- Trend Micro has observed Earth Preta evading antivirus software in a new attack
- The malware deployment checks whether ESET antivirus is installed
- The malware hijacks legitimate processes to inject malicious code
A Chinese hacking group tracked as Earth Preta and Mustang Panda has been seen using the Microsoft Application Virtualization Injector (MAVInject.exe) to evade antivirus software by injecting malicious code into legitimate processes.
A new investigation by Trend Micro's threat hunting team revealed that the group has also been using Setup Factory, a third-party Windows installer builder, to drop and execute malicious payloads.
Earth Preta's targeting centers mainly on the Asia-Pacific region, with the group going after Taiwan, Vietnam and Malaysia in recent attacks.
Evading antivirus software
The attack begins with Earth Preta spear-phishing the victim and dropping a mix of legitimate and malicious files into the ProgramData/session directory. This mix of files includes a legitimate Electronic Arts (EA) application (OriginLegacyCLI.exe) that is used to sideload a modified TONESHELL backdoor, EACore.dll.
While this is happening, a PDF lure is loaded in the foreground to distract the user from the deployment of the payload. In the case studied by Trend Micro researchers, the PDF asked the victim to cooperate by providing a list of telephone numbers to be added to an anti-crime platform backed by multiple law enforcement agencies.
In the background, the EACore.dll file checks whether two processes associated with ESET antivirus are running on the device: ekrn.exe and egui.exe. If either of them is detected, EACore.dll executes its DllRegisterServer function by registering itself through regsvr32.exe.
To evade the antivirus, the malware then uses MAVInject.exe to abuse waitfor.exe, injecting malicious code into the running process. waitfor.exe is normally used to synchronize processes or trigger a specific action after a signal or command is received, so antivirus software ignores it as a legitimate, trusted system process.
If the ESET-associated processes are not detected, an exception handler is triggered instead, which injects the malicious code into waitfor.exe directly using the WriteProcessMemory and CreateRemoteThreadEx APIs. Finally, the malware establishes a connection to a command-and-control (C2) server controlled by the threat actor.
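As an added illustration (not code from Trend Micro's report), the following Python sketch applies three detections derived from the chain described above to constructed process-creation events: the event layout, the sample command lines and the MAVInject /INJECTRUNNING syntax are assumptions made for the sample, not values taken from the page. The direct WriteProcessMemory/CreateRemoteThreadEx path leaves no process-creation trace, so it is out of scope here.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str    # full path of the created process
    parent: str   # image name of the parent process
    cmdline: str


DROP_DIR = "\\programdata\\session\\"   # drop directory named in the report


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule) tuples for events matching the Earth Preta chain."""
    pid_to_image = {e.pid: _basename(e.image) for e in events}
    hits = []
    for e in events:
        name, cl = _basename(e.image), e.cmdline.lower()
        # Rule 1: MAVInject.exe whose PID argument resolves to a waitfor.exe process
        if name == "mavinject.exe":
            for tok in re.findall(r"\b\d+\b", cl):
                if pid_to_image.get(int(tok)) == "waitfor.exe":
                    hits.append((e.pid, "mavinject_into_waitfor"))
        # Rule 2: regsvr32.exe registering a DLL out of the ProgramData\session drop directory
        if name == "regsvr32.exe" and DROP_DIR in cl:
            hits.append((e.pid, "regsvr32_programdata_session"))
        # Rule 3: the EA binary used for sideloading running from the drop directory
        if name == "originlegacycli.exe" and DROP_DIR in e.image.lower():
            hits.append((e.pid, "originlegacycli_from_programdata"))
    return hits


# Constructed sample telemetry modelled on the described chain, plus one benign
# App-V use of mavinject.exe that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(1001, r"C:\ProgramData\session\OriginLegacyCLI.exe", "explorer.exe",
              r"C:\ProgramData\session\OriginLegacyCLI.exe"),
    ProcEvent(1002, r"C:\Windows\System32\regsvr32.exe", "OriginLegacyCLI.exe",
              r"regsvr32.exe /s C:\ProgramData\session\EACore.dll"),
    ProcEvent(1003, r"C:\Windows\System32\waitfor.exe", "OriginLegacyCLI.exe", "waitfor.exe signal"),
    ProcEvent(1004, r"C:\Windows\System32\mavinject.exe", "OriginLegacyCLI.exe",
              r"mavinject.exe 1003 /INJECTRUNNING C:\ProgramData\session\EACore.dll"),
    ProcEvent(2200, r"C:\Program Files\App\app.exe", "explorer.exe", "app.exe"),
    ProcEvent(2201, r"C:\Windows\System32\mavinject.exe", "AppVClient.exe",
              r"mavinject.exe 2200 /INJECTRUNNING C:\Program Files\App\hook.dll"),
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```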
Because the attack vector resembles other campaigns observed by Trend Micro, and the same C2 server was seen in another Earth Preta attack, the researchers attribute this attack to Earth Preta with medium confidence.