Chinese Hackers Exploit Microsoft APP-V Tool to Bypass Antivirus

The Chinese APT group "Mustang Panda," also known as Earth Preta, has been abusing Microsoft's Application Virtualization Injector (MAVInject.exe) to inject malware into legitimate processes and evade antivirus detection.

Trend Micro researchers have tracked over 200 victims since 2022, primarily targeting government agencies in the Asia-Pacific region through spear-phishing emails disguised as official communications.

When victims execute the malicious attachment, it drops multiple files, including malware components, into the system while displaying a decoy PDF to avoid suspicion.

To bypass ESET antivirus software, Mustang Panda leverages MAVInject.exe to inject a modified version of the TONESHELL backdoor into "waitfor.exe," a trusted Windows utility, making detection more difficult.

Once active, the malware connects to a command-and-control server, sending system details and a victim ID, and allows remote command execution and file manipulation.

Cybersecurity firm FourCore highlighted this technique in 2022, warning that MAVInject.exe could be misused as a LOLBIN and should be blocked where APP-V is not in use.
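As an added example (not from the article, Trend Micro or FourCore), the following Python detector shows how the behaviour described above could be flagged in process-creation telemetry. It assumes Sysmon-style process-start records (pid, image, command line, parent), the documented invocation `mavinject.exe <PID> /INJECTRUNNING <DLL>`, and a site-level flag saying whether App-V is actually deployed; all sample events are constructed.

```python
import re
from collections import namedtuple

Alert = namedtuple("Alert", "severity target_image dll reason")

# Constructed process-creation records, not real telemetry. Field names mimic
# Sysmon Event ID 1 (ProcessId, Image, CommandLine, ParentImage).
SAMPLE_EVENTS = [
    {"pid": 4212, "image": r"C:\Windows\System32\waitfor.exe",
     "cmdline": "waitfor.exe /t 0 sig", "parent": r"C:\Users\Public\Libraries\launcher.exe"},
    {"pid": 4300, "image": r"C:\Windows\System32\mavinject.exe",
     "cmdline": r"mavinject.exe 4212 /INJECTRUNNING C:\Users\Public\Libraries\updater.dll",
     "parent": r"C:\Users\Public\Libraries\launcher.exe"},
    {"pid": 4400, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "parent": r"C:\Windows\explorer.exe"},
    {"pid": 5100, "image": r"C:\Windows\System32\mavinject.exe",
     "cmdline": r"mavinject.exe 5088 /INJECTRUNNING C:\Windows\System32\example_hook.dll",
     "parent": r"C:\Windows\System32\svchost.exe"},  # target pid not seen in the feed
]

# mavinject.exe <PID> /INJECTRUNNING <DLL path>  (switch is case-insensitive)
INJECT_RE = re.compile(r"mavinject(?:\.exe)?\"?\s+(\d+)\s+/INJECTRUNNING\s+(.+)$", re.I)
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def detect_mavinject(events, appv_in_use=False):
    """Return Alerts for MAVInject-based injection seen in process-start events."""
    pid_to_image = {}
    alerts = []
    for ev in events:
        pid_to_image[ev["pid"]] = ev["image"]  # resolve the target PID later
        if not ev["image"].lower().endswith("\\mavinject.exe"):
            continue
        m = INJECT_RE.search(ev["cmdline"])
        if not m:
            continue
        target_pid, dll = int(m.group(1)), m.group(2).strip().strip('"')
        target = pid_to_image.get(target_pid, "<unknown>")
        reasons = []
        if not appv_in_use:
            reasons.append("mavinject used but App-V not deployed")
        if target.lower().endswith("\\waitfor.exe"):
            reasons.append("injection into waitfor.exe")
        if dll.lower().startswith(USER_WRITABLE):
            reasons.append("DLL loaded from user-writable path")
        if reasons:
            severity = "high" if len(reasons) > 1 else "medium"
            alerts.append(Alert(severity, target, dll, "; ".join(reasons)))
    return alerts
```

With App-V not deployed every MAVInject invocation is at least medium; the waitfor.exe target and a DLL under a user-writable path raise it to high.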

Trend Micro attributes this new malware variant to Mustang Panda with medium confidence based on its functional similarities to previously analyzed attacks.
