BleepingComputer reports that Mustang Panda, a Chinese advanced persistent threat (APT) group also tracked as Earth Preta, has been abusing the Microsoft Application Virtualization Injector (MAVInject.exe) to covertly load malware in attacks against government organizations in the Asia-Pacific region.
According to an analysis from Trend Micro, Mustang Panda opens its intrusions with spear-phishing emails carrying a malicious attachment that drops the malware components alongside legitimate files and a PDF lure. The attackers then abuse MAVInject.exe as a LOLBIN to inject their payloads, including an updated TONESHELL backdoor, into the running Windows utility waitfor.exe, a step Trend Micro says is taken to evade ESET antivirus products. ESET has rejected the suggestion that its products were bypassed and said it was puzzled that Trend Micro had not discussed the findings with it. "The reported technique is not novel and ESET technology has been protecting against it for many years," the firm said, adding that it associates the activity with the Chinese APT group CeranaKeeper.
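As an added example (not code from the report, Trend Micro or ESET), the following Python flags the injection step described above in Sysmon-style process-creation telemetry: it parses the documented `mavinject.exe <PID> /INJECTRUNNING <DLL>` command line, resolves the target PID to the process that received the DLL, and ranks the hit higher when that host is a bare Windows utility such as waitfor.exe or the DLL sits in a user-writable directory. The event schema, PIDs, paths and file names are constructed assumptions for illustration.

```python
"""Spot MAVInject.exe /INJECTRUNNING abuse in process-creation telemetry.

Added example, not code from the report or from Trend Micro/ESET. It assumes
Sysmon-style process-creation events (Event ID 1) already flattened to dicts
with ProcessId, Image, CommandLine and ParentImage fields. All events below
are constructed sample data; the paths and names are illustrative only.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# MavInject.exe <PID> /INJECTRUNNING <path-to-DLL>  (documented LOLBAS usage)
INJECT_RE = re.compile(r'\s(\d+)\s+/INJECTRUNNING\s+"?(.+?)"?\s*$', re.IGNORECASE)

# A DLL handed to mavinject from one of these locations is suspicious.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
# A plain Windows utility has no business hosting an App-V DLL.
WINDOWS_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")

SAMPLE_EVENTS: List[Dict] = [
    # constructed: dropper launches waitfor.exe as an injection host
    {"EventID": 1, "ProcessId": 4120,
     "Image": r"C:\Windows\System32\waitfor.exe",
     "CommandLine": "waitfor.exe constructed_signal",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\dropper.exe"},
    # constructed: the dropper then injects a DLL from Temp into that PID
    {"EventID": 1, "ProcessId": 4188,
     "Image": r"C:\Windows\System32\mavinject.exe",
     "CommandLine": r'C:\Windows\System32\mavinject.exe 4120 /INJECTRUNNING "C:\Users\victim\AppData\Local\Temp\payload.dll"',
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\dropper.exe"},
    # constructed: benign-looking App-V style use against a vendor application
    {"EventID": 1, "ProcessId": 5500,
     "Image": r"C:\Program Files\Contoso\VirtApp.exe",
     "CommandLine": "VirtApp.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 5512,
     "Image": r"C:\Windows\System32\mavinject.exe",
     "CommandLine": r'mavinject.exe 5500 /INJECTRUNNING "C:\Program Files\Contoso\virt_hook.dll"',
     "ParentImage": r"C:\Program Files\Contoso\Launcher.exe"},
    # unrelated noise that must not match
    {"EventID": 1, "ProcessId": 6000, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]


@dataclass
class Finding:
    injector_pid: int
    target_pid: int
    target_image: Optional[str]  # None if the target's start was never seen
    dll_path: str
    severity: str


def classify(target_image: Optional[str], dll_path: str) -> str:
    """Rank an injection: into a Windows utility, or of a DLL from a
    user-writable path, is high; an unresolved target is medium; anything
    else is low and should be baselined against legitimate App-V activity."""
    dll = dll_path.lower()
    tgt = (target_image or "").lower()
    if any(d in tgt for d in WINDOWS_DIRS) or any(u in dll for u in USER_WRITABLE):
        return "high"
    if target_image is None:
        return "medium"
    return "low"


def detect_mavinject_injection(events: Iterable[Dict]) -> List[Finding]:
    """Return one Finding per mavinject.exe /INJECTRUNNING invocation,
    resolving the target PID against process-creation events in the batch.
    PID reuse within a batch is not handled; the last creation wins."""
    events = list(events)
    by_pid = {e["ProcessId"]: e for e in events if e.get("EventID") == 1}
    findings: List[Finding] = []
    for e in events:
        if e.get("EventID") != 1 or not e["Image"].lower().endswith("mavinject.exe"):
            continue
        m = INJECT_RE.search(e["CommandLine"])
        if not m:
            continue
        target_pid, dll_path = int(m.group(1)), m.group(2)
        target = by_pid.get(target_pid)
        target_image = target["Image"] if target else None
        findings.append(Finding(e["ProcessId"], target_pid, target_image,
                                dll_path, classify(target_image, dll_path)))
    return findings


if __name__ == "__main__":
    for f in detect_mavinject_injection(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid {f.injector_pid} injected {f.dll_path} "
              f"into pid {f.target_pid} ({f.target_image})")
```

Legitimate App-V deployments and Office Click-to-Run also invoke mavinject.exe, so alert on the high-severity combination (Windows utility as host, or DLL from a user-writable path) rather than on every invocation, and baseline the low-severity hits in your own environment before tuning further.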