Chinese Hackers Exploit Windows Utilities to Bypass AV

The Chinese cyber group Mustang Panda has been found using a new bypass technique to evade antivirus monitoring on infected systems. Experts from Trend Micro discovered that the hackers are using a legitimate Windows tool, the Microsoft Application Virtualization Injector (“Mavinject.exe”), to inject malicious code into the “Waitfor.exe” process in order to bypass detection by the ESET antivirus.

The attack begins by dropping multiple files, including legitimate executables, malicious components, and a decoy PDF document intended to distract the victim. The attackers use Setup Factory, a tool for building Windows installers, to conceal the malicious code and ensure it runs quietly.

The initial malicious file (“Irsetup.exe”) acts as a loader, delivering various components to the device, including a decoy document targeting users from Thailand. This suggests the potential use of phishing emails to propagate the malware.

The executable then launches the legitimate Electronic Arts application (“OriginlegacyCli.exe”), which loads the fake library “Eacore.dll,” a modified version of the Tonshell backdoor associated with Mustang Panda. The malware’s first task is to check for the presence of ESET antivirus processes (“ekrn.exe” or “egui.exe”). If the antivirus is active, the malware runs “WaitFor.exe” and uses “Mavinject.exe” to inject its code into that process undetected.

According to analysts, “Mavinject.exe” makes it possible to inject malicious code into a running process while evading antivirus detection. The hackers likely tested the attack beforehand on systems running ESET to confirm it worked.
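The behaviour described above leaves a recognisable trace in endpoint telemetry: a signed Windows binary (Mavinject.exe) being launched by an unexpected parent and then creating a thread inside Waitfor.exe. The following detection logic is an added example, not code from the article or from Trend Micro. It runs over a few constructed Sysmon-style events (process creation, Event ID 1, and CreateRemoteThread, Event ID 8) and flags that chain. The allow-list of parents for mavinject.exe, the assumption that waitfor.exe is normally started from cmd.exe or powershell.exe, and all paths and process names in the sample events are assumptions for illustration; only the executable names come from the article.

```python
"""Flag the Mavinject.exe -> WaitFor.exe injection chain in Sysmon-style events.

Added example (not the article's or Trend Micro's code). Three rules:
  1. mavinject.exe started by a parent outside a defender-supplied allow-list
     (empty by default: hosts without App-V should never run it);
  2. waitfor.exe started by something other than a shell (assumption);
  3. a CreateRemoteThread (Event ID 8) whose source is mavinject.exe, with a
     dedicated rule name when the target is waitfor.exe.
"""
from dataclasses import dataclass
import ntpath

INJECTOR = "mavinject.exe"
TARGET = "waitfor.exe"
# Assumption: waitfor.exe is a command-line utility normally run from a shell.
EXPECTED_WAITFOR_PARENTS = frozenset({"cmd.exe", "powershell.exe"})


@dataclass(frozen=True)
class Finding:
    rule: str          # which rule fired
    event_index: int   # position of the event in the input list
    detail: str        # short human-readable explanation


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (case-insensitive matching)."""
    return ntpath.basename(path).lower()


def scan(events, allowed_mavinject_parents=frozenset()):
    """Return a list of Findings for the given Sysmon-style event dicts."""
    findings = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 1:  # process creation
            image = basename(ev.get("Image", ""))
            parent = basename(ev.get("ParentImage", ""))
            if image == INJECTOR and parent not in allowed_mavinject_parents:
                findings.append(Finding("mavinject_unexpected_parent", i,
                                        f"{image} started by {parent}"))
            if image == TARGET and parent not in EXPECTED_WAITFOR_PARENTS:
                findings.append(Finding("waitfor_unexpected_parent", i,
                                        f"{image} started by {parent}"))
        elif eid == 8:  # CreateRemoteThread
            src = basename(ev.get("SourceImage", ""))
            dst = basename(ev.get("TargetImage", ""))
            if src == INJECTOR:
                rule = ("mavinject_into_waitfor" if dst == TARGET
                        else "mavinject_remote_thread")
                findings.append(Finding(rule, i, f"{src} -> {dst}"))
    return findings


# Constructed sample telemetry (not real logs). The parent path mirrors the
# article's description of the backdoor running inside OriginlegacyCli.exe;
# the directory and user name are invented.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\Windows\System32\waitfor.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\OriginlegacyCli.exe",
     "CommandLine": "waitfor.exe <constructed>"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\mavinject.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\OriginlegacyCli.exe",
     "CommandLine": "mavinject.exe <arguments omitted, constructed>"},
    {"EventID": 8,
     "SourceImage": r"C:\Windows\System32\mavinject.exe",
     "TargetImage": r"C:\Windows\System32\waitfor.exe"},
    {"EventID": 1,  # benign noise that must not fire
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] event #{f.event_index}: {f.detail}")
```

Rule 3 is the strongest signal: Mavinject.exe creating a thread in Waitfor.exe has no legitimate reason to occur, whereas rule 1 needs an allow-list on hosts that really use App-V. Pass that allow-list as `allowed_mavinject_parents` to keep rule 1 quiet for expected parents while rules 2 and 3 still fire.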

In the final phase of the attack, the embedded shellcode is decoded and a connection is established with a remote server. This lets the attackers upload files, download data, and take remote control of the compromised device.

Thus, Chinese hackers are adapting attack techniques by leveraging legitimate Windows tools to
