Ethical Hacking News
Recent analysis by Trend Micro revealed a novel technique used by Chinese state-sponsored threat actor Mustang Panda to evade detection and maintain control over infected systems. By exploiting legitimate Microsoft Windows utilities, these hackers are able to bypass security measures and continue their malicious activities undetected.
The Chinese state-sponsored threat actor "Mustang Panda" (also tracked as Earth Preta) uses a novel technique to evade detection and maintain control over infected systems. The attack involves the use of the legitimate Microsoft Windows utility "MAVInject.exe" to inject a malicious payload into an external process, waitfor.exe. The attack sequence begins with an executable file ("IRSetup.exe") that serves as a dropper for several files, including a lure document designed to target Thailand-based users. The malware checks whether two processes associated with ESET antivirus applications are running on the compromised host and, if so, executes "waitfor.exe" and injects into it to bypass detection. Earth Preta's use of MAVInject.exe is an example of how threat actors can exploit legitimate utilities to further their malicious goals.
The world of cyber threats is constantly evolving, and one group of hackers that has been making waves lately is the Chinese state-sponsored threat actor known as Mustang Panda. In a recent analysis by Trend Micro, this group was observed employing a novel technique to evade detection and maintain control over infected systems. The attack involves the use of a legitimate Microsoft Windows utility called Microsoft Application Virtualization Injector (MAVInject.exe) to inject the threat actor's malicious payload into an external process, waitfor.exe, whenever an ESET antivirus application is detected running.
To understand this attack sequence, it is essential to break down the steps involved. The starting point is an executable file ("IRSetup.exe") that serves as a dropper for several files, including a lure document designed to target Thailand-based users. This suggests that the attacks may have involved spear-phishing emails to single out victims.
The binary then proceeds to execute a legitimate Electronic Arts (EA) application ("OriginLegacyCLI.exe") to sideload a rogue DLL named "EACore.dll", a modified version of the TONESHELL backdoor attributed to the hacking crew. The payload checks whether either of two processes associated with ESET antivirus applications -- "ekrn.exe" or "egui.exe" -- is running on the compromised host, and if so, executes "waitfor.exe" and then uses "MAVInject.exe" to run the malware inside that process without being flagged by the antivirus.
MAVInject.exe is a legitimate utility that can proxy-execute malicious code by injecting it into a running process, here as a means of bypassing ESET detection. It is possible that Earth Preta adopted MAVInject.exe after testing the execution of their attack on machines that ran ESET software. This is an example of how threat actors are constantly adapting and evolving their tactics to evade detection.
The malware ultimately decrypts embedded shellcode that establishes a connection with a remote server ("www.militarytc[.]com:443") to receive commands for establishing a reverse shell, moving files, and deleting files. The malware is a variant of TONESHELL, a backdoor that gives the attackers unauthorized access to the compromised system.
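The chain described above leaves three observable traces on an endpoint: OriginLegacyCLI.exe loading EACore.dll, MAVInject.exe being pointed at a waitfor.exe process, and a connection to the reported command-and-control host. The following script, added here as an illustration and not code from Trend Micro's analysis or from the threat actor, runs those three checks over a small stream of constructed Sysmon-style events (ProcessCreate, NetworkConnect and ImageLoad). The indicator names and the C2 host come from the write-up; the PIDs, file paths and command lines in the sample events are made up, and the exact MAVInject.exe argument syntax is deliberately not reproduced, so the injection rule keys only on the PID-to-waitfor.exe relationship.

```python
"""
Detection sketch for the Mustang Panda / Earth Preta tradecraft described
above, run over constructed Sysmon-style events (EventID 1 ProcessCreate,
3 NetworkConnect, 7 ImageLoad).  Added example; not the vendor's or the
threat actor's code.  Only the indicator names and the C2 host are taken
from the write-up; every path, PID and command line below is invented.
"""
import re
from pathlib import PureWindowsPath

# Indicators from the write-up.  The C2 host is kept defanged so it can be
# pasted straight from a report and is refanged at match time.
C2_HOSTS_DEFANGED = {"www.militarytc[.]com"}
C2_PORT = 443


def refang(host: str) -> str:
    """Turn 'www.example[.]com' into 'www.example.com' (lower-cased)."""
    return host.replace("[.]", ".").lower()


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def detect_mavinject_into_waitfor(events):
    """Flag MAVInject.exe launches whose command line names the PID of a
    waitfor.exe process created earlier in the event stream."""
    pid_to_image = {}
    hits = []
    for ev in events:
        if ev["EventID"] != 1:
            continue
        pid_to_image[ev["ProcessId"]] = basename(ev["Image"])
        if basename(ev["Image"]) != "mavinject.exe":
            continue
        # Any numeric token on the command line that resolves to a known
        # waitfor.exe process is treated as the injection target.
        for token in re.findall(r"\b\d+\b", ev["CommandLine"]):
            if pid_to_image.get(int(token)) == "waitfor.exe":
                hits.append({"rule": "mavinject_into_waitfor",
                             "pid": ev["ProcessId"], "target_pid": int(token)})
    return hits


def detect_eacore_sideload(events):
    """Flag OriginLegacyCLI.exe loading a DLL named EACore.dll, the
    sideloaded TONESHELL variant named in the write-up."""
    return [
        {"rule": "eacore_sideload", "pid": ev["ProcessId"], "dll": ev["ImageLoaded"]}
        for ev in events
        if ev["EventID"] == 7
        and basename(ev["Image"]) == "originlegacycli.exe"
        and basename(ev["ImageLoaded"]) == "eacore.dll"
    ]


def detect_c2_connection(events):
    """Flag outbound connections to the reported C2 host on port 443."""
    c2 = {refang(h) for h in C2_HOSTS_DEFANGED}
    return [
        {"rule": "toneshell_c2", "pid": ev["ProcessId"], "host": ev["DestinationHostname"]}
        for ev in events
        if ev["EventID"] == 3
        and ev["DestinationHostname"].lower() in c2
        and ev["DestinationPort"] == C2_PORT
    ]


def run_all(events):
    return (detect_mavinject_into_waitfor(events)
            + detect_eacore_sideload(events)
            + detect_c2_connection(events))


# Constructed sample stream: dropper, sideload, waitfor.exe spawn, injection
# and beacon, plus two benign events that must not fire.  All values invented.
TEMP = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "Image": TEMP + r"\IRSetup.exe", "CommandLine": "IRSetup.exe"},
    {"EventID": 1, "ProcessId": 4212, "Image": TEMP + r"\OriginLegacyCLI.exe", "CommandLine": "OriginLegacyCLI.exe"},
    {"EventID": 7, "ProcessId": 4212, "Image": TEMP + r"\OriginLegacyCLI.exe", "ImageLoaded": TEMP + r"\EACore.dll"},
    # Arguments to waitfor.exe are not given in the write-up; none are assumed.
    {"EventID": 1, "ProcessId": 4300, "Image": r"C:\Windows\System32\waitfor.exe", "CommandLine": "waitfor.exe"},
    # Real MAVInject argument syntax intentionally elided; only the PID matters here.
    {"EventID": 1, "ProcessId": 4356, "Image": r"C:\Windows\System32\mavinject.exe", "CommandLine": "mavinject.exe 4300 <args elided>"},
    {"EventID": 3, "ProcessId": 4300, "DestinationHostname": "www.militarytc.com", "DestinationPort": 443},
    # Benign noise: a legitimate waitfor.exe use and an unrelated HTTPS connection.
    {"EventID": 1, "ProcessId": 5000, "Image": r"C:\Windows\System32\waitfor.exe", "CommandLine": "waitfor.exe /t 30 buildready"},
    {"EventID": 3, "ProcessId": 5001, "DestinationHostname": "www.example.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for hit in run_all(SAMPLE_EVENTS):
        print(hit)
```

Against the sample stream the script reports exactly three hits: the EACore.dll sideload in PID 4212, MAVInject.exe (PID 4356) targeting the waitfor.exe process 4300, and that same waitfor.exe process beaconing to www.militarytc[.]com on 443. The injection rule depends on seeing the waitfor.exe ProcessCreate before the MAVInject.exe one, which is the order the write-up describes; a production rule would additionally match the documented MAVInject.exe argument syntax and check the signer and path of EACore.dll.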
Earth Preta's use of MAVInject.exe is a prime example of how threat actors can exploit legitimate utilities to further their malicious goals. This highlights the importance of keeping software up-to-date and using reputable antivirus software to prevent such attacks.
In conclusion, the recent analysis by Trend Micro provides valuable insights into the tactics used by Mustang Panda, a Chinese state-sponsored threat actor. The use of MAVInject.exe is a novel technique that allows these hackers to evade detection and maintain control over infected systems. It is essential for individuals and organizations to stay vigilant and take proactive measures to protect themselves against such threats.
Related Information:
https://thehackernews.com/2025/02/chinese-hackers-exploit-mavinjectexe-to.html
https://www.csoonline.com/article/3824177/unusual-attack-linked-to-chinese-apt-group-combines-espionage-and-ransomware.html
https://www.bleepingcomputer.com/news/security/chinese-hackers-abuse-microsoft-app-v-tool-to-evade-antivirus/
Published: Tue Feb 18 12:28:31 2025 by llama3.2 3B Q4_K_M