- Trend Micro has spotted Earth Preta dodging antivirus in a new attack
- The malware's deployment routine checks whether ESET antivirus is installed
- The malware turns to legitimate processes to inject its malicious code
A Chinese hacking group tracked as Earth Preta, also known as Mustang Panda, has been spotted using the Microsoft Application Virtualization Injector (MAVInject) to dodge antivirus software by injecting malware into legitimate processes.
New research from the Trend Micro Threat Hunting team has revealed how the group also used Setup Factory, a third-party Windows installer builder, to drop and execute malicious payloads.
Earth Preta's region of interest is mainly Asia-Pacific, with the group targeting Taiwan, Vietnam and Malaysia in recent attacks.
Dodging antivirus software
The attack begins with Earth Preta spear-phishing a victim and dropping a mixture of legitimate and malicious files into the ProgramData/session directory using IRSetup.exe. Among the legitimate files is an Electronic Arts (EA) application, which is used to load a modified TONESHELL backdoor, eacore.dll.
While this happens, a decoy PDF is opened in the foreground to distract the user from the payload deployment. In the vector the Trend Micro researchers studied, the victim was shown a PDF requesting the user's cooperation in listing phone numbers to be added to an anti-crime platform backed by several law enforcement agencies.
In the background, eacore.dll checks whether two files associated with ESET antivirus are running on the device: EKRN.EXE and EGUI.EXE. If either is detected, eacore.dll executes its DllRegister function by registering itself through regsvr32.exe.
To bypass the antivirus, the malware then uses MAVInject.exe to abuse WaitFor.exe, injecting malicious code into a running process. WaitFor.exe is used to synchronize processes or trigger a specific action after receiving a signal or command, and because it is a legitimate, trusted system process it is generally ignored by antivirus software.
If the ESET files are not detected, an exception handler is triggered, meaning the malicious code is injected directly into WaitFor.exe using the WriteProcessMemory and CreateRemoteThreadEx APIs. Finally, the malware establishes a connection to its command-and-control (C2) server.
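The chain described above leaves a distinctive trail in endpoint telemetry: regsvr32.exe registering a DLL from a user-writable directory, MAVInject.exe pointed at a waitfor.exe process, waitfor.exe spawned from ProgramData, and a remote thread created in waitfor.exe from a non-system image. The following is an added example of detection logic over such events; it is not Trend Micro's code or anything from the report. The event records are constructed here and use Sysmon-style field names (Process Create, event ID 1; CreateRemoteThread, event ID 8), the EA executable name `ea-app.exe` is a placeholder because the article does not name it, and the `/INJECTRUNNING` switch comes from MAVInject's own command-line usage rather than from the article.

```python
"""Flag the regsvr32 / MAVInject / waitfor.exe pattern in process telemetry.

Added example with constructed events; field names follow Sysmon event IDs 1
(Process Create) and 8 (CreateRemoteThread). Not vendor or report code.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample events. "ea-app.exe" is a placeholder for the legitimate
# EA executable, which the article does not name.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120,
     "Image": r"C:\ProgramData\session\ea-app.exe",
     "CommandLine": r"C:\ProgramData\session\ea-app.exe",
     "ParentImage": r"C:\ProgramData\session\IRSetup.exe"},
    {"EventID": 1, "ProcessId": 4188,
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\ProgramData\session\eacore.dll"',
     "ParentImage": r"C:\ProgramData\session\ea-app.exe"},
    {"EventID": 1, "ProcessId": 4204,
     "Image": r"C:\Windows\System32\waitfor.exe",
     "CommandLine": r"waitfor.exe placeholder_signal",
     "ParentImage": r"C:\ProgramData\session\ea-app.exe"},
    {"EventID": 1, "ProcessId": 4230,
     "Image": r"C:\Windows\System32\mavinject.exe",
     "CommandLine": r'mavinject.exe 4204 /INJECTRUNNING "C:\ProgramData\session\eacore.dll"',
     "ParentImage": r"C:\ProgramData\session\ea-app.exe"},
    {"EventID": 8, "TargetProcessId": 4204,
     "SourceImage": r"C:\ProgramData\session\ea-app.exe",
     "TargetImage": r"C:\Windows\System32\waitfor.exe"},
    # Benign noise: a service host and a regsvr32 call from Program Files.
    {"EventID": 1, "ProcessId": 900,
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "ProcessId": 5000,
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\helper.dll"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
]

# Top-level directories a standard user can write to; DLLs loaded from here
# by a trusted Windows binary deserve a look.
USER_WRITABLE = {"programdata", "users", "temp"}
DLL_ARG = re.compile(r'"?([a-z]:\\[^"]+\.dll)"?', re.IGNORECASE)
MAVINJECT_PID = re.compile(r'mavinject\.exe"?\s+(\d+)', re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def in_user_writable(path):
    """True if any path component is one of the user-writable roots."""
    return any(p.lower() in USER_WRITABLE for p in PureWindowsPath(path).parts)


def analyze(events):
    """Return (rule, detail) findings for the sideload-and-inject chain."""
    # Map PIDs to images so a MAVInject target PID can be resolved to a name.
    pid_image = {e["ProcessId"]: e["Image"] for e in events if e.get("EventID") == 1}
    findings = []
    for e in events:
        if e.get("EventID") == 1:
            img, cmd = basename(e["Image"]), e["CommandLine"]
            # Rule 1: regsvr32 registering a DLL that lives in a user-writable path.
            if img == "regsvr32.exe":
                m = DLL_ARG.search(cmd)
                if m and in_user_writable(m.group(1)):
                    findings.append(("regsvr32_userwritable_dll", m.group(1)))
            # Rule 2: waitfor.exe launched by a parent in a user-writable path.
            if img == "waitfor.exe" and in_user_writable(e["ParentImage"]):
                findings.append(("waitfor_from_userwritable_parent", e["ParentImage"]))
            # Rule 3: MAVInject is rare outside App-V; record what it targeted.
            if img == "mavinject.exe":
                m = MAVINJECT_PID.search(cmd)
                target = basename(pid_image.get(int(m.group(1)), "")) if m else ""
                findings.append(("mavinject_injection", target or "unknown"))
        elif e.get("EventID") == 8:
            # Rule 4: remote thread into waitfor.exe from a non-system image,
            # matching the WriteProcessMemory/CreateRemoteThreadEx fallback path.
            if basename(e["TargetImage"]) == "waitfor.exe" and in_user_writable(e["SourceImage"]):
                findings.append(("remote_thread_into_waitfor", e["SourceImage"]))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Run against the constructed batch, the four malicious events each produce one finding and the two benign events produce none; the regsvr32 call from Program Files is deliberately left alone so the rule keys on the DLL's location rather than on regsvr32 itself.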
Due to the similarity of the attack vector to other campaigns observed by Trend Micro, and the observation of the same C2 server in another Earth Preta attack, the researchers attribute this attack to Earth Preta with medium confidence.