February 20, 2025

Chinese hackers abuse Microsoft APP-v tool to evade antivirus – BleepingComputer

Update 2/18/25: Added ESET’s statement to the end of the article.

The Chinese APT group “Mustang Panda” has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN, using it to inject malicious payloads into legitimate processes so that antivirus software does not flag them.

The technique was documented by threat researchers at Trend Micro, who track the group as Earth Preta and report having verified over 200 victims since 2022.

Based on Trend Micro’s visibility, Mustang Panda’s targets include government entities in the Asia-Pacific region. Its primary initial-access method is spear-phishing email that appears to come from government agencies, NGOs, think tanks, or law enforcement.

The group was previously seen attacking governments worldwide using Google Drive for malware distribution, custom evasive backdoors, and a worm-based attack chain.

The emails observed by Trend Micro carry a malicious attachment containing the dropper, IRSetup.exe, a Setup Factory installer. If the victim runs it, it drops multiple files into C:\ProgramData\session, including legitimate files, the malware components, and a decoy PDF that serves as a diversion.

If the malware finds ESET antivirus processes (ekrn.exe or egui.exe) running on the compromised machine, it switches to an evasion path built entirely from tools that ship with Windows 10 and later.

The abuse starts with the Microsoft Application Virtualization Injector (MAVInject.exe), a legitimate Windows system tool that injects code into running processes. It is mainly used by Microsoft’s Application Virtualization (App-V) to run virtualized applications, but developers and admins can also use it to load a DLL inside another process for testing or automation.

In 2022, cybersecurity firm FourCore reported that MAVInject.exe could be abused as a LOLBIN and recommended that the executable be blocked on devices that do not use App-V.

Mustang Panda uses the executable to inject its payload into ‘waitfor.exe,’ a legitimate utility that comes pre-installed on Windows. The legitimate purpose of waitfor.exe is to synchronize processes across multiple machines by waiting for a signal or command before carrying out an action; it is primarily used in batch scripting and automation to delay tasks or to ensure that one process finishes before another starts.

Because waitfor.exe is a trusted system binary, the code injected into it runs under the guise of a normal Windows process, so ESET, and potentially other antivirus tools, did not flag the malware’s execution.

The malware injected into waitfor.exe is a modified version of the TONESHELL backdoor, carried inside a DLL file (EACore.dll). Once running, it connects to its command and control server at militarytc[.]com:443 and sends system information and a victim ID. It also gives the attackers a reverse shell for remote command execution and file operations such as move and delete.

Trend Micro assesses with medium confidence that this variant is a custom Mustang Panda tool, based on its functional characteristics and previously documented packet decryption mechanisms.

Update 2/18/25: ESET disagrees with Trend Micro’s findings, sharing the following statement with BleepingComputer:

“ESET communications teams were made aware of a research blog published by Trend Micro that names ESET ‘antivirus application’ as the target of APT Group Mustang Panda a.k.a. Earth Preta,” ESET told BleepingComputer.

“We disagree with the published findings that this attack ‘effectively bypasses ESET antivirus’. This is not a bypass and we are bemused that Trend Micro did not alert ESET to discuss their findings.”

“The reported technique is not novel and ESET technology has been protecting against it for many years. Regarding this specific sample of malware, ESET had previously published details about it through its premium Cyber Threat Intelligence service and added specific detection since January. We have attributed the threat to the China-aligned CeranaKeeper APT Group. ESET users are protected against this malware and technique.”
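For defenders, the chain described above reduces to a few observable events: MAVInject.exe being launched with an /INJECTRUNNING argument, the target PID resolving to waitfor.exe rather than an App-V container, the DLL living in a user-writable directory such as C:\ProgramData, and a process that should never touch the network opening an outbound connection afterwards. The following is an added example, not code from the article, Trend Micro or ESET, that runs that hunt over constructed, simplified Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records. It assumes the MAVInject command-line form `mavinject.exe <PID> /INJECTRUNNING <path-to-dll>` as documented by the LOLBAS project; the PIDs, the `loader.exe` parent and the waitfor signal names are made up for the sample, while the binaries, DLL name, drop directory and C2 host are those named in the article. The rule set goes slightly beyond the reported case by escalating any process that was an injection target and later opens a network connection, whatever its name.

```python
import re
from pprint import pprint

# Constructed, simplified Sysmon-style telemetry (not real logs from the campaign).
# event_id 1 = process creation, event_id 3 = network connection.
# PIDs, the "loader.exe" parent and the waitfor signal names are made up for the example;
# the binaries, DLL name, drop directory and C2 host are those named in the article.
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 4120, "image": r"C:\Windows\System32\waitfor.exe",
     "command_line": "waitfor.exe sync1",
     "parent_image": r"C:\ProgramData\session\loader.exe"},
    {"event_id": 1, "pid": 4188, "image": r"C:\Windows\System32\mavinject.exe",
     "command_line": r"mavinject.exe 4120 /INJECTRUNNING C:\ProgramData\session\EACore.dll",
     "parent_image": r"C:\ProgramData\session\loader.exe"},
    {"event_id": 3, "pid": 4120, "image": r"C:\Windows\System32\waitfor.exe",
     "dest_host": "militarytc.com", "dest_port": 443},
    # Benign control: waitfor.exe used as intended from a batch job, no injection, no network.
    {"event_id": 1, "pid": 5012, "image": r"C:\Windows\System32\waitfor.exe",
     "command_line": "waitfor.exe /t 30 buildready",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    # Benign control: ordinary outbound HTTPS from a service host.
    {"event_id": 3, "pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "update.microsoft.com", "dest_port": 443},
]

# MAVInject's injection syntax as documented by the LOLBAS project (assumed here):
#   mavinject.exe <PID> /INJECTRUNNING <path-to-dll>
INJECT_RE = re.compile(
    r'mavinject(?:32)?\.exe"?\s+(\d+)\s+/INJECTRUNNING\s+"?([^"\s]+)', re.IGNORECASE)

# LOLBINs with no legitimate reason to open network connections.
NETWORK_QUIET = {"waitfor.exe"}

# Directories a standard user can write to; a DLL injected from here is a strong signal.
WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\")


def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_writable_dir(path):
    """True if the path starts with a user-writable directory prefix."""
    return path.lower().startswith(WRITABLE_PREFIXES)


def hunt(events):
    """Scan chronologically ordered events and return a list of finding dicts.

    Rule 1: every MAVInject /INJECTRUNNING invocation is reported, enriched with the
            resolved target image and whether the DLL sits in a user-writable directory.
    Rule 2: a network connection from a network-quiet LOLBIN, or from any process that
            was earlier an injection target, is reported and marked as injected.
    Assumption: PIDs are not reused within the window of events being scanned.
    """
    pid_image = {}          # pid -> full image path seen at process creation
    injected_pids = set()   # pids that were targets of /INJECTRUNNING
    findings = []
    for ev in events:
        if ev["event_id"] == 1:
            pid_image[ev["pid"]] = ev["image"]
            m = INJECT_RE.search(ev["command_line"])
            if not m:
                continue
            target_pid, dll = int(m.group(1)), m.group(2)
            injected_pids.add(target_pid)
            target = pid_image.get(target_pid)
            findings.append({
                "rule": "mavinject_injectrunning",
                "pid": ev["pid"],
                "parent": image_name(ev["parent_image"]),
                "target_pid": target_pid,
                "target": image_name(target) if target else "<unknown>",
                "dll": dll,
                "dll_in_writable_dir": in_writable_dir(dll),
            })
        elif ev["event_id"] == 3:
            name = image_name(ev["image"])
            was_injected = ev["pid"] in injected_pids
            if name in NETWORK_QUIET or was_injected:
                findings.append({
                    "rule": "lolbin_network",
                    "pid": ev["pid"],
                    "image": name,
                    "dest": f"{ev['dest_host']}:{ev['dest_port']}",
                    "injected": was_injected,
                })
    return findings


if __name__ == "__main__":
    pprint(hunt(SAMPLE_EVENTS))
```

On a fleet that does not use App-V, rule 1 can be treated as a plain block-or-alert on the binary, which is what the FourCore recommendation amounts to; where App-V is in use, the parent image and the DLL location are the fields that separate the App-V client’s own use of the tool from a loader running out of C:\ProgramData. The benign waitfor.exe and svchost.exe records in the sample produce no findings, which is the false-positive check worth keeping when the rules are ported to a SIEM.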

Source: https://www.bleepingcomputer.com/news/security/chinese-hackers-abuse-microsoft-app-v-tool-to-evade-antivirus/
