Full Report
The Chinese state-sponsored threat actor known as Mustang Panda has been observed employing a novel technique to evade detection and maintain control over infected systems. This involves the use of a legitimate Microsoft Windows utility called Microsoft Application Virtualization Injector (MAVInject.exe) to inject the threat actor's malicious payload into an external process, waitfor.exe,
Analysis Summary
# Threat Actor: Mustang Panda (also referred to as Earth Preta)
## Attribution & Identity
* **Attribution:** Chinese state-sponsored threat actor.
* **Aliases/Associated Groups:** Earth Preta.
## Activity Summary
Mustang Panda has been observed conducting targeted cyber espionage operations using novel evasion techniques. The activity involves deploying a decoy PDF to distract the victim and using a commercial installer builder (Setup Factory) to drop and execute payloads while maintaining persistence. The attacks appear to have been initiated via spear-phishing emails targeting users in Thailand. The ultimate goal is likely cyber espionage and data exfiltration.
## Tactics, Techniques & Procedures
* **Initial Access/Execution:** Uses an executable (`IRSetup.exe`) as a dropper.
* **Defense Evasion (Code Execution):** Utilizes a legitimate Electronic Arts (EA) application (`OriginLegacyCLI.exe`) to sideload a malicious DLL (`EACore.dll`).
* **Defense Evasion (AV Evasion):** If ESET antivirus processes (`ekrn.exe` or `egui.exe`) are found running, the loader launches the native Windows utility `waitfor.exe` and then abuses **MAVInject.exe**, a legitimate Microsoft utility, to inject the malicious payload into that `waitfor.exe` process. Routing the injection through a signed Microsoft binary is what lets the chain bypass ESET detection.
* **Backdoor Use:** Deploys a modified version of the **TONESHELL** backdoor.
* **Persistence:** Achieved through the Setup Factory-built dropper and the DLL sideloading chain it establishes.
* **C2 Communication:** The payload decrypts embedded shellcode that connects to the C2 server, receives commands (reverse shell, file move, file delete) and exfiltrates data.
## Targeting
* **Sectors:** Not stated in the report; targeting is defined by the spear-phishing lures rather than by a named industry.
* **Geography:** Thailand-based users were specifically mentioned as targets in the analyzed attack sequence.
* **Victims:** Specific organizations are not named, but the lures suggest targeting entities connected to Thai interests.
## Tools & Infrastructure
* **Malware Families Used:** TONESHELL backdoor (modified variant).
* **Legitimate Tools Abused:** Microsoft Application Virtualization Injector (`MAVInject.exe`), `waitfor.exe`, `OriginLegacyCLI.exe` (EA application).
* **Installer Builder:** Setup Factory.
* **Infrastructure (C2):** `www[.]militarytc[.]com:443`
## Implications
This actor demonstrates a high level of sophistication, specifically adapting malware deployment and execution based on the presence of particular security software (ESET). Blending legitimate utilities (`MAVInject.exe`, `waitfor.exe`) with a commercial installer builder (Setup Factory) used as the dropper severely complicates signature-based detection and forensic analysis, indicating a focus on long-term espionage within targeted environments.
## Mitigations
* Monitor for process injection into `waitfor.exe` and for DLLs loaded from unexpected paths beside legitimate executables, particularly `EACore.dll` loaded by `OriginLegacyCLI.exe`, and for installers such as `IRSetup.exe` spawning that EA binary.
* Restrict execution of `MAVInject.exe` with application control; it has no legitimate role outside Microsoft Application Virtualization (App-V), so any invocation on a host that does not use App-V, or one whose injection target is not an App-V client process, should raise an alert.
* Monitor for network connections originating from processes associated with TONESHELL or similar backdoors, particularly connections to known/suspicious infrastructure like `www[.]militarytc[.]com`.
* Keep ESET signatures and modules current, but note that this chain was built specifically to evade ESET. EDR telemetry that records process creation, command lines and image loads is needed to catch the injection and shellcode execution phase regardless of AV vendor.
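The following hunt is an added example, not code from the original report or from any vendor. It applies the indicators from the Tactics section and the first two mitigations to constructed, simplified process-creation and image-load records (one JSON object per line, mirroring Sysmon event IDs 1 and 7). The field names, the log layout and every sample event are assumptions that would need mapping onto a real EDR or Sysmon schema; the `MAVInject.exe <PID> /INJECTRUNNING <DLL>` form is the utility's documented injection syntax, and the `/INJECTRUNNING` target is resolved back to a process name so that injection into `waitfor.exe` is scored higher than any other target.

```python
"""Hunt for the MAVInject -> waitfor.exe injection and the
OriginLegacyCLI.exe -> EACore.dll sideload in process telemetry.

Added example; not the report's or any vendor's code. Log format and
field names are assumptions; SAMPLE_LOG is constructed, not victim data.
"""
import json
import re

# Constructed sample telemetry. event 1 = process creation, 7 = image load.
# The last two records are a benign-looking App-V style injection into
# WINWORD.EXE, included so the target-based scoring has something to rank.
SAMPLE_LOG = r"""
{"event": 1, "pid": 4120, "ppid": 3900, "image": "C:\\Users\\victim\\Downloads\\IRSetup.exe", "cmdline": "IRSetup.exe"}
{"event": 1, "pid": 4188, "ppid": 4120, "image": "C:\\ProgramData\\session\\OriginLegacyCLI.exe", "cmdline": "OriginLegacyCLI.exe"}
{"event": 7, "pid": 4188, "image": "C:\\ProgramData\\session\\OriginLegacyCLI.exe", "loaded": "C:\\ProgramData\\session\\EACore.dll", "signed": false}
{"event": 1, "pid": 4212, "ppid": 4188, "image": "C:\\Windows\\System32\\waitfor.exe", "cmdline": "waitfor.exe signal_name"}
{"event": 1, "pid": 4230, "ppid": 4188, "image": "C:\\Windows\\System32\\MAVInject.exe", "cmdline": "MAVInject.exe 4212 /INJECTRUNNING C:\\ProgramData\\session\\EACore.dll"}
{"event": 1, "pid": 5002, "ppid": 1100, "image": "C:\\Windows\\System32\\MAVInject.exe", "cmdline": "MAVInject.exe 5000 /INJECTRUNNING C:\\Program Files\\AppV\\subsystem.dll"}
{"event": 1, "pid": 5000, "ppid": 1100, "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "cmdline": "WINWORD.EXE"}
"""

# MAVInject's documented injection form: <PID> /INJECTRUNNING <DLL path>.
MAVINJECT_RE = re.compile(r"mavinject\.exe\s+(\d+)\s+/INJECTRUNNING\s+(.+)$", re.IGNORECASE)

# Directories from which the EA binary would plausibly load its own DLLs.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def parse(log_text):
    """Parse JSON-lines telemetry into a list of dicts."""
    return [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name of a Windows path ('' for empty input)."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return findings as (severity, rule, pid, detail) tuples.

    Two passes: first map pid -> image so an injection target can be
    resolved even if its creation event is logged later (pid reuse over
    a long window would need a start-time check; omitted here).
    """
    images = {e["pid"]: e["image"] for e in events if e["event"] == 1}
    findings = []
    for e in events:
        if e["event"] == 1:
            name = basename(e["image"])
            parent = basename(images.get(e["ppid"], ""))
            m = MAVINJECT_RE.search(e["cmdline"])
            if name == "mavinject.exe" and m:
                target_pid, dll = int(m.group(1)), m.group(2).strip()
                target = basename(images.get(target_pid, "<unknown>"))
                # Injection into waitfor.exe is the reported chain; any other
                # MAVInject use is still worth review on non-App-V hosts.
                sev = "high" if target == "waitfor.exe" else "medium"
                findings.append((sev, "mavinject_injectrunning", e["pid"],
                                 f"target={target} dll={dll}"))
            if name == "originlegacycli.exe" and parent == "irsetup.exe":
                findings.append(("medium", "installer_spawns_origin_cli",
                                 e["pid"], f"parent={parent}"))
        elif e["event"] == 7:
            loaded = e["loaded"]
            if basename(e["image"]) == "originlegacycli.exe" and basename(loaded) == "eacore.dll":
                # Sideload indicator: EACore.dll from outside the product
                # directories, or an unsigned copy of it.
                if not loaded.lower().startswith(TRUSTED_DIRS) or not e.get("signed", False):
                    findings.append(("high", "eacore_sideload", e["pid"],
                                     f"dll={loaded} signed={e.get('signed')}"))
    return findings


if __name__ == "__main__":
    for sev, rule, pid, detail in hunt(parse(SAMPLE_LOG)):
        print(f"[{sev}] {rule} pid={pid} {detail}")
```

Run against the constructed sample, the hunt returns four findings: the high-severity `waitfor.exe` injection, the high-severity `EACore.dll` sideload from `C:\ProgramData`, the medium-severity installer-to-EA-binary parent chain, and a medium-severity note for the other MAVInject call so an analyst can confirm whether the host actually uses App-V.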