The curious case of mavinject.exe
Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V). A signed Microsoft binary that can be abused for proxy execution of malicious DLLs in regular running processes is a defense evasion technique as listed by the MITRE ATT&CK framework. Mavinject is a LOLBIN currently employed by the infamous adversary group Lazarus successfully evades detection by various security products because the execution is masked under a legitimate process.
Originally discovered back in 2017, Mavinject can be used to load any DLL in a running process.
Process Injection using MavInject
Using the following command-line argument, Mavinject can be abused to inject a DLL inside an arbitrary running process:
MavInject.exe <PID> /INJECTRUNNING <PATH TO DLL>
A signed Windows Binary will take the malicious DLL and inject it in the target process.
By providing the process ID (PID) and DLL Path, we can inject into the target process:
calc.dll is loaded and executed through its
ENTRYPOINT inside the memory of our target
Alternate Data Streams
The DLL can also be injected while stored as an Alternate Data Stream (ADS) into the target process.
Going a step further: Looking under the hood
When executed with the default argument,
mavinject.exe /PID /INJECTRUNNING, it tries to look for the following registry key:
which hold the following values:
ValueName: Modules - ValueData: C:\Windows\System32\AppVEntSubsystems32.dll ValueName: Modules64 - ValueData: C:\Windows\System32\AppVEntSubsystems64.dll
And depending on the architecture, it injects one of the DLLs. However, if provided the DLL path as an argument, it will use that DLL for the process injection.
According to the analysis by SpecterOps, Mavinject makes use of the following injection-related Windows APIs used commonly by malware:
- VirtualProtectEx — Changes the protection on a region of committed pages in the virtual address space of a specified process
- CreateRemoteThread — causes a new thread of execution to begin in the address space of the specified process
- VirtualAllocEx — Reserves, commits, or changes the state of a region of memory within the virtual address space of a specified process. The function initializes the memory it allocates to zero
- WriteProcessMemory — copies the data from the specified buffer in the current process to the address range of the specified process
The Injection process follows:
Retrieve the handle of the target Process using OpenProcess WINAPI with the following access: SYNCHRONIZE | PROCESS_QUERY_INFORMATION | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD (Hex: 0x10043A)
Performs a call to VirtualAllocEx WINAPI to allocate a memory region within the target process (provided by PID) context, followed by a call to WriteProcessMemory WINAPI to write the DLL path to the target process.
Performs a call to CreateRemoteThread WINAPI, leading the target process to load the DLL into its memory using the LoadLibraryW WINAPI on the DLL path as mentioned earlier.
Detection and Mitigation
- mavinject.exe should not run unless APP-v is in use on the workstation
- Use application control configured to block execution of mavinject.exe if it is not required for a given system or network to prevent potential misuse by adversaries.
- Adversaries may rename abusable binaries to evade detections, but the argument
INJECTRUNNINGis required for mavinject.exe to perform Dynamic-link Library Injection and may therefore be monitored to alert malicious activity.
- Sigma Rules for Process Creation and Command line parameters: proc_inj and proc_create
FourCore ATTACK can simulate various Process Injection and Defensive techniques like MavInject and many others to validate your detections and response capabilities. Get an accurate idea about your security posture by assessing your Prevention, Detection, and Response capabilities on our Platform.