
Chinese hackers evade ESET with MAVInject.exe


Chinese hackers from the Earth Preta group have been caught using a new technique to avoid detection by antivirus software. The group uses a legitimate Microsoft tool called MAVInject.exe to inject malicious code into a process called “waitfor.exe” when it detects ESET antivirus running on a computer. The attack starts with a file called “IRSetup.exe” that drops several files, including a fake PDF document to distract the victim.

It then runs a real Electronic Arts program called “OriginLegacyCLI.exe” to load a malicious DLL file named “EACore.dll”. This DLL is a modified version of malware linked to Earth Preta. The malware checks if the ESET antivirus processes “ekrn.exe” or “egui.exe” are running.

If so, it uses “waitfor.exe” and “MAVInject.exe” to run the malicious code without being detected. “Waitfor.exe” is a legitimate Windows utility that synchronizes processes between networked computers.

Hackers evade antivirus with MAVInject.exe

“MAVInject.exe” is used to inject the malicious code into the running “waitfor.exe” process, which is how the attackers attempt to bypass ESET detection. The final payload allows the hackers to connect to a remote server at “www.militarytc[.]com:443” to receive commands. These commands can set up a reverse shell, move files, and delete files on the infected computer.
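The process chain described above (OriginLegacyCLI.exe side-loading EACore.dll, then MAVInject.exe injecting into waitfor.exe) lends itself to endpoint detection. The following is an added example, not code from the report or this article: a small Python detector run over constructed Sysmon-style process-creation and image-load events. The event field names and the trusted-directory list are assumptions.

```python
import re
from typing import Iterable

# Constructed sample telemetry (Sysmon-style events), not real logs from the
# report. Field names ("type", "pid", "image", "cmd", "module") are assumptions.
EVENTS = [
    {"type": "proc", "pid": 4120, "image": r"C:\Users\v\AppData\Local\Temp\IRSetup.exe",
     "cmd": "IRSetup.exe"},
    {"type": "proc", "pid": 4188, "image": r"C:\Users\v\AppData\Local\Temp\OriginLegacyCLI.exe",
     "cmd": "OriginLegacyCLI.exe"},
    {"type": "load", "pid": 4188, "image": r"C:\Users\v\AppData\Local\Temp\OriginLegacyCLI.exe",
     "module": r"C:\Users\v\AppData\Local\Temp\EACore.dll"},
    {"type": "proc", "pid": 4210, "image": r"C:\Windows\System32\waitfor.exe",
     "cmd": "waitfor.exe sig1"},
    {"type": "proc", "pid": 4230, "image": r"C:\Windows\System32\mavinject.exe",
     "cmd": r"mavinject.exe 4210 /INJECTRUNNING C:\Users\v\AppData\Local\Temp\EACore.dll"},
    {"type": "proc", "pid": 4300, "image": r"C:\Windows\System32\waitfor.exe",
     "cmd": "waitfor.exe /s host01 buildready"},  # benign use of waitfor.exe, must not alert
]

# Assumed locations where the legitimate EA binary and its DLLs would live.
TRUSTED_DIRS = (r"c:\program files", r"c:\program files (x86)")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: Iterable[dict]) -> list[str]:
    """Return one alert string per suspicious event; an empty list when clean."""
    pid_image = {}  # pid -> image basename, built from process-creation events
    alerts = []
    for ev in events:
        if ev["type"] == "proc":
            pid_image[ev["pid"]] = basename(ev["image"])
            if basename(ev["image"]) == "mavinject.exe":
                # MAVInject takes the target PID as its first argument; resolve it
                # to a process name so the alert says what was injected into.
                m = re.match(r"\S+\s+(\d+)", ev["cmd"])
                target = pid_image.get(int(m.group(1))) if m else None
                alerts.append(f"pid {ev['pid']}: mavinject.exe targeting "
                              f"{target or 'unknown'} (LOLBin injection)")
        elif ev["type"] == "load":
            # Side-loading: the EA binary loads EACore.dll from an untrusted path.
            if (basename(ev["image"]) == "originlegacycli.exe"
                    and basename(ev["module"]) == "eacore.dll"
                    and not ev["module"].lower().startswith(TRUSTED_DIRS)):
                alerts.append(f"pid {ev['pid']}: OriginLegacyCLI.exe side-loaded "
                              f"EACore.dll from {ev['module']}")
    return alerts
```

Running `detect(EVENTS)` yields two alerts, one for the side-load and one for the injection into waitfor.exe, while the benign waitfor.exe invocation stays silent.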

ESET responded to the report, saying they have been protecting against this technique for years and that it is not a bypass of their antivirus. They said the specific malware sample was already detected by their software since January. ESET attributed the malware to a China-aligned group they call CeranaKeeper.

Other research found links between attacks in Southeast Asia and a modular malware called Bookworm. Attacks in Myanmar used DLL side-loading to deploy a downloader that fetches a second payload. Code similarities suggest Bookworm and the TONESHELL backdoor used by Earth Preta may have been made by the same developer.

Image Credits: Photo by Azamat E on Unsplash
