
Chinese Hackers Exploit MAVInject.exe to Evade Detection in Targeted Cyber Attacks

Wednesday, 19 February 2025

This involves the use of a legitimate Microsoft Windows utility called Microsoft Application Virtualization Injector (MAVInject.exe) to inject the threat actor's malicious payload into an external process, waitfor.exe, whenever an ESET antivirus application is detected running, Trend Micro said in a new analysis.

"The attack involves dropping multiple files, including legitimate executables and malicious components, and deploying a decoy PDF to distract the victim," security researchers Nathaniel Morales and Nick Dai noted.

"Additionally, Earth Preta utilizes Setup Factory, an installer builder for Windows software, to drop and execute the payload; this enables them to evade detection and maintain persistence in compromised systems."

The starting point of the attack sequence is an executable ("IRSetup.exe") that serves as a dropper for several files, including the lure document that's designed to target Thailand-based users. This alludes to the possibility that the attacks may have involved the use of spear-phishing emails to single out victims.


The binary then proceeds to execute a legitimate Electronic Arts (EA) application ("OriginLegacyCLI.exe") to sideload a rogue DLL named "EACore.dll" that's a modified version of the TONESHELL backdoor attributed to the hacking crew.

Core to the malware's function is a check to determine whether either of two processes associated with ESET antivirus products -- "ekrn.exe" or "egui.exe" -- is running on the compromised host; if so, it executes "waitfor.exe" and then uses "MAVInject.exe" to run the malware without being flagged by the security software.

"Waitfor.exe" is a native Windows utility that takes care of synchronizing processes between one or more networked machines by sending or waiting for a signal or command.

"MAVInject.exe, which is capable of proxy execution of malicious code by injecting to a running process as a means of bypassing ESET detection, is then used to inject the malicious code into it," the researchers explained. "It is possible that Earth Preta used MAVInject.exe after testing the execution of their attack on machines that used ESET software."

The malware ultimately decrypts the embedded shellcode that allows it to establish connections with a remote server ("www.militarytc[.]com:443") to receive commands for establishing a reverse shell, moving files, and deleting files.
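The chain described above (a sideloaded "OriginLegacyCLI.exe" starting "waitfor.exe", then "MAVInject.exe" injecting into it) leaves a recognisable trace in process-creation telemetry. The following is an added detection example, not code from the article or from Trend Micro or ESET: it runs two rules over constructed, Sysmon-style process-creation records. Rule one correlates a MAVInject.exe launch with the process it targets by PID and fires when that process is waitfor.exe; rule two fires when waitfor.exe or MAVInject.exe is spawned by the sideload host named on the page. The record shape, the sample events and the assumption that MAVInject's first numeric argument is the target PID are all mine.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    """Simplified process-creation record (Sysmon Event ID 1 shape, constructed)."""
    pid: int
    image: str
    command_line: str
    parent_image: str


def basename(path: str) -> str:
    """Case-folded file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# Parent named on the page as the sideload host: a game-launcher CLI has no
# legitimate reason to start either the injector or waitfor.exe.
SUSPICIOUS_PARENTS = {"originlegacycli.exe"}

INJECTOR = "mavinject.exe"   # proxy-execution utility described in the article
HOST = "waitfor.exe"         # process the article says the payload is injected into


def target_pid(command_line: str) -> Optional[int]:
    """Assumption: the first stand-alone integer argument after the image name
    is the PID MAVInject.exe was asked to inject into."""
    for tok in command_line.split()[1:]:
        if tok.isdigit():
            return int(tok)
    return None


def detect(events: List[ProcEvent]) -> List[Tuple[str, str, int]]:
    """Return (severity, rule, pid) hits, in event order."""
    by_pid = {e.pid: e for e in events}
    hits: List[Tuple[str, str, int]] = []
    for e in events:
        img = basename(e.image)
        parent = basename(e.parent_image)
        if img == INJECTOR:
            # Resolve the injection target; only alert when it is waitfor.exe.
            target = by_pid.get(target_pid(e.command_line) or -1)
            if target is not None and basename(target.image) == HOST:
                hits.append(("high", "mavinject_into_waitfor", e.pid))
        if img in (INJECTOR, HOST) and parent in SUSPICIOUS_PARENTS:
            hits.append(("medium", "launched_by_sideload_host", e.pid))
    return hits


# Constructed sample telemetry: two benign uses, then the chain from the article.
SAMPLE_EVENTS = [
    ProcEvent(1000, r"C:\Windows\System32\cmd.exe", "cmd.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(1100, r"C:\Windows\System32\waitfor.exe", "waitfor.exe /t 30 build_done",
              r"C:\Windows\System32\cmd.exe"),
    # Legitimate App-V use of the injector; target PID 2048 is not waitfor.exe here.
    ProcEvent(1200, r"C:\Windows\System32\MAVInject.exe",
              r"MAVInject.exe 2048 /INJECTRUNNING C:\ProgramData\AppV\hook.dll",
              r"C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe"),
    ProcEvent(2000, r"C:\Users\Public\OriginLegacyCLI.exe", "OriginLegacyCLI.exe",
              r"C:\Users\Public\IRSetup.exe"),
    ProcEvent(2100, r"C:\Windows\System32\waitfor.exe", "waitfor.exe /t 600 sync",
              r"C:\Users\Public\OriginLegacyCLI.exe"),
    ProcEvent(2200, r"C:\Windows\System32\MAVInject.exe",
              r"MAVInject.exe 2100 /INJECTRUNNING C:\Users\Public\EACore.dll",
              r"C:\Users\Public\OriginLegacyCLI.exe"),
]


if __name__ == "__main__":
    for severity, rule, pid in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: pid {pid}")
```

The PID correlation is what separates the page's technique from routine App-V activity: MAVInject.exe itself is signed and legitimate, so alerting on its mere presence produces noise, whereas an injection whose target is waitfor.exe, or an injector spawned by an unrelated user-land binary, is worth an analyst's time.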

"Earth Preta's malware, a variant of the TONESHELL backdoor, is sideloaded with a legitimate Electronic Arts application and communicates with a command-and-control server for data exfiltration," the researchers said.

Update

Following the publication of the story, ESET shared the following statement with The Hacker News:

At 15:30 CET, February 18, 2025, ESET communications teams were made aware of a research blog published by Trend Micro that names ESET "antivirus application" as the target of APT Group Mustang Panda a.k.a. Earth Preta.


We disagree with the published findings that this attack "effectively bypasses ESET antivirus". This is not a bypass and we are bemused that Trend Micro did not alert ESET to discuss their findings.


The reported technique is not novel and ESET technology has been protecting against it for many years. Regarding this specific sample of malware, ESET had previously published details about it through its premium Cyber Threat Intelligence service and added specific detection since January. We have attributed the threat to the China-aligned CeranaKeeper APT Group. ESET users are protected against this malware and technique.
