Earth Preta’s Latest Tactics: MAVInject Abuse for Evasion

By Samarth Desai, 2/19/2025
#MalwareEvasion
#CyberEspionage
#RedTeamOps

Trend Micro has analyzed recent activity by Mustang Panda, also known as Earth Preta (which we refer to as Horned Werewolf). Their analysis shows the adversary abusing Mavinject.exe, the signed Microsoft Application Virtualization (App-V) injector that ships with Windows, to inject malicious code into a running process in an attempt to bypass ESET's detection. The evasion value is that the remote-memory write and thread creation are performed by a trusted, Microsoft-signed process rather than by the malware itself, which is why MITRE ATT&CK tracks the binary under System Binary Proxy Execution (T1218.013). Specifically, the threat actors invoked Mavinject.exe with the /INJECTRUNNING parameter, passing the target process ID followed by the path of the malicious DLL, like so: "C:\Windows\SysWOW64\Mavinject.exe" 5928 /INJECTRUNNING "C:\Users\User\Desktop.dll".

The group abuses MAVInject.exe to inject its payloads into waitfor.exe or werfault.exe, and uses Setup Factory, a legitimate installer builder, to drop and execute those payloads. Taken together, this attack chain shows how much effort the group puts into developing and refining its evasion techniques.

The use of legitimate applications like Setup Factory and OriginLegacyCLI.exe (a legitimate Electronic Arts binary) further complicates detection: the individual files are signed or otherwise benign, and only the way they are combined is malicious. Organizations should strengthen their monitoring of behaviour inside legitimate processes and executables rather than relying on file-based indicators. Mavinject.exe launched with /INJECTRUNNING on a host with no App-V deployment, a DLL path under a user-writable directory, a parent process that is not the App-V client, or a target such as waitfor.exe that has no legitimate reason to be injected into are all signals worth alerting on, and are what will keep defenders ahead of the evolving tactics of APT groups like Earth Preta.
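The following detection logic is an added example, not code from the original post or from Trend Micro's report. It runs over constructed process-creation records shaped like Sysmon Event ID 1 (ProcessId, Image, CommandLine, ParentImage), parses the `<PID> /INJECTRUNNING <DLL>` form described above, resolves the target PID to its image name, and flags the launch when the target is one of the processes named in the reporting, the DLL lives outside the App-V client directory, or the parent is not the App-V client. The App-V directory and parent allowlist are assumptions about a typical deployment and must be tuned to your environment; the sample events, including the benign App-V one, are constructed.

```python
"""Flag abuse of mavinject.exe /INJECTRUNNING in process-creation telemetry.

Added example (not from the original post or Trend Micro's report). Assumes
Sysmon Event ID 1-like records flattened to dicts; sample events are constructed.
"""
import ntpath
import shlex
from dataclasses import dataclass, field

# Assumed baseline for legitimate use: the App-V client injecting its own
# subsystem DLLs into virtualized applications. Tune to your environment.
APPV_CLIENT_DIR = r"c:\program files\microsoft application virtualization\client"
APPV_PARENTS = {"appvclient.exe"}
# Injection targets named in the Earth Preta reporting summarized above.
REPORTED_TARGETS = {"waitfor.exe", "werfault.exe"}

# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    {"ProcessId": 5928, "Image": r"C:\Windows\System32\waitfor.exe",
     "CommandLine": "waitfor.exe /t 300 sig",
     "ParentImage": r"C:\Users\User\Desktop\OriginLegacyCLI.exe"},
    {"ProcessId": 6120, "Image": r"C:\Windows\SysWOW64\Mavinject.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\Mavinject.exe" 5928 /INJECTRUNNING "C:\Users\User\Desktop\payload.dll"',
     "ParentImage": r"C:\Users\User\Desktop\OriginLegacyCLI.exe"},
    {"ProcessId": 6200, "Image": r"C:\Windows\System32\mavinject.exe",
     "CommandLine": r'"C:\Windows\System32\mavinject.exe" 8812 /INJECTRUNNING "C:\Users\Public\update.dll"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 4100, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # Assumed-benign App-V activity: client injecting its own DLL into Excel.
    {"ProcessId": 7000, "Image": r"C:\Windows\System32\mavinject.exe",
     "CommandLine": r'"C:\Windows\System32\mavinject.exe" 4100 /INJECTRUNNING "C:\Program Files\Microsoft Application Virtualization\Client\AppVEntSubsystems32.dll"',
     "ParentImage": r"C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe"},
]


@dataclass
class Finding:
    injector_pid: int
    target_pid: int
    target_image: str          # "<unknown>" when no creation event for that PID was seen
    dll: str
    reasons: list = field(default_factory=list)


def _basename(path):
    return ntpath.basename(path.strip('"')).lower()


def parse_injectrunning(cmdline):
    """Return (target_pid, dll_path) for `mavinject.exe <PID> /INJECTRUNNING <DLL>`, else None."""
    # posix=False keeps Windows backslashes intact and quotes paths as single tokens.
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    for i, tok in enumerate(tokens):
        if tok.upper() == "/INJECTRUNNING" and 0 < i < len(tokens) - 1 and tokens[i - 1].isdigit():
            return int(tokens[i - 1]), tokens[i + 1]
    return None


def detect_mavinject_abuse(events):
    """Return a Finding for every mavinject.exe launch that looks out of place."""
    # Caveat: PIDs are reused. A production pipeline should key on ProcessGuid
    # and respect event ordering; a plain PID map is enough for this example.
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        if _basename(e["Image"]) != "mavinject.exe":
            continue
        parsed = parse_injectrunning(e["CommandLine"])
        if parsed is None:
            continue
        target_pid, dll = parsed
        target = by_pid.get(target_pid)
        target_image = _basename(target["Image"]) if target else "<unknown>"

        reasons = []
        if target_image in REPORTED_TARGETS:
            reasons.append(f"injects into {target_image}, a target named in the Earth Preta reporting")
        if target is None:
            reasons.append("target PID has no process-creation event in this window")
        if not dll.lower().startswith(APPV_CLIENT_DIR):
            reasons.append("DLL is not under the App-V client directory")
        if _basename(e["ParentImage"]) not in APPV_PARENTS:
            reasons.append("parent process is not the App-V client")
        if reasons:
            findings.append(Finding(e["ProcessId"], target_pid, target_image, dll, reasons))
    return findings


if __name__ == "__main__":
    for f in detect_mavinject_abuse(SAMPLE_EVENTS):
        print(f"mavinject pid={f.injector_pid} -> {f.target_image} (pid {f.target_pid}) dll={f.dll}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample data the two Earth Preta-style launches are flagged (the waitfor.exe injection from OriginLegacyCLI.exe, and a user-path DLL pushed into an untracked PID from cmd.exe) while the App-V client's own injection into Excel produces no reasons and is left alone. On hosts that do not run App-V at all, the simplest rule is stricter still: any mavinject.exe execution is worth an alert.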
