A Chinese hacking group known as “Mustang Panda” has been spotted abusing the Microsoft Application Virtualization Injector utility to inject malicious payloads into legitimate processes, evading detection by antivirus software. This technique was discovered by threat researchers at Trend Micro, who verified over 200 victims since 2022.
Mustang Panda primarily targets government entities in the Asia-Pacific region, using spear-phishing emails that appear to come from government agencies, NGOs, think tanks, or law enforcement. The malicious attachment carries a dropper (IRSetup.exe) that writes multiple files into C:\ProgramData\session, mixing legitimate files with the malware components.
When ESET antivirus products are detected on a compromised machine, Mustang Panda employs a unique evasion mechanism exploiting tools pre-installed on Windows 10 and later. The group uses the Microsoft Application Virtualization Injector (MAVInject.exe) to inject malicious payloads into the ‘waitfor.exe’ process, which is a legitimate Windows utility.
The malware injected into waitfor.exe is a modified version of the TONESHELL backdoor, hidden inside a DLL file (EACore.dll). Once running, it connects to its command and control server at militarytc[.]com:443 and sends system information and a victim ID. The malware also gives the attackers a reverse shell for remote command execution and file operations.
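A defender-side detection sketch for the chain described above (a dropper in C:\ProgramData\session launching waitfor.exe, MAVInject.exe being run against it, and waitfor.exe then calling out on port 443), written as an added example; it is not code from the article, Trend Micro or ESET. The event schema (`type`, `pid`, `parent_pid`, `image`, `parent_image`, `dest_ip`, `dest_port` keys), the PIDs and the placeholder C2 address 1.2.3.4 are constructed assumptions; map the keys to your Sysmon or EDR field names.

```python
"""Detection sketch for the MAVInject.exe -> waitfor.exe injection chain.

Added example (not the article's, Trend Micro's or ESET's code). Assumes
process-creation and network-connection telemetry normalised into dicts
with the keys below; the sample events are constructed, not real telemetry.
"""
import ipaddress
import ntpath
from collections import defaultdict

# Drop directory named in the report; compared case-insensitively.
STAGING_DIR = r"c:\programdata\session"

# Constructed sample events. PIDs, parent paths and the IP are invented;
# the file names and domain are the ones the report describes.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "parent_pid": 3000,
     "image": r"C:\ProgramData\session\IRSetup.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"type": "process", "pid": 4188, "parent_pid": 4120,
     "image": r"C:\Windows\System32\waitfor.exe",
     "parent_image": r"C:\ProgramData\session\IRSetup.exe"},
    {"type": "process", "pid": 4201, "parent_pid": 4120,
     "image": r"C:\Windows\System32\MavInject.exe",
     "parent_image": r"C:\ProgramData\session\IRSetup.exe"},
    {"type": "network", "pid": 4188, "image": r"C:\Windows\System32\waitfor.exe",
     "dest_ip": "1.2.3.4",  # placeholder for the C2 address, not a real one
     "dest_host": "militarytc[.]com", "dest_port": 443},
    # Benign noise that must not alert:
    {"type": "process", "pid": 5000, "parent_pid": 700,
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"type": "network", "pid": 5000, "image": r"C:\Windows\System32\svchost.exe",
     "dest_ip": "10.0.0.5", "dest_host": "", "dest_port": 443},
]


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def _in_staging_dir(path):
    return path.lower().startswith(STAGING_DIR + "\\")


def _is_external(ip):
    """True for globally routable destinations (private/loopback/doc ranges excluded)."""
    return ipaddress.ip_address(ip).is_global


def detect(events):
    """Return a list of (severity, rule, detail) tuples for suspicious events."""
    alerts = []
    children = defaultdict(set)  # parent pid -> set of child image names
    for ev in events:
        image = _basename(ev["image"])
        if ev["type"] == "process":
            parent = ev.get("parent_image", "")
            children[ev["parent_pid"]].add(image)
            # Rule 1: the App-V injector is rarely run outside App-V deployments.
            if image == "mavinject.exe":
                alerts.append(("medium", "appv_injector_exec",
                               f"pid {ev['pid']} ran MAVInject.exe, parent {parent}"))
            # Rule 2: anything executing from, or spawned by, the drop directory.
            if _in_staging_dir(ev["image"]) or _in_staging_dir(parent):
                alerts.append(("medium", "staging_dir_exec",
                               f"pid {ev['pid']} ({image}) involves {STAGING_DIR}"))
        elif ev["type"] == "network":
            # Rule 3: waitfor.exe has no business talking to external hosts on 443.
            if image == "waitfor.exe" and _is_external(ev["dest_ip"]):
                alerts.append(("high", "waitfor_outbound",
                               f"waitfor.exe pid {ev['pid']} -> "
                               f"{ev.get('dest_host') or ev['dest_ip']}:{ev['dest_port']}"))
    # Rule 4: one parent spawning both the target and the injector is the chain itself.
    for ppid, names in children.items():
        if {"waitfor.exe", "mavinject.exe"} <= names:
            alerts.append(("high", "injection_chain",
                           f"parent pid {ppid} spawned both waitfor.exe and MAVInject.exe"))
    return alerts


def rules_fired(events):
    """Set of rule names that fired, convenient for tuning and testing."""
    return {rule for _, rule, _ in detect(events)}


if __name__ == "__main__":
    for severity, rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {detail}")
```

On the sample, rules 1 to 4 all fire and the svchost.exe noise stays silent. Rule 1 needs tuning on hosts that genuinely run App-V (allow-list them rather than the binary); rule 4 correlates only by parent PID, which matches the dropper-launches-both pattern the article describes but would miss a chain split across intermediate processes.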
Trend Micro believes this new variant is a custom Mustang Panda tool based on its functional characteristics and previously documented packet decryption mechanisms. However, ESET disagrees with Trend Micro’s findings, stating that the reported technique is not novel and that their technology has been protecting against it for many years.
Source: https://www.bleepingcomputer.com/news/security/chinese-hackers-abuse-microsoft-app-v-tool-to-evade-antivirus