Chinese nation-state group Mustang Panda is leveraging legitimate Microsoft tools to bypass security defenses, specifically ESET antivirus applications.
Researchers from recently Trend Micro highlighted the novel technique, which aims to maintain control over compromised systems to exfiltrate sensitive data.
Microsoft Application Virtualization Injector (MAVInject.exe) is used to inject Mustang Panda’s payload into waitfor.exe. This is a Windows utility that is used to send or wait for signals between networked computers. In this case, it is used to detect ESET tools.
This approach appears to be successful in bypassing ESET antivirus applications.
Mustang Panda also utilizes Setup Factory, an installer builder for Windows software, to drop and execute the payload. This use of legitimate tools helps them avoid detection and maintain persistence in compromised systems.
Mustang Panda, also known as Earth Preta, is an espionage group which primarily targets governments in the Asia Pacific region, including Taiwan, Vietnam and Malaysia. Trend Micro said the group has compromised over 200 victims since 2022.
Its favored initial access technique is phishing.
How the New Mustang Panda Campaign Works
The multi-pronged attack chain starts by using Windows file IRSetup.exe to drop multiple files into the victim’s ProgramData/session directory. These files are a mixture of legitimate executables and malicious components.
One of these files is a decoy PDF designed to target Thailand-based users, which asks for cooperation in creating a whitelist of phone numbers to aid in the development of an anti-crime platform. This is likely to try and distract the victim while the malicious payload is deployed in the background.
This decoy tactic has been previously observed by Mustang Panda.
Another of the dropped files is OriginLegacyCLI.exe, a legitimate Electronic Arts (EA) application. This is used to sideload EACore.dll, a modified variant of the Toneshell backdoor.
EACore.dll contains an export function which checks if either ekrn.exe or egui.exe are running on the machine. These processes are both associated with ESET antivirus applications. If either one is detected, the malware registers EACore.dll using regsvr32.exe to execute the DLLRegisterServer function.
The DLLRegisterServer export then executes the waitfor.exe utility, with MAVInject.exe used to execute malicious code into it whenever an ESET antivirus application detected.
MAVInject.exe is capable of proxy execution of malicious code by injecting to a running process as a means of bypassing detection.
The researchers believe the attackers may have tested the technique on machines that used ESET software prior to the campaign.
The Mustang Panda malware also implements an exception handler that executes when ESET applications are not found. In these instances, the malicious code is directly injected into waitfor.exe using WriteProcessMemory and CreateRemoteThreadEx APIs.
This allows the attack to proceed when ESET applications are not present.
To communicate with the command and control (C2) server, the malware decrypts a shellcode stored in the .data section which contains the functions to send and receive messages with the server.
Attackers Complicate Detection Efforts
The researchers said that the new campaign demonstrates Mustang Panda’s abilities to continuously evolve their evasion techniques.
The use of legitimate Microsoft applications like MAVInject.exe and Setup factory further complicate detection efforts.
“Organizations should be vigilant about enhancing their monitoring capabilities, focusing on identifying unusual activities in legitimate processes and executable files, to stay ahead of the evolving tactics,” the Trend Micro researchers wrote.
Sophos’ December 2024 Active Adversary Report found a 51% increase in threat actors’ abuse of legitimate Microsoft tools to gain stealth on networks. The report noted that system administrators must understand how such tools are used in their environments and what constitutes abuse in order to detect suspicious activity.
Infosecurity reached out to ESET but the firm said it would not be commenting on Trend Micro’s findings.
