Cisco Talos Intelligence Group reported Fr. a new offensive campaign from the infamous cyber espionage actor Mustang Pandaalso known as Bronze President, RedDelta, HoneyMyte, TA416 or Red Lich with a special focus on Europe.
WATCH: Mobile security policy (TechRepublic Premium)
Who is the Mustang Panda?
This threat subject is focused on cyber espionage and comes from China. It has targeted companies and organizations around the world since at least 2012, including U.S. organizations. So far, it has been aimed at think tanks, NGOs and government agencies.
In March 2022 ESET has released a report on the Mustang Panda using a previously undocumented version of PlugX, the RAT malware that the threat subject has been using for many years, is spreading through phishing documents related to Ukraine’s war with Russia.
The initial compromise
The TTP of threat subjects (tactics, methods, and procedures) has not actually changed over time and consists of an initial infection caused by underwater phishing, followed by malware and side-by-side deployments.
In this new attack campaign, Mustang Panda sends emails containing PlugX malware (also known as KorPlug) disguised as a report by the Secretary General of the Council of the European Union (Figure A).
The situation between Ukraine and Russia was used by Mustang Panda in February and March 2022. The bait in late February was disguised as a report on the situation along Europe’s borders with Ukraine, and another in March was disguised as a report on the situation at the European border. borders with Belarus.
When it comes to targeting US organizations, Mustang Panda used similar topics of interest, such as “US Assistant Secretary of State’s visit to ASEAN.rar” in December 2021 or “Biden’s attitude to the situation in Myanmar.zip”, according to Talos.
Sent content is an archive file that contains a downloadable program that you receive online:
- Decoy PDF document. The document is of good quality and is intended only to legitimize the opening of the archive and to convey to the user content that does not arouse his suspicions.
- A benign executable file that loads a malicious payload through a file Sideload DLL
- A DLL file is a malicious payload that runs when you run a good-quality executable file.
- The final payload file that is PlugX RAT.
The infection stream consists of several steps after running the first executable file (Figure B).
PlugX RAT, also known as KorPlug, is a Mustang Panda malware. The threat actor has used his various variants for several years along with other threat subjects originating from China. This source code of malware has never been leaked publicly, and it seems to be used only by threat subjects from China.
However, at the end of March 2022, the chain of PlugX infection changed. The downloader now downloads the bait document from one URL and uses a different URL to download the high-quality executable file, DLL file, and final PlugX payload.
More malware infection
Mustang Panda also used a different infection technique, where this time the archive file sent by e-mail contains the executable file along with the accompanying DLL file, which is responsible for decoding the built-in shell code, which in turn loads and executes additional shellcode from IP address C2.
After infection, the implant will collect information from the infected machine and send it in encrypted form to the C2 server:
- Volume serial number
- Computer name
- Username and length
- Host hours
The shellcode then tries to connect to the C2 server to get additional shellcode to be executed on the infected machine.
Another malicious file used by the Mustang Panda is attached locally to the infected computer and listens for any incoming requests from the hard-coded IP address of the C2 server. Any shellcode received from this single IP address will be executed.
Mustang Panda also uses LNK files that contain a command to extract content from itself and execute it as a BAT file (Figure C).
The Mustang Panda also used Meter HTTP reverse payloads to load and execute other payloads.
Finally, at the end of February 2022, Mustang Panda used a previously undisclosed bait on Ukrainian issues entitled “Official statement of the National Security and Defense Council of Ukraine On the implementation of the Defense Plan of Ukraine and the Consolidated Plan of Territorial Defense of Ukraine.exe”, which can be roughly translated as National Security and Defense Council of Ukraine.exe “, reports Talos.
This new infection stream used a reverse shell TCP DLL-based DLL using the legitimate cmd.exe command line executable. The DLL copies itself and the executable file by running it in a folder, and adjusts the security using a scheduled task to ensure that the back shell is run once a minute.
An actor of threat who is constantly evolving
Although the Mustang Panda has for many years actively used PlugX / KorPlug malware through a variety of variants, it has constantly updated and modified intermediate payload deliveries using various staders, scripts, reverse shells, and LNK files.
How to protect yourself from this threat
The methods used by Mustang Panda to establish an initial foothold in the target system always consist of sending emails with deception.
Therefore, it is recommended to apply security measures to all incoming emails that arrive on your company’s mail server:
- Deploy email analysis tools that focus on attachments as well as links in emails.
- Check each attached file for malware. It is recommended that, in addition to the usual detection of malware signatures, include attached files in the sandbox with behavior detection.
- Systematically analyze all archive files sent by e-mail that contain executable files.
Disclosure: I work at Trend Micro, but the opinions expressed in this article belong to me.