Chinese state actor threats known as Mustang Panda It has been noted that a new technique is used to eliminate and maintain control of infected systems.
This involves the use of legitimate Microsoft Windows Utilities called Microsoft Application Virtualization Injector (Mavinject.exe) to introduce a harmful useful load of the actor into external process, waitfor.exe, every time the use of the ESET anti -virus is discovered – Note In a new analysis.
“The attack includes a refusal of several files, including legitimate executable files and malicious components, as well as deploying PDF baits to distract the victim,” said security researchers Natanie Morales and Nick.
“In addition, Earth Preta uses installation, Windows software builder to reset and perform a useful load; this allows them to avoid the detection and preservation of sustainability in compromised systems.”
The starting point of the sequence of the attack is the executable file (“Irsetup.exe”), which serves as a dropper for multiple files, including the bait document designed to orient users based on Thailand. This hints at the likelihood that the attacks may have been linked to the use of phisching sheets to nominate victims.
Then the binary reception before the legitimate application of Electronic Arts (“EA) Tone The back is attributed to the hacking crew.
Core. Then use “Mavinject.exe” to run malicious software without tagging it.
“Mavinject.exe, which is capable of proxy -recovery by introducing the process of launching as a means of bypassing ESET detection, is used to introduce malicious code,” the researchers explained. “It is possible that Earth Preta used Mavinject.exe after checking their attack on machines that used ESET software.”
The malicious software ultimately deciphered the built -in Shellcode, which allows it to install connections with a remote server (“www.militarytc (.) Com: 443”) to obtain commands to install a backbone, file movement and deleting files.
“Earth’s malicious software, Backdoor Toneshell option, uploaded by the legal electronic art and communicate with the team server and control for data exports,” the researchers said.
