Chinese Hackers Exploit MAVInject.exe to Evade Detection
Chinese state-sponsored hackers, identified as Mustang Panda, have been caught using a stealthy technique to evade cybersecurity measures and maintain persistent access to infected systems. They leverage a legitimate Windows utility, Microsoft Application Virtualization Injector (MAVInject.exe), to inject malicious payloads into external processes. This tactic helps them bypass antivirus software and avoid detection.
A recent report reveals that the attack sequence starts with a dropper file named “IRSetup.exe,” which installs multiple components, including a lure document designed to target users in Thailand. Researchers suggest the attackers likely use spear-phishing emails to infect victims.
Once executed, the dropper launches a legitimate Electronic Arts (EA) application, “OriginLegacyCLI.exe,” which sideloads a compromised DLL file named “EACore.dll.” This modified file contains a version of the TONESHELL backdoor, a malware strain attributed to the hackers.
A crucial feature of the attack is its ability to detect whether ESET antivirus is running. If so, the malware executes “waitfor.exe” before using MAVInject.exe to run malicious code stealthily. This injection method allows the malware to operate undetected and establish a connection with a remote server, enabling data exfiltration, reverse shell access, and file manipulation.
How to Prevent This Attack
To mitigate the risk of such attacks, organizations should update their security tools regularly and monitor system processes for unusual activity. Disabling MAVInject.exe in environments where it is not required can limit its misuse. Implementing strict application whitelisting can prevent unauthorized programs from executing malicious commands.
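One way to turn the "monitor system processes" advice into a concrete check is to scan process-creation telemetry for MAVInject.exe launched by a parent that is not the App-V client, and to note when waitfor.exe ran under the same parent shortly before, matching the sequence described above. This is an added example written for this page, not code from the report or from any vendor; the event records, the parent allow-list and the file paths are constructed assumptions.

```python
"""Flag process-creation events matching the MAVInject.exe abuse pattern:
MAVInject.exe spawned by a parent other than the App-V client, optionally
preceded by waitfor.exe under the same parent (the AV-check step).
All event records below are constructed sample data, not real telemetry."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed allow-list of parents expected to launch MAVInject.exe
# (the App-V client); tune this for your own environment.
EXPECTED_PARENTS = {"appvclient.exe"}

@dataclass
class ProcEvent:
    ts: int            # seconds since epoch (constructed)
    pid: int
    ppid: int
    image: str         # full path of the new process
    parent_image: str  # full path of the creating process

def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def find_suspicious(events, window=60):
    """Return (ts, pid, reason) for each MAVInject.exe launch whose parent is
    not allow-listed; mention waitfor.exe if it ran under the same parent
    within `window` seconds beforehand."""
    ordered = sorted(events, key=lambda e: e.ts)
    by_parent = {}
    for e in ordered:
        by_parent.setdefault(e.ppid, []).append(e)
    findings = []
    for e in ordered:
        if _name(e.image) != "mavinject.exe":
            continue
        if _name(e.parent_image) in EXPECTED_PARENTS:
            continue  # expected App-V usage, not reported
        reason = f"mavinject.exe spawned by {_name(e.parent_image)}"
        if any(_name(s.image) == "waitfor.exe" and 0 <= e.ts - s.ts <= window
               for s in by_parent.get(e.ppid, [])):
            reason += "; preceded by waitfor.exe under same parent"
        findings.append((e.ts, e.pid, reason))
    return findings

APPV = r"C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe"
ORIGIN = r"C:\Users\u\AppData\Local\OriginLegacyCLI.exe"  # constructed path
SAMPLE_EVENTS = [  # constructed: one benign launch, one matching the pattern
    ProcEvent(1000, 400, 300, r"C:\Windows\System32\mavinject.exe", APPV),
    ProcEvent(2000, 510, 500, r"C:\Windows\System32\waitfor.exe", ORIGIN),
    ProcEvent(2005, 520, 500, r"C:\Windows\System32\MAVInject.exe", ORIGIN),
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS):
        print(finding)
```

In production the same function would be fed Sysmon or EDR process-creation events rather than the embedded sample list.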
Additionally, companies should train employees to recognize phishing attempts and avoid opening suspicious attachments. Regular security tests can help identify vulnerabilities before hackers exploit them, ensuring a proactive defense against evolving threats.
Sleep well, we got you covered.