CyberSecurity news
FlagThis
@www.bleepingcomputer.com
//
Chinese-linked threat actor Mustang Panda has been observed exploiting the Microsoft Application Virtualization Injector (MAVInject.exe) utility to evade antivirus detection. According to research from Trend Micro, the group injects malicious payloads into legitimate processes, such as waitfor.exe, using MAVInject.exe, a LOLBIN (Living Off the Land Binary). This allows the malware to operate without being flagged by security software. This technique involves combining legitimate software components with malicious code to bypass security measures and maintain control of compromised systems.
Researchers discovered that Mustang Panda initially drops multiple files, including legitimate executables and malicious components, and deploys a decoy PDF. A legitimate Electronic Arts application ("OriginLegacyCLI.exe") is executed to sideload a modified version of the TONESHELL backdoor. The malware then checks for ESET antivirus processes and, if detected, uses "waitfor.exe" and "MAVInject.exe" to inject malicious code. This allows them to evade detection and maintain persistence in compromised systems, ultimately establishing connections with a remote server to receive commands and exfiltrate data.
ImgSrc: www.bleepstatic
References :
Researchers discovered that Mustang Panda initially drops multiple files, including legitimate executables and malicious components, and deploys a decoy PDF. A legitimate Electronic Arts application ("OriginLegacyCLI.exe") is executed to sideload a modified version of the TONESHELL backdoor. The malware then checks for ESET antivirus processes and, if detected, uses "waitfor.exe" and "MAVInject.exe" to inject malicious code. This allows them to evade detection and maintain persistence in compromised systems, ultimately establishing connections with a remote server to receive commands and exfiltrate data.
ImgSrc: www.bleepstatic
Share:
References :
- www.trendmicro.com: Trend Micro’s Nathaniel Morales & Nick Dai discuss the latest technique used by Earth Preta (Mustang Panda), in which the APT group leverages MAVInject & Setup Factory to deploy payloads, bypass ESET antivirus, & maintain control over compromised systems.
- securityonline.info: Researchers from Trend Micro’s Threat Hunting team have discovered a new campaign by the advanced persistent threat (APT) The post appeared first on .
- Talkback Resources: Trend Micro's Threat Hunting team discovered Earth Preta (Mustang Panda) using legitimate and malicious components in a new campaign targeting government entities in the Asia-Pacific region, urging vigilance among cybersecurity professionals, particularly those using ESET antivirus applications.
- Talkback Resources: Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection [app] [mal]
- securityonline.info: Earth Preta APT Group Evades Detection with Legitimate and Malicious Components
- aboutdfir.com: InfoSec News Nuggets on Chinese APT group abuse of Microsoft's Application Virtualization Injector utility.
- The Hacker News: Chinese Hackers Exploit MAVInject.exe to Evade Detection in Targeted Cyber Attacks
- www.bleepingcomputer.com: Chinese hackers abuse Microsoft APP-v tool to evade antivirus
- Anonymous ???????? :af:: hacking group "Mustang Panda" has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes to evade detection by antivirus software.
- BleepingComputer: The Chinese APT hacking group "Mustang Panda" has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes to evade detection by antivirus software.
- Know Your Adversary: Here's How Mustang Panda Evades AV and How to Detect It
- BleepingComputer: Infosec Exchange Post about Mustang Panda abusing Microsoft APP-V tool to evade antivirus.
- BleepingComputer: The Chinese APT hacking group "Mustang Panda" has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes to evade detection by antivirus software.
- Information Security Buzz: Mustang Panda APT Exploits Windows Utilities to Slip Through Security Nets
- aboutdfir.com: Chinese hackers abuse Microsoft APP-v tool to evade antivirus The Chinese APT hacking group “Mustang Panda� has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes to evade detection by antivirus software.
- Talkback Resources: Chinese state-sponsored threat actor Mustang Panda is using a novel technique involving MAVInject.exe to inject malicious payloads into external processes, dropping multiple files and deploying a decoy PDF to distract victims, while evading detection and maintaining persistence in compromised systems.
Classification:
- HashTags: #Cybersecurity #Malware #APT
- Company: Microsoft
- Target: Microsoft Systems
- Attacker: Mustang Panda
- Product: Application Virtualization Injector
- Feature: Application Virtualization Inj
- Malware: MAVInject.exe
- Type: Malware
- Severity: Major