AhnLab Security Emergency Response Center (ASEC) has reported on the abuse of a legitimate Microsoft utility, mavinject.exe, by threat actors to inject malicious DLL payloads into legitimate processes. This technique allows attackers to bypass security measures and conceal their malicious activities.
Mavinject.exe is a legitimate command-line utility provided by Microsoft. It is designed to inject Dynamic Link Libraries (DLLs) into specific processes within an Application Virtualization (App-V) environment. This utility has been a default component of Windows operating systems since Windows 10 version 1607 and is a trusted executable file signed by Microsoft. Consequently, many security solutions tend to consider mavinject.exe a safe application.
“Threat actors exploit this vulnerability to inject a malicious DLL payload into a legitimate process using mavinject.exe,” notes ASEC in their detailed breakdown.
Attackers exploit the legitimate functionality of mavinject.exe to inject malicious DLLs into benign processes. The report outlines the following key Windows APIs that mavinject.exe utilizes during this process:
- OpenProcess: Retrieves a handle to the target process.
- VirtualAllocEx: Allocates memory within the target process’s virtual memory space.
- WriteProcessMemory: Writes the DLL path to the allocated memory.
- CreateRemoteThread: Creates a new thread in the target process and calls the LoadLibraryW function to load and execute the malicious DLL.
By using mavinject.exe, attackers can execute their own code inside a trusted process and evade detection.
The ASEC report provides examples of how threat actors have used mavinject.exe in real-world attacks:
- Earth Preta (Mustang Panda): This APT group has been observed using mavinject.exe to inject malicious DLLs, such as a backdoor, into legitimate processes like waitfor.exe.
- Lazarus Group: This threat group has also employed mavinject.exe to inject malicious DLLs into explorer.exe.
In both cases, the attackers leveraged the fact that mavinject.exe is a legitimate Microsoft utility to bypass security solutions and conceal their malicious activities.
The ASEC report suggests the following detection and response measures:
- Detection:
  - Monitor command-line execution of mavinject.exe with specific arguments (/INJECTRUNNING, /HMODULE).
  - Monitor API calls like OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread.
  - Trace the LoadLibraryW call path for anomalies.
- Response:
  - Implement policies to block mavinject.exe execution when the App-V feature is not in use.
  - Establish rules to detect inter-process DLL injection.
  - Regularly check for abnormal DLL loading history in normal processes.
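The first detection measure above (command-line monitoring for mavinject.exe with /INJECTRUNNING or /HMODULE) can be turned into a small triage rule. The following is an added example written for this article, not code from ASEC or from Microsoft. It runs over constructed process-creation records with Sysmon Event ID 1-style field names (Image, CommandLine, ParentImage, ProcessId); the log values, DLL paths and PIDs are made up. It assumes the documented invocation form `mavinject.exe <PID> /INJECTRUNNING <DLL path>`, and it treats AppVClient.exe as the expected benign parent when App-V is actually in use (an assumption to adjust per environment, so those hits are rated medium rather than high).

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Command-line arguments the ASEC report singles out; matched case-insensitively.
SUSPICIOUS_FLAGS = ("/INJECTRUNNING", "/HMODULE")

# Assumed benign parent: the App-V client launches mavinject.exe itself.
# Adjust this allowlist to your environment (assumption, not from the report).
APPV_PARENTS = {"appvclient.exe"}

# Constructed sample telemetry (Sysmon Event ID 1-like records), not real data.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\mavinject.exe",
     "CommandLine": r'"C:\Windows\System32\mavinject.exe" 3528 /INJECTRUNNING C:\Users\Public\update.dll',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 4121, "Image": r"C:\Windows\System32\mavinject.exe",
     "CommandLine": r"mavinject.exe 3528 /HMODULE=0x7ff612340000 C:\Users\Public\update.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 4122, "Image": r"C:\Windows\System32\mavinject.exe",
     "CommandLine": r'mavinject.exe 1200 /INJECTRUNNING "C:\Program Files\Microsoft Application Virtualization\Client\example-appv-hook.dll"',
     "ParentImage": r"C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe"},
    {"ProcessId": 4123, "Image": r"C:\Windows\System32\mavinject.exe",
     "CommandLine": "mavinject.exe /?",          # no injection flag: ignored
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 4124, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt",    # unrelated process: ignored
     "ParentImage": r"C:\Windows\explorer.exe"},
]


@dataclass
class Alert:
    process_id: int
    parent: str
    flag: str
    target_pid: Optional[int]
    dll_path: Optional[str]
    severity: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_mavinject_cmdline(cmdline: str) -> Optional[Tuple[str, Optional[int], Optional[str]]]:
    """Return (flag, target_pid, dll_path), or None when no injection flag is present."""
    flag = None
    for candidate in SUSPICIOUS_FLAGS:
        # Flag must be followed by whitespace, '=' (as in /HMODULE=0x...) or end of line.
        if re.search(re.escape(candidate) + r"(?=[\s=]|$)", cmdline, re.IGNORECASE):
            flag = candidate
            break
    if flag is None:
        return None
    # Tokenise while keeping quoted paths (which may contain spaces) as one token.
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    # The target PID is the first purely numeric token after the executable.
    target_pid = next((int(t) for t in tokens[1:] if t.isdigit()), None)
    dll_path = next((t.strip('"') for t in tokens if t.lower().rstrip('"').endswith(".dll")), None)
    return flag, target_pid, dll_path


def detect_mavinject_abuse(events: Iterable[dict]) -> List[Alert]:
    """Flag every mavinject.exe launch that carries an injection flag."""
    alerts: List[Alert] = []
    for ev in events:
        if _basename(ev.get("Image", "")) != "mavinject.exe":
            continue
        parsed = parse_mavinject_cmdline(ev.get("CommandLine", ""))
        if parsed is None:
            continue
        flag, target_pid, dll_path = parsed
        parent = _basename(ev.get("ParentImage", ""))
        # An App-V client parent is the expected case; anything else is high severity.
        severity = "medium" if parent in APPV_PARENTS else "high"
        alerts.append(Alert(ev["ProcessId"], parent, flag, target_pid, dll_path, severity))
    return alerts


if __name__ == "__main__":
    for alert in detect_mavinject_abuse(SAMPLE_EVENTS):
        print(alert)
```

Pairing the target PID with the process table (to learn that the target was, say, waitfor.exe or explorer.exe, as in the cases the report describes) and correlating with image-load events for the DLL path turns this command-line hit into the "abnormal DLL loading history" check the response section asks for.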