Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection www.trendmicro.com/en_us/res…

Trend Micro’s Threat Hunting team has come across a new technique employed by Earth Preta, also known as Mustang Panda. Earth Preta’s attacks are known to focus on the Asia-Pacific region; more recently, one campaign used a variant of the DOPLUGS malware to target Taiwan, Vietnam, and Malaysia, among other countries. The group, which favors phishing in its campaigns and tends to target government entities, has had over 200 victims since 2022.

This advanced persistent threat (APT) group has been observed leveraging the Microsoft Application Virtualization Injector (MAVInject.exe), a Windows utility that can inject code into external processes. When an ESET antivirus application is detected running, it uses MAVInject.exe to inject Earth Preta’s payload into waitfor.exe, a Windows utility used for sending or waiting for signals between networked computers. Additionally, Earth Preta uses Setup Factory, an installer builder for Windows software, to drop and execute the payload; this lets the group evade detection and maintain persistence on compromised systems.
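Because both binaries are signed Microsoft components, the detection opportunity lies in how they are combined: MAVInject.exe launched with an injection switch, the target PID resolving to waitfor.exe, and an installer as the parent. The following Python script is an added illustration of that correlation over process-creation telemetry; it is not code from Trend Micro or from the report. It assumes Sysmon-style field names (Image, CommandLine, ParentImage, ProcessId) flattened to key=value lines, uses MAVInject's `/INJECTRUNNING` switch (a documented switch of that utility, not mentioned in the text above), and runs over constructed sample events; the user-writable directory list is a heuristic chosen for the example.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation (Event ID 1) records flattened to
# key=value pairs. Sample data written for this example, not from the report.
SAMPLE_EVENTS = [
    'EventID=1 ProcessId=4312 Image="C:\\Windows\\System32\\waitfor.exe" '
    'CommandLine="waitfor.exe /t 600 sig" '
    'ParentImage="C:\\Users\\u\\AppData\\Local\\Temp\\setup.exe"',
    'EventID=1 ProcessId=4400 Image="C:\\Windows\\System32\\mavinject.exe" '
    'CommandLine="mavinject.exe 4312 /INJECTRUNNING C:\\Users\\u\\AppData\\Local\\Temp\\payload.dll" '
    'ParentImage="C:\\Users\\u\\AppData\\Local\\Temp\\setup.exe"',
    'EventID=1 ProcessId=5100 Image="C:\\Windows\\System32\\notepad.exe" '
    'CommandLine="notepad.exe" ParentImage="C:\\Windows\\explorer.exe"',
    'EventID=1 ProcessId=5200 Image="C:\\Windows\\System32\\mavinject.exe" '
    'CommandLine="mavinject.exe 5100 /INJECTRUNNING C:\\Program Files\\Vendor\\hook.dll" '
    'ParentImage="C:\\Program Files\\Vendor\\deploy.exe"',
    'EventID=1 ProcessId=5300 Image="C:\\Windows\\System32\\mavinject.exe" '
    'CommandLine="mavinject.exe /?" ParentImage="C:\\Windows\\System32\\cmd.exe"',
]

# key=value where the value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# "<pid> /INJECTRUNNING <dll path>" as MAVInject expects it on the command line.
INJECT_RE = re.compile(r'\b(\d+)\s+/INJECTRUNNING\s+(.+)$', re.IGNORECASE)
# Heuristic (assumption for this example): directories an installer can write
# to without elevation; a DLL injected from here deserves a closer look.
USER_WRITABLE = ('\\appdata\\local\\temp\\', '\\programdata\\', '\\users\\public\\')


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {k: (q if q else u) for k, q, u in KV_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (either separator accepted)."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def detect_mavinject_abuse(lines: List[str]) -> List[dict]:
    """Flag mavinject.exe /INJECTRUNNING and resolve its target PID to an image.

    The PID on the command line is matched against earlier process-creation
    events, so events must be fed in chronological order.
    """
    pid_to_image: Dict[str, str] = {}
    alerts: List[dict] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get('EventID') != '1':
            continue
        image = basename(ev.get('Image', ''))
        pid_to_image[ev.get('ProcessId', '')] = image
        if image != 'mavinject.exe':
            continue
        m = INJECT_RE.search(ev.get('CommandLine', ''))
        if not m:
            continue  # e.g. "mavinject.exe /?" is not an injection attempt
        target_pid, dll = m.group(1), m.group(2).strip()
        target_image = pid_to_image.get(target_pid, 'unknown')
        reasons = ['mavinject.exe invoked with /INJECTRUNNING (expected only for App-V)']
        severity = 'medium'
        if target_image == 'waitfor.exe':
            severity = 'high'
            reasons.append('injection target is waitfor.exe')
        if any(d in dll.lower() for d in USER_WRITABLE):
            severity = 'high'
            reasons.append('injected DLL lives in a user-writable directory')
        alerts.append({
            'severity': severity,
            'target_pid': target_pid,
            'target_image': target_image,
            'dll': dll,
            'parent': ev.get('ParentImage', ''),
            'reasons': reasons,
        })
    return alerts


if __name__ == '__main__':
    for alert in detect_mavinject_abuse(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the first MAVInject launch is rated high (target resolves to waitfor.exe and the DLL sits under a Temp directory, with the installer recorded as parent for the analyst), the second is rated medium (a non-waitfor target and a DLL under Program Files), and the bare `/?` invocation produces nothing. In production the same logic belongs in a SIEM or EDR rule; the PID lookup is the part that tends to be missing from command-line-only rules.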
