload of a threat actor into an external process using a legitimate Microsoft Windows utility called the Microsoft Application Virtualization Injector (Mavinject.exe). analysis.
“Attacks include deleting multiple files, including legitimate executables and malicious components, and deploying decoy PDFs to deflect victims,” said security researcher Nathaniel Morales. Nick Dye pointed out.
“In addition, Earth Preta can use Setup Factory, an installer builder for Windows software to drop and run payloads, which can avoid detection and maintain compromised system persistence. Masu.”
The starting point of the attack sequence is an executable file (“irsetup.exe”) that acts as a dropper for several files, including lure documents designed to target tie-based users. This implies that the attack may involve using spear phishing emails to single out the victim.
The binary then runs a legitimate electronic arts (EA) application (“OriginLegacycli.exe”) to make an invalid dll named “eacore.dll”, a modified version of the Toneshell backdoor caused by the hacking crew. Sideload.
The core malware function is a check that determines whether two processes associated with the ESET antivirus application (ekrn.exe” or “egui.exe” are running on the compromised host. Then, you can see the “mavinject. exe” to run the malware without flagging it.
“Mavinject.exe, which is capable of proxying malicious code by injecting it into a running process as a means of bypassing ESET detection, is used to inject malicious code,” the researchers say. I’ve explained it. “It is possible that Earth Preta used Mavinject.exe after testing the execution of an attack on a machine using ESET software.”
The malware will ultimately decrypt the embedded shellcode that will allow you to establish a connection with the remote server (“www.militarytc[.]com:443”) Establish a reverse shell, receive commands to move files, and delete files.
“The Earth Preta malware, a Toneshell backdoor variant, employs legitimate electronic arts applications and communicates with command and control servers for data removal,” the researchers said.
Source link
