Mustang Panda’s Evasive Malware Tactics: A Deep Dive into New Techniques


In the world of cybersecurity, threat actors are constantly evolving their strategies to evade detection. One such sophisticated group, known as Mustang Panda (tracked by Trend Micro as Earth Preta), has been observed using new methods to maintain control over compromised systems. In a new report, Trend Micro describes how this Chinese state-sponsored group chains legitimate, signed software with its own malicious components to circumvent antivirus defenses and carry out operations without raising alarms. This article examines the group’s latest tactics and the mechanics behind the attack chain.

The Attack:


The attackers deploy a mix of legitimate executables and malicious components, together with a decoy PDF that occupies the victim while the real payload runs. The dropper itself was built with Setup Factory, a legitimate software installer builder, so the initial stage looks like an ordinary application installer rather than custom packer output, which helps it pass initial scrutiny and get its files onto disk.

The chain starts with an executable called IRSetup.exe, which acts as a dropper for several files. Among them is a lure document aimed at Thai users, which suggests the dropper was delivered by spear-phishing emails targeting specific victims.

Next, the dropper launches a legitimate Electronic Arts (EA) binary, OriginLegacyCLI.exe, which side-loads a rogue DLL named EACore.dll, a modified variant of the TONESHELL backdoor. Before injecting its payload, the backdoor checks whether processes belonging to ESET antivirus, such as ekrn.exe or egui.exe, are running on the host. If they are, it invokes MAVInject.exe, the signed Microsoft Application Virtualization Injector that ships with Windows, to inject the payload into a waitfor.exe process; because a trusted Microsoft binary performs the injection, the activity is less likely to be flagged than a direct injection from an unknown executable. When ESET is not present, the malware injects directly using the usual WriteProcessMemory and CreateRemoteThreadEx API calls.

Once injected, the payload decrypts embedded shellcode and connects to a remote server, www.militarytc[.]com, on port 443. Over this channel the operators obtain a reverse shell, which lets them move, delete, or exfiltrate files from the compromised system.
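Because every stage of this chain runs as a signed or otherwise legitimate program, the practical detection opportunity is in process-creation telemetry rather than file scanning. The following is an added example, not code from Trend Micro or from the original article, that runs two checks over Sysmon-style Event ID 1 records: MAVInject.exe invoked with its /INJECTRUNNING switch (the syntax is mavinject.exe <PID> /INJECTRUNNING <DLL>), and a known side-loading host such as OriginLegacyCLI.exe executing from a user-writable directory. The sample events are constructed for the example, and the assumption that a legitimate copy of the EA binary would not run out of a user profile directory is a heuristic of this example, not something the report states.

```python
"""Process-creation detection logic for the MAVInject / side-loading chain.

Added example, not code from Trend Micro or the original article. Field
names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage). The
sample events below are constructed, not real telemetry.
"""
import json
import ntpath

# Constructed sample telemetry (JSON lines). PIDs and paths are invented.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessId": 3320, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\IRSetup.exe", "CommandLine": "IRSetup.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "ProcessId": 4104, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\OriginLegacyCLI.exe", "CommandLine": "OriginLegacyCLI.exe", "ParentImage": "C:\\Users\\victim\\AppData\\Local\\Temp\\IRSetup.exe"}
{"EventID": 1, "ProcessId": 4512, "Image": "C:\\Windows\\System32\\waitfor.exe", "CommandLine": "waitfor.exe", "ParentImage": "C:\\Users\\victim\\AppData\\Local\\Temp\\OriginLegacyCLI.exe"}
{"EventID": 1, "ProcessId": 4620, "Image": "C:\\Windows\\System32\\mavinject.exe", "CommandLine": "mavinject.exe 4512 /INJECTRUNNING C:\\Users\\victim\\AppData\\Local\\Temp\\EACore.dll", "ParentImage": "C:\\Users\\victim\\AppData\\Local\\Temp\\OriginLegacyCLI.exe"}
{"EventID": 1, "ProcessId": 5001, "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs", "ParentImage": "C:\\Windows\\System32\\services.exe"}
"""

# Binaries the report shows being abused as DLL side-loading hosts.
# Assumption (heuristic of this example): a legitimate install lives under
# Program Files, so a copy running from a user-writable path is suspicious.
SIDELOAD_HOSTS = {"originlegacycli.exe"}
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, regardless of host OS."""
    return ntpath.basename(path).lower()


def check_mavinject(ev: dict):
    """Flag MAVInject.exe used with /INJECTRUNNING to inject a DLL into a PID."""
    if basename(ev.get("Image", "")) != "mavinject.exe":
        return None
    cmd = ev.get("CommandLine", "")
    if "/injectrunning" not in cmd.lower():
        return None
    parts = cmd.split()
    # Documented syntax: mavinject.exe <PID> /INJECTRUNNING <DLL path>
    target_pid = next((p for p in parts[1:] if p.isdigit()), None)
    dll = parts[-1] if len(parts) >= 4 else None
    return {
        "rule": "mavinject_injectrunning",
        "severity": "high",
        "pid": ev.get("ProcessId"),
        "target_pid": int(target_pid) if target_pid else None,
        "dll": dll,
        "parent": basename(ev.get("ParentImage", "")),
    }


def check_sideload_host(ev: dict):
    """Flag a known side-loading host started from a user-writable directory."""
    if basename(ev.get("Image", "")) not in SIDELOAD_HOSTS:
        return None
    image = ev.get("Image", "").lower()
    if not any(marker in image for marker in USER_WRITABLE_MARKERS):
        return None
    return {
        "rule": "sideload_host_in_user_dir",
        "severity": "medium",
        "pid": ev.get("ProcessId"),
        "image": ev.get("Image"),
        "parent": basename(ev.get("ParentImage", "")),
    }


def scan(jsonl: str) -> list:
    """Run every check over each process-creation event; return the alerts."""
    alerts = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        if ev.get("EventID") != 1:
            continue
        for check in (check_sideload_host, check_mavinject):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

On the constructed sample the scan raises two alerts: the EA binary running out of the user's Temp directory, and the MAVInject.exe call whose parent is that same binary and whose target PID is the waitfor.exe process it spawned moments earlier. Correlating the two on the parent process is what turns a pair of "trusted binary" events into a side-loading-plus-injection chain.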

What Undercode Says:

The tactics employed by Mustang Panda underscore the growing sophistication of state-sponsored cyberattacks. The group has clearly invested significant effort in working around endpoint security products, to the point of checking for a specific vendor's processes and switching injection methods accordingly. Using a signed Microsoft binary, MAVInject.exe, to perform the injection on the attacker's behalf is a telling sign of how much modern malware now leans on the host's own trusted tooling.

One key element in this attack sequence is the reliance on legitimate software, which is an effective way of avoiding suspicion. MAVInject.exe and OriginLegacyCLI.exe are both signed binaries from well-known vendors, so signature checks, reputation scoring and application allow-lists treat them as benign. This makes malicious activity far harder to spot, because a defender who looks only for known-bad executables sees trusted software starting other trusted software. The malicious logic lives in the side-loaded EACore.dll and in the injected shellcode, neither of which is the process that security tooling is watching.

The choice of Setup Factory for the dropper reflects the same strategy. Installer builders are legitimate tools used by many developers, so an installer produced with one is unlikely to raise red flags with most antivirus engines on its own. This highlights how threat actors blend their operations into the normal behaviour of a system: a user running an installer that unpacks files and launches a program is exactly what a new software setup looks like.

Another noteworthy aspect of the attack is its targeted nature. The lure PDF and the focus on Thailand-based users point to a well-planned spear-phishing campaign, tailored to its recipients to maximise the chance that someone opens the installer. Spear-phishing remains one of the most effective ways into a network because it relies on human trust rather than on a software vulnerability that could be patched.

The TONESHELL backdoor used in this attack is a particularly dangerous tool. Its primary function is to establish a reverse shell, which gives the attackers interactive control of the infected system. That control lets them exfiltrate data, move files, and delete or modify system information without alerting the victim. The command-and-control server is the hub for coordinating these actions and allows the attackers to retain access to the compromised environment for extended periods.

While MAVInject.exe helps the attackers evade endpoint detection by products such as ESET, the malware's communication with the remote server remains a key indicator of compromise. An outbound connection to www.militarytc[.]com on port 443 from a process tree rooted in a user's temporary directory is visible at the network layer and in process telemetry, whatever the endpoint product concluded. The server carries not just exfiltrated data but also the commands issued to compromised hosts, so it is essential to the attackers' ongoing control and a natural point for defenders to block and hunt on.

In conclusion, the techniques employed by Mustang Panda reflect a broader trend in cyberattacks: the increasing use of legitimate software for malicious purposes. By blending in with trusted processes and tools, these threat actors bypass traditional signature-based detection and sustain long-term access. This underscores the need for security measures that go beyond signatures, such as behavioural analysis of process trees, monitoring for injection-capable system binaries, and anomaly detection on outbound connections. Security researchers and IT professionals must remain vigilant against these evolving threats, as the boundary between legitimate and malicious software continues to blur.

References:

Reported By: https://thehackernews.com/2025/02/chinese-hackers-exploit-mavinjectexe-to.html