2025-02-22 02:49:10 Pacfic
Microsoft Application Virtualization Injector Abuse - 2d
Chinese-linked threat actor Mustang Panda has been observed exploiting the Microsoft Application Virtualization Injector (MAVInject.exe) utility to evade antivirus detection. According to research from Trend Micro, the group injects malicious payloads into legitimate processes, such as waitfor.exe, using MAVInject.exe, a LOLBIN (Living Off the Land Binary). This allows the malware to operate without being flagged by security software. This technique involves combining legitimate software components with malicious code to bypass security measures and maintain control of compromised systems.
Researchers discovered that Mustang Panda initially drops multiple files, including legitimate executables and malicious components, and deploys a decoy PDF. A legitimate Electronic Arts application ("OriginLegacyCLI.exe") is executed to sideload a modified version of the TONESHELL backdoor. The malware then checks for ESET antivirus processes and, if detected, uses "waitfor.exe" and "MAVInject.exe" to inject malicious code. This allows them to evade detection and maintain persistence in compromised systems, ultimately establishing connections with a remote server to receive commands and exfiltrate data.
ImgSrc: www.bleepstatic.com
References:
- Trend Micro Research, News and Perspectives - Trend Micro’s Nathaniel Morales & Nick Dai discuss the latest technique used by Earth Preta (Mustang Panda), in which the APT group leverages MAVInject & Setup Factory to deploy payloads, bypas - 2d
- Cybersecurity News - Researchers from Trend Micro’s Threat Hunting team have discovered a new campaign by the advanced persistent threat (APT) The post appeared first on . - 2d
- Talkback Resources - Trend Micro's Threat Hunting team discovered Earth Preta (Mustang Panda) using legitimate and malicious components in a new campaign targeting government entities in the Asia-Pacific region, urging vi - 2d
- Talkback Resources - Earth Preta Mixes Legitimate and Malicious Components to Sidestep Detection [app] [mal] - 2d
- securityonline.info - Earth Preta APT Group Evades Detection with Legitimate and Malicious Components - 2d
- AboutDFIR ? The Definitive Compendium Project - InfoSec News Nuggets on Chinese APT group abuse of Microsoft's Application Virtualization Injector utility. - 2d
- The Hacker News - Chinese Hackers Exploit MAVInject.exe to Evade Detection in Targeted Cyber Attacks - 2d
- www.bleepingcomputer.com - Chinese hackers abuse Microsoft APP-v tool to evade antivirus - 2d
- @youranonriots - hacking group "Mustang Panda" has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes to evade detection b - 2d
- BleepingComputer - The Chinese APT hacking group "Mustang Panda" has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processe - 2d
- Know Your Adversary - Here's How Mustang Panda Evades AV and How to Detect It - 2d
- @BleepingComputer - Infosec Exchange Post about Mustang Panda abusing Microsoft APP-V tool to evade antivirus. - 2d
- @BleepingComputer - The Chinese APT hacking group "Mustang Panda" has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes - 1d
- Information Security Buzz - Mustang Panda APT Exploits Windows Utilities to Slip Through Security Nets - 1d
- aboutdfir.com - Chinese hackers abuse Microsoft APP-v tool to evade antivirus The Chinese APT hacking group “Mustang Panda� has been spotted abusing the Microsoft Application Virtualization Injector u - 1d
- Talkback Resources - Chinese state-sponsored threat actor Mustang Panda is using a novel technique involving MAVInject.exe to inject malicious payloads into external processes, dropping multiple files and deploying a deco - 1h
Classification:
- HashTags: Cybersecurity Malware APT
- Company: Microsoft
- Target: Microsoft Systems
- Attacker: Mustang Panda
- Product: Application Virtualization Injector
- Feature: Application Virtualization Inj
- Type: Malware
- Severity: Major