Ethical Hacking News
Chinese hackers abuse Microsoft's App-V tool to evade antivirus detection, injecting malware into legitimate processes via a vulnerability in the Application Virtualization (App-V) utility. This allows them to bypass traditional antivirus software and maintain undetected access to compromised systems.
The Chinese threat group known as "Mustang Panda" has been exploiting a vulnerability in Microsoft's Application Virtualization (App-V) tool to inject malicious payloads into legitimate processes. The malware is distributed through spear-phishing emails that appear to come from government agencies or NGOs. The abuse of App-V starts with the Microsoft Application Virtualization Injector utility, which can be abused as a LOLBIN. The malware is injected into the 'waitfor.exe' process, a legitimate Windows utility, to evade detection by antivirus software. The malware connects to a command and control server, sends system info and a victim ID, and provides attackers with a reverse shell for remote command execution.
Chinese hackers have been exploiting a vulnerability in Microsoft's Application Virtualization (App-V) tool, abusing it as a LOLBIN to inject malicious payloads into legitimate processes and evade detection by antivirus software. The threat group, known as "Mustang Panda," has been tracked by threat researchers at Trend Micro since 2022, and their targeting scope includes government entities in the Asia-Pacific region.
The infection vectors used by Mustang Panda are primarily spear-phishing emails that appear to come from government agencies, NGOs, think tanks, or law enforcement. These emails carry a malicious attachment holding the dropper file (IRSetup.exe), which, when executed by the victim, drops multiple files into C:\ProgramData\session, including legitimate files, malware components, and a decoy PDF that serves as a diversion.
The abuse of Microsoft App-V starts with the Microsoft Application Virtualization Injector utility, a legitimate Windows system tool that can inject code into running processes. However, cybersecurity firm FourCore reported in 2022 that this executable could be abused as a LOLBIN, warning that it should be blocked on devices not utilizing App-V.
Mustang Panda exploits this vulnerability by injecting malicious payloads into 'waitfor.exe,' a legitimate Windows utility that comes pre-installed in Windows operating systems. The legitimate function of waitfor.exe is to synchronize processes across multiple machines by waiting for a signal or command before executing a specific action. Because waitfor.exe is a trusted system process, the malware injected into it passes as a normal Windows process, so ESET and potentially other antivirus tools do not flag the malware's execution.
The malware injected into waitfor.exe is a modified version of the TONESHELL backdoor, which comes hidden inside a DLL file (EACore.dll). Once running, the malware connects to its command and control server at militarytc[.]com:443, and sends system info and victim ID. The malware also provides attackers with a reverse shell for remote command execution and file operations, such as move and delete.
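The chain described above (dropper staging files in C:\ProgramData\session, the App-V injector loading a DLL into waitfor.exe, and waitfor.exe then talking to militarytc[.]com:443) leaves a small set of host-telemetry signals a defender can key on. The following is an added example, not code from the article or from Trend Micro, that runs simple triage rules over constructed, Sysmon-style process-create, network-connect and file-create records. The C2 host, drop directory and file names are the article's indicators; the injector's image name (mavinject.exe) and its /INJECTRUNNING switch are assumptions the article does not state, and the event field names are a simplified convention rather than any product's schema.

```python
"""Triage rules for the App-V injector / waitfor.exe abuse chain.

Runs over constructed, simplified event records shaped loosely like Sysmon
process-create, network-connect and file-create events. Indicators come from
the article; the injector image name and switch are assumptions.
"""
from __future__ import annotations

# Indicators quoted in the article
C2_HOST = "militarytc.com"            # article gives it defanged as militarytc[.]com:443
C2_PORT = 443
DROP_DIR = r"c:\programdata\session"  # dropper staging directory
DROPPED_FILES = {"irsetup.exe", "eacore.dll"}
# Assumption (not stated in the article): the App-V Injector utility's image
# name and the command-line switch that injects a DLL into a running process.
INJECTOR_IMAGE = "mavinject.exe"
INJECT_SWITCH = "/injectrunning"


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_event(ev: dict) -> list[str]:
    """Return the names of every rule the event trips (empty list if clean)."""
    hits: list[str] = []
    kind = ev.get("EventType")
    image = _basename(ev.get("Image", ""))
    if kind == "ProcessCreate":
        cmd = ev.get("CommandLine", "").lower()
        # Rule 1: App-V injector asked to inject a DLL into a running process;
        # escalate when the DLL comes from the dropper's staging directory.
        if image == INJECTOR_IMAGE and INJECT_SWITCH in cmd:
            hits.append("appv_injector_injectrunning")
            if DROP_DIR in cmd:
                hits.append("appv_injector_dll_from_drop_dir")
        # Rule 2: anything executing out of the staging directory.
        if DROP_DIR in ev.get("Image", "").lower():
            hits.append("exec_from_programdata_session")
        # Rule 3: waitfor.exe started by a binary in the staging directory.
        if image == "waitfor.exe" and DROP_DIR in ev.get("ParentImage", "").lower():
            hits.append("waitfor_spawned_from_drop_dir")
    elif kind == "NetworkConnect":
        host = ev.get("DestinationHostname", "").lower().replace("[.]", ".")
        port = int(ev.get("DestinationPort", 0))
        # Rule 4: the known C2 endpoint, whichever process reaches it.
        if host == C2_HOST and port == C2_PORT:
            hits.append("c2_militarytc_443")
        # Rule 5: waitfor.exe has no reason to open outbound TLS connections.
        if image == "waitfor.exe" and port == 443:
            hits.append("waitfor_outbound_443")
    elif kind == "FileCreate":
        target = ev.get("TargetFilename", "").lower()
        # Rule 6: the dropper's known artifacts landing in the staging directory.
        if target.startswith(DROP_DIR) and _basename(target) in DROPPED_FILES:
            hits.append("dropper_artifact_written")
    return hits


def triage(events: list[dict]) -> dict[str, list[str]]:
    """Map event Id -> rules hit, for every event that tripped at least one rule."""
    flagged: dict[str, list[str]] = {}
    for ev in events:
        hits = triage_event(ev)
        if hits:
            flagged[ev["Id"]] = hits
    return flagged


# Constructed sample telemetry; not captured from any real incident.
SAMPLE_EVENTS = [
    {"Id": "e1", "EventType": "ProcessCreate", "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
    {"Id": "e2", "EventType": "FileCreate", "Image": r"C:\Users\u\Downloads\IRSetup.exe",
     "TargetFilename": r"C:\ProgramData\session\EACore.dll"},
    {"Id": "e3", "EventType": "ProcessCreate", "Image": r"C:\Windows\System32\waitfor.exe",
     "ParentImage": r"C:\ProgramData\session\IRSetup.exe", "CommandLine": "waitfor.exe /t 600 ready"},
    {"Id": "e4", "EventType": "ProcessCreate", "Image": r"C:\Windows\System32\mavinject.exe",
     "ParentImage": r"C:\ProgramData\session\IRSetup.exe",
     "CommandLine": r"mavinject.exe 4312 /INJECTRUNNING C:\ProgramData\session\EACore.dll"},
    {"Id": "e5", "EventType": "NetworkConnect", "Image": r"C:\Windows\System32\waitfor.exe",
     "DestinationHostname": "militarytc[.]com", "DestinationPort": "443"},
    {"Id": "e6", "EventType": "NetworkConnect", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "example.org", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for event_id, rules in triage(SAMPLE_EVENTS).items():
        print(event_id, rules)
```

Rules 1 and 5 are the durable ones: the C2 host and file names will change between campaigns, but an App-V injector invocation on a host that does not run App-V, and waitfor.exe opening outbound 443, are behaviours worth alerting on regardless of which backdoor is behind them. On an estate that does use App-V, scope rule 1 to the parents and DLL paths your deployment legitimately produces rather than suppressing it outright.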
Trend Micro believes that this new variant is a custom Mustang Panda tool based on its functional characteristics and previously documented packet decryption mechanisms.
This abuse of Microsoft App-V highlights the importance of keeping Windows systems up to date and utilizing robust security measures, including blocking the App-V injector on devices that do not use App-V. It also serves as a reminder for organizations to implement strict email security policies, monitor endpoint activity closely, and conduct regular system scans so that such threats do not go undetected.
In conclusion, Mustang Panda's abuse of Microsoft App-V to inject malicious payloads into legitimate processes shows how a trusted system tool can be turned against the antivirus defences that trust it, and why up-to-date systems, strict email security policies, and regular system scans remain necessary.
Related Information:
https://www.bleepingcomputer.com/news/security/chinese-hackers-abuse-microsoft-app-v-tool-to-evade-antivirus/
Published: Tue Feb 18 14:20:27 2025 by llama3.2 3B Q4_K_M