Summary: Mustang Panda, a Chinese APT group also tracked as Earth Preta, has been observed abusing Microsoft's Application Virtualization Injector (MAVInject.exe) as a LOLBIN to inject malicious payloads into legitimate Windows processes and evade antivirus detection. Trend Micro researchers, who identified the technique, have linked the group to over 200 confirmed victims since 2022, primarily government entities across the Asia-Pacific region. The attack chain begins with spear-phishing emails impersonating government agencies, NGOs, think tanks, or law enforcement bodies. The emails carry a malicious attachment that, when executed, delivers the dropper, a Setup Factory installer. The dropper in turn writes multiple files to disk, including legitimate executables, the malware components, and a decoy PDF intended to make the activity look legitimate to the victim.
Mustang Panda applies an additional evasion step on systems running ESET antivirus products. If the malware finds ESET processes running, it launches MAVInject.exe, a Microsoft-signed utility that belongs to the Application Virtualization (App-V) client, to inject a modified version of the TONESHELL backdoor into waitfor.exe, a built-in Windows tool that sends or waits for signals to synchronize tasks between machines. Because the memory write is performed by a trusted Microsoft binary into a trusted system process, waitfor.exe continues to look like a normal Windows process and the injection is less likely to be blocked or flagged. Once injected, the backdoor contacts its command-and-control server, sends system information and victim identifiers, and gives the operators a reverse shell for remote command execution and file manipulation.
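As an added detection example (not code from Trend Micro, ESET, or the original report), the following Python script scans constructed, Sysmon-style process-creation and network-connection records for the two observable artifacts this paragraph describes: mavinject.exe invoked with its documented "PID /INJECTRUNNING DLL" syntax against waitfor.exe (or with a DLL outside trusted locations, or from a parent other than the App-V client), and waitfor.exe connecting to an address outside the local network. Every path, PID, parent process and IP address in the sample records is an assumption made up for the example, including the App-V client path used for the benign case.

```python
"""Detect MAVInject.exe-based injection into waitfor.exe from process telemetry.

Added example; not code from the report or the vendors it discusses.
"""
import ipaddress
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry in a Sysmon-like shape (id 1 = process creation,
# id 3 = network connection). All paths, PIDs and addresses are assumptions
# invented for this example; 203.0.113.10 is a TEST-NET stand-in for a C2 host.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "image": r"C:\Windows\System32\waitfor.exe",
     "cmdline": "waitfor.exe mpsignal",
     "parent_image": r"C:\Users\Public\setup\app.exe"},
    {"id": 1, "pid": 4188, "image": r"C:\Windows\System32\mavinject.exe",
     "cmdline": r"mavinject.exe 4120 /INJECTRUNNING C:\Users\Public\setup\core.dll",
     "parent_image": r"C:\Users\Public\setup\app.exe"},
    # Benign case: the (assumed) App-V client injecting a DLL from its own package store.
    {"id": 1, "pid": 5200, "image": r"C:\Windows\System32\mavinject.exe",
     "cmdline": r"mavinject.exe 5100 /INJECTRUNNING C:\ProgramData\App-V\pkg\x.dll",
     "parent_image": r"C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe"},
    {"id": 3, "pid": 4120, "image": r"C:\Windows\System32\waitfor.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    {"id": 3, "pid": 4120, "image": r"C:\Windows\System32\waitfor.exe",
     "dest_ip": "10.0.0.25", "dest_port": 445},
]

# Documented mavinject.exe injection syntax: mavinject.exe <PID> /INJECTRUNNING <DLL>
INJECT_RE = re.compile(r"^\S+\s+(\d+)\s+/INJECTRUNNING\s+(.+)$", re.IGNORECASE)

# DLL locations treated as expected for legitimate App-V use (assumption).
TRUSTED_DLL_PREFIXES = (
    r"c:\program files", r"c:\program files (x86)",
    r"c:\programdata\app-v", r"c:\windows",
)

# waitfor.exe's own signalling stays on the local network; anything else is suspect.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def basename(path):
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def is_local(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in LOCAL_NETS)


def detect(events):
    """Return findings as (severity, rule, pid, detail) tuples, in event order."""
    # Map PIDs to images so an injection target PID can be resolved to a name.
    pid_to_image = {e["pid"]: e["image"] for e in events if e["id"] == 1}
    findings = []
    for e in events:
        if e["id"] == 1 and basename(e["image"]) == "mavinject.exe":
            m = INJECT_RE.match(e["cmdline"])
            if not m:
                continue
            target_pid = int(m.group(1))
            dll = m.group(2).strip().strip('"')
            target = basename(pid_to_image.get(target_pid, ""))
            untrusted_dll = not dll.lower().startswith(TRUSTED_DLL_PREFIXES)
            appv_parent = basename(e["parent_image"]) == "appvclient.exe"
            if target == "waitfor.exe" or untrusted_dll or not appv_parent:
                severity = "high" if (target == "waitfor.exe" or untrusted_dll) else "medium"
                findings.append((severity, "mavinject_injectrunning", e["pid"],
                                 f"target={target or target_pid} dll={dll}"))
        elif e["id"] == 3 and basename(e["image"]) == "waitfor.exe":
            if not is_local(e["dest_ip"]):
                findings.append(("high", "waitfor_external_network", e["pid"],
                                 f"{e['dest_ip']}:{e['dest_port']}"))
    return findings


if __name__ == "__main__":
    for severity, rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {rule} pid={pid} {detail}")
```

Run against the constructed records, the script flags the mavinject.exe launch that targets waitfor.exe with a DLL under C:\Users and the waitfor.exe connection to the non-local address, while ignoring the App-V client's own injection and waitfor.exe's local-network traffic. In production the same logic maps onto process-creation (Sysmon Event ID 1 or Windows Security 4688 with command-line logging enabled) and network-connection (Sysmon Event ID 3) telemetry; mavinject.exe should be rare enough in most environments that every /INJECTRUNNING invocation deserves review.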
Security Officer Comments: Trend Micro analysts assess with medium confidence that this malware variant is a custom Mustang Panda tool, citing similarities in functional characteristics and in previously documented packet decryption mechanisms. ESET has publicly challenged these findings, stating that its products have protected against this technique for years and that the reported method does not bypass its defenses; ESET also criticized Trend Micro for not discussing the research with it before publication. ESET further attributes the malware to the China-aligned CeranaKeeper APT group rather than Mustang Panda, and says it has been detecting and blocking the threat since January and reporting on it through its Cyber Threat Intelligence service.
Suggested Corrections: Organizations can make life harder for APT groups. Here's how:
- Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
- Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
- Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
- Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
Link(s):
https://www.bleepingcomputer.com/ne...buse-microsoft-app-v-tool-to-evade-antivirus/
https://www.trendmicro.com/en_us/re...licious-components-to-sidestep-detection.html