
The advanced persistent threat (APT) group Earth Preta, also known as Mustang Panda, has refined its evasion techniques by combining legitimate software with malicious components. Researchers from Trend Micro’s Threat Hunting team detailed how the group leverages MAVInject.exe and Setup Factory to deploy payloads while bypassing security measures.
Key Insights for Security Leaders
Earth Preta’s latest campaign demonstrates a sophisticated blend of living-off-the-land binaries (LOLBins) and commercial tools to maintain persistence. The group primarily targets government entities in the Asia-Pacific region, including Taiwan, Vietnam, and Malaysia. Their tactics include injecting payloads into waitfor.exe using Microsoft’s MAVInject when ESET antivirus is detected, and using Setup Factory to drop malware disguised as legitimate EA software (OriginLegacyCLI.exe).
Additional evasion techniques involve executing a fake PDF targeting Thai users to distract victims during deployment. Command-and-control (C2) communication is established via a modified TONESHELL backdoor, connecting to www[.]militarytc[.]com:443 for data exfiltration.
Technical Breakdown
Attack Chain Overview
The attack begins with spear-phishing delivering IRSetup.exe, which drops files to ProgramData\session. A fraudulent PDF mimicking a Thai government anti-crime initiative is executed as a decoy. Legitimate EA binaries (OriginLegacyCLI.exe) are then abused to sideload the malicious EACore.dll.
Evasion Techniques
Earth Preta uses Mavinject.exe to inject payloads into running processes when ESET antivirus is detected. If ESET processes (ekrn.exe, egui.exe) are not present, direct injection occurs via the WriteProcessMemory and CreateRemoteThreadEx APIs. Victim IDs are stored in current_directory\CompressShaders for reuse in subsequent attacks.
C2 Protocol Analysis
The malware decrypts shellcode to communicate with its server. Handshake packets include a magic byte sequence (17 03 03), the payload size, and a victim GUID generated via CoCreateGuid. Command codes (4–19) enable functionalities such as reverse shells, file deletion, and lateral movement.
Actionable Recommendations
For Red Teams
Test detection for MAVInject abuse and sideloading via EA software. Simulate Earth Preta’s tactics to evaluate defensive gaps in behavioral monitoring.
For Blue Teams
Hunt for waitfor.exe spawning from ProgramData\session or unusual regsvr32.exe calls. Monitor for C2 traffic to militarytc[.]com or GUID-based artifacts in CompressShaders.
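The blue-team hunt above expressed as detection logic, as an added example that is not part of the Trend Micro report: it runs the three rules (LOLBin spawned from the ProgramData\session staging directory, unusual regsvr32.exe parent, and connections to the militarytc[.]com C2 domain) over constructed Sysmon-style process-creation and network-connection records. The record layout and the "parent in staging directory" heuristic are assumptions made for this example.

```python
import os
import re

# Constructed sample records in a simplified Sysmon shape (id 1 = process
# creation, id 3 = network connection). These are not telemetry from the
# report; they illustrate the hunt rules only.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\waitfor.exe",
     "parent": r"C:\ProgramData\session\OriginLegacyCLI.exe"},
    {"id": 1, "image": r"C:\Windows\System32\mavinject.exe",
     "parent": r"C:\ProgramData\session\OriginLegacyCLI.exe"},
    {"id": 1, "image": r"C:\Windows\System32\waitfor.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},            # benign baseline
    {"id": 3, "image": r"C:\Windows\System32\waitfor.exe",
     "dest": "www.militarytc.com:443"},
    {"id": 3, "image": r"C:\Program Files\Browser\browser.exe",
     "dest": "example.org:443"},                             # benign baseline
    {"id": 1, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\ProgramData\session\IRSetup.exe"},
]

# Staging directory named in the report; matching is case-insensitive because
# Windows paths are.
STAGING_DIR = re.compile(r"\\ProgramData\\session\\", re.IGNORECASE)
# LOLBins the report describes being abused in this campaign.
ABUSED_LOLBINS = {"waitfor.exe", "mavinject.exe", "regsvr32.exe"}
C2_DOMAIN = "militarytc.com"  # defanged in the report as militarytc[.]com


def hunt(events):
    """Return (index, reason) for each record that matches an Earth Preta hunt rule."""
    hits = []
    for i, ev in enumerate(events):
        image = os.path.basename(ev["image"].replace("\\", "/")).lower()
        if ev["id"] == 1:
            # Rule 1/2: waitfor.exe, mavinject.exe or regsvr32.exe whose parent
            # lives in the ProgramData\session staging directory.
            if image in ABUSED_LOLBINS and STAGING_DIR.search(ev["parent"]):
                hits.append((i, f"{image} spawned from ProgramData\\session"))
        elif ev["id"] == 3:
            # Rule 3: any process connecting to the reported C2 domain or a subdomain.
            host = ev["dest"].rsplit(":", 1)[0].lower()
            if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
                hits.append((i, f"{image} connected to Earth Preta C2 domain {host}"))
    return hits


if __name__ == "__main__":
    for index, reason in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {reason}")
```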
Mitigation Steps
- Application Control: Block execution of MAVInject.exe and Setup Factory in untrusted paths.
- Memory Monitoring: Flag waitfor.exe with unexpected memory regions.
- Network Rules: Deny outbound connections to known Earth Preta domains.
Conclusion
Earth Preta’s blending of legitimate tools with malicious payloads underscores the need for behavioral analysis alongside signature-based detection. Organizations should prioritize monitoring LOLBins and unusual process interactions, particularly in high-risk sectors like government and critical infrastructure.
For further analysis, refer to Trend Micro’s full report.
References
- [1] Nathaniel Morales and Nick Dai, “Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection.” Trend Micro, 18 Feb 2025.
- [2] “IBM X-Force OSINT Advisory Earth Preta Mixes Legitimate and Malicious Components.” IBM X-Force, 18 Feb 2025.
- [3] “Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection.” Vulners, 17 Feb 2025.