The curious case of mavinject.exe

Written by Hardik Manocha
Co-founder @ FourCore
mavinject process injection

Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V). A signed Microsoft binary that can be abused for proxy execution of malicious DLLs in regular running processes is a defense evasion technique as listed by the MITRE ATT&CK framework. Mavinject is a LOLBIN currently employed by the infamous adversary group Lazarus successfully evades detection by various security products because the execution is masked under a legitimate process.

Mavinject injection to explorer, as captured by Alien Labs
MavInject Injection found in Lazarus Payloads

Originally discovered back in 2017, Mavinject can be used to load any DLL in a running process.

Process Injection using MavInject

Using the following command-line argument, Mavinject can be abused to inject a DLL inside an arbitrary running process:

1MavInject.exe <PID> /INJECTRUNNING <PATH TO DLL>

A signed Windows Binary will take the malicious DLL and inject it in the target process.

Signed Windows Binary
MavInject.exe signed by Microsoft Corp

By providing the process ID (PID) and DLL Path, we can inject into the target process:

Command Line Parameters
Command Line Parameters

The calc.dll is loaded and executed through its ENTRYPOINT inside the memory of our target EXCEL process.

Process Explorer
Calc.dll present in Excel Memory

Alternate Data Streams

The DLL can also be injected while stored as an Alternate Data Stream (ADS) into the target process.

Alternare Data Stream Injection
Injection through DLL stored in ADS

Going a step further: Looking under the hood

When executed with the default argument, mavinject.exe /PID /INJECTRUNNING, it tries to look for the following registry key: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Subsystem which hold the following values:

1ValueName: Modules - ValueData: C:\Windows\System32\AppVEntSubsystems32.dll
2ValueName: Modules64 - ValueData: C:\Windows\System32\AppVEntSubsystems64.dll

And depending on the architecture, it injects one of the DLLs. However, if provided the DLL path as an argument, it will use that DLL for the process injection.

Registry Keys
Default behaviour

According to the analysis by SpecterOps, Mavinject makes use of the following injection-related Windows APIs used commonly by malware:

  • VirtualProtectEx — Changes the protection on a region of committed pages in the virtual address space of a specified process
  • CreateRemoteThread — causes a new thread of execution to begin in the address space of the specified process
  • VirtualAllocEx — Reserves, commits, or changes the state of a region of memory within the virtual address space of a specified process. The function initializes the memory it allocates to zero
  • WriteProcessMemory — copies the data from the specified buffer in the current process to the address range of the specified process

The Injection process follows:

  1. Retrieve the handle of the target Process using OpenProcess WINAPI with the following access: SYNCHRONIZE | PROCESS_QUERY_INFORMATION | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD (Hex: 0x10043A)

  2. Performs a call to VirtualAllocEx WINAPI to allocate a memory region within the target process (provided by PID) context, followed by a call to WriteProcessMemory WINAPI to write the DLL path to the target process.

  3. Performs a call to CreateRemoteThread WINAPI, leading the target process to load the DLL into its memory using the LoadLibraryW WINAPI on the DLL path as mentioned earlier.

Detection and Mitigation

  • mavinject.exe should not run unless APP-v is in use on the workstation
  • Use application control configured to block execution of mavinject.exe if it is not required for a given system or network to prevent potential misuse by adversaries.
  • Adversaries may rename abusable binaries to evade detections, but the argument INJECTRUNNING is required for mavinject.exe to perform Dynamic-link Library Injection and may therefore be monitored to alert malicious activity.
  • Sigma Rules for Process Creation and Command line parameters: proc_inj and proc_create

FourCore ATTACK can simulate various Process Injection and Defensive techniques like MavInject and many others to validate your detections and response capabilities. Get an accurate idea about your security posture by assessing your Prevention, Detection, and Response capabilities on our Platform.

References