Chinese nation-state group Mustang Panda is leveraging legitimate Microsoft tools to bypass security defenses, specifically ESET antivirus applications.
Researchers from Trend Micro recently highlighted the novel technique, which aims to maintain control over compromised systems and exfiltrate sensitive data.
Microsoft Application Virtualization Injector (MAVInject.exe) is used to inject Mustang Panda’s payload into waitfor.exe, a Windows utility that sends or waits for signals between networked computers. In this case, it is used to detect ESET tools.
This approach appears to be successful in bypassing ESET antivirus applications.
Mustang Panda also utilizes Setup Factory, an installer builder for Windows software, to drop and execute the payload. This use of legitimate tools helps them avoid detection and maintain persistence in compromised systems.
Mustang Panda, also known as Earth Preta, is an espionage group which primarily targets governments in the Asia Pacific region, including Taiwan, Vietnam and Malaysia. Trend Micro said the group has compromised over 200 victims since 2022.
Its favored initial access technique is phishing.
How the New Mustang Panda Campaign Works
The multi-pronged attack chain starts by using Windows file IRSetup.exe to drop multiple files into the victim’s ProgramData/session directory. These files are a mixture of legitimate executables and malicious components.
One of these files is a decoy PDF designed to target Thailand-based users, which asks for cooperation in creating a whitelist of phone numbers to aid in the development of an anti-crime platform. This is likely to try and distract the victim while the malicious payload is deployed in the background.
This decoy tactic has been previously observed by Mustang Panda.
Another of the dropped files is OriginLegacyCLI.exe, a legitimate Electronic Arts (EA) application. This is used to sideload EACore.dll, a modified variant of the Toneshell backdoor.
EACore.dll contains an export function which checks if either ekrn.exe or egui.exe are running on the machine. These processes are both associated with ESET antivirus applications. If either one is detected, the malware registers EACore.dll using regsvr32.exe to execute the DLLRegisterServer function.
The DLLRegisterServer export then executes the waitfor.exe utility, and MAVInject.exe is used to inject malicious code into it whenever an ESET antivirus application is detected.
MAVInject.exe is capable of proxy execution of malicious code by injecting into a running process as a means of bypassing detection.
The researchers believe the attackers may have tested the technique on machines that used ESET software prior to the campaign.
The Mustang Panda malware also implements an exception handler that executes when ESET applications are not found. In these instances, the malicious code is directly injected into waitfor.exe using WriteProcessMemory and CreateRemoteThreadEx APIs.
This allows the attack to proceed when ESET applications are not present.
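As an added detection example (not Trend Micro's code and not anything taken from the campaign), the following Python correlates constructed process-creation records in the shape of Sysmon Event ID 1 and flags the chain described above: regsvr32.exe registering a DLL from ProgramData, waitfor.exe spawned by regsvr32.exe, and MAVInject.exe whose command line references the PID of a running waitfor.exe. The record field names, PIDs and command lines are assumptions for the sample.

```python
"""Flag the MAVInject.exe -> waitfor.exe proxy-injection chain in process-creation logs."""
import re

# Constructed sample records modelled on Sysmon Event ID 1 (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 900, "image": r"C:\ProgramData\session\OriginLegacyCLI.exe", "cmd": "OriginLegacyCLI.exe"},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\System32\regsvr32.exe", "cmd": r"regsvr32.exe /s C:\ProgramData\session\EACore.dll"},
    {"pid": 4130, "ppid": 4120, "image": r"C:\Windows\System32\waitfor.exe", "cmd": "waitfor.exe signal"},
    {"pid": 4140, "ppid": 4120, "image": r"C:\Windows\System32\MAVInject.exe", "cmd": r"MAVInject.exe 4130 C:\ProgramData\session\EACore.dll"},
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]

# Parent that the article says launches waitfor.exe via the DLLRegisterServer export.
SUSPECT_WAITFOR_PARENTS = {"regsvr32.exe"}


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, related_pid) tuples for every suspicious record."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        if name == "mavinject.exe":
            # Any numeric token in the command line that resolves to a waitfor.exe PID.
            for tok in re.findall(r"\b\d+\b", e["cmd"]):
                target = by_pid.get(int(tok))
                if target and basename(target["image"]) == "waitfor.exe":
                    alerts.append(("mavinject_into_waitfor", e["pid"], target["pid"]))
        if name == "waitfor.exe" and parent_name in SUSPECT_WAITFOR_PARENTS:
            alerts.append(("waitfor_spawned_by_regsvr32", e["pid"], e["ppid"]))
        if name == "regsvr32.exe" and "\\programdata\\" in e["cmd"].lower():
            alerts.append(("regsvr32_dll_from_programdata", e["pid"], e["ppid"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```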