Case of Injection Attack Using Legitimate MS Utility mavinject.exe

Mavinject.exe is a legitimate Microsoft utility that can be exploited by threat actors to inject malicious DLLs into processes, allowing for stealthy control over system behavior. Both the Earth Preta and Lazarus groups have employed this technique to bypass security mechanisms and execute their malicious payloads.

Affected: Windows operating system, security solutions

Key points:

  • Mavinject.exe is a legitimate tool in Windows 10 for injecting DLLs into App-V environments.
  • Threat actors misuse mavinject.exe to execute malicious DLLs while masquerading as trusted applications.
  • Common Windows APIs used by mavinject.exe include OpenProcess, VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread.
  • There are two primary DLL injection methods: /INJECTRUNNING and /HMODULE.
  • The legitimacy of mavinject.exe complicates detection by security systems.
  • Both Earth Preta and Lazarus groups have successfully utilized mavinject.exe in real-world attacks.
  • Detection strategies include monitoring command executions and specific API call patterns.
  • Response measures involve policy adjustments to block mavinject.exe when not necessary.
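The detection strategy in the last two points can be expressed as a small rule over process-creation telemetry. The following Python is an added example, not code from the original article or from AhnLab: it flags any launch of mavinject.exe whose command line carries one of the two injection switches named above, and raises the severity when the parent process is not the App-V client. The expected parent name (AppVClient.exe), the log record layout and all sample paths are assumptions constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Assumption for this example: in a normal App-V deployment mavinject.exe is
# launched by the App-V client process. The name below is NOT from the page.
EXPECTED_PARENT = "appvclient.exe"

# The two injection switches the page lists.
INJECT_SWITCH_RE = re.compile(r"/(INJECTRUNNING|HMODULE)\b", re.IGNORECASE)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _tokens(cmdline: str) -> list:
    """Split a Windows command line, honouring double-quoted arguments."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def evaluate_event(event: dict):
    """Return a finding for one process-creation record, or None.

    event keys: 'parent' (parent image path), 'image' (image path),
    'cmdline' (full command line).
    """
    if _basename(event["image"]) != "mavinject.exe":
        return None
    switch = INJECT_SWITCH_RE.search(event["cmdline"])
    if not switch:
        return None  # mavinject.exe without an injection switch is out of scope here
    toks = _tokens(event["cmdline"])
    parent = _basename(event["parent"])
    return {
        "switch": switch.group(1).upper(),
        "parent": parent,
        # the first purely numeric argument is the target PID
        "target_pid": next((int(t) for t in toks[1:] if t.isdigit()), None),
        "dll": next((t for t in toks if t.lower().endswith(".dll")), None),
        # an injection switch from outside the App-V client is the strong signal
        "severity": "medium" if parent == EXPECTED_PARENT else "high",
    }


def analyze(events: list) -> list:
    """Run evaluate_event over a batch of records; keep only the findings."""
    return [f for f in (evaluate_event(e) for e in events) if f]


# Constructed sample records (not real telemetry; every path is made up).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe",
     "image": r"C:\Windows\System32\mavinject.exe",
     "cmdline": r'"C:\Windows\System32\mavinject.exe" 1234 /INJECTRUNNING "C:\ProgramData\App-V\pkg\hook.dll"'},
    {"parent": r"C:\Users\Public\loader.exe",
     "image": r"C:\Windows\System32\mavinject.exe",
     "cmdline": r"mavinject.exe 5678 /INJECTRUNNING C:\Users\Public\inject.dll"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c whoami"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\SysWOW64\mavinject.exe",
     "cmdline": r"mavinject.exe 9999 /HMODULE=0x10000000 C:\Temp\x.dll"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The rule keys on the image name, so a renamed copy of the binary would slip past it; where the telemetry source records the PE's original file name (Sysmon's OriginalFileName field, for instance), matching on that field instead is the more robust choice. The medium-severity path exists so that legitimate App-V activity is still logged and can be baselined rather than silently dropped.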

MITRE Techniques:

  • T1218.011 – Signed Binary Proxy Execution: Mavinject.exe is used to execute a malicious DLL, disguising the activity as normal system behavior.
  • T1055 – Process Injection: Mavinject.exe injects a DLL into the target process to execute payloads without triggering security alerts.

Indicators of Compromise:

  • [File] mavinject.exe
  • [File] EACore.dll
  • [File] OriginLegacyCLI.exe
  • [Process] waitfor.exe
  • [Process] explorer.exe

Full Story: https://asec.ahnlab.com/en/87559/