Cisco Talos Intelligence Group reported a new assault marketing campaign from the notorious cyberespionage risk actor Mustang Panda, also referred to as Bronze President, RedDelta, HoneyMyte, TA416 or Purple Lich with a specific give attention to Europe.
SEE: Cell system safety coverage (TechRepublic Premium)
Who’s Mustang Panda?
This risk actor focuses on cyberespionage and originates from China. It has focused corporations and organizations worldwide since at the very least 2012, together with American entities. To this point, it has focused suppose tanks, NGOs and governmental entities.
In March 2022, ESET revealed a report about Mustang Panda utilizing a beforehand undocumented PlugX variant, a RAT malware the risk actor has been utilizing for a few years already, unfold by phishing paperwork associated to the battle between Ukraine and Russia.
The preliminary compromise
The risk actors’ TTP (ways, strategies and procedures) has probably not modified over time and consists of an preliminary an infection triggered by spearphishing, adopted by malware deployment and lateral actions.
On this new assault marketing campaign, Mustang Panda sends spearphishing emails containing a PlugX (also referred to as KorPlug) malware variant that disguises itself as a report from the Basic Secretary of the Council of the European Union (Determine A).
The state of affairs between Ukraine and Russia has been utilized by Mustang Panda in February and March 2022. A lure from the top of February was disguised as a state of affairs report alongside European borders with Ukraine, whereas one other one in March was disguised as a state of affairs report alongside European borders with Belarus.
With regards to concentrating on U.S. entities, Mustang Panda used overlapping matters of curiosity like “U.S. Asst Secretary of State Go to to ASEAN Nations.rar” in December 2021, or “Biden’s angle in the direction of the state of affairs in Myanmar.zip” in accordance with Talos.
The spearphishing content material despatched consists of an archive file which accommodates a downloader that fetches on-line:
- A Decoy PDF doc. The doc is benign and is barely there to official the opening of the archive and convey content material to the consumer that won’t increase his or her suspicion.
- A benign executable file that hundreds a malicious payload by way of the DLL sideloading
- A DLL file being the malicious payload triggered when launching the benign executable file.
- The ultimate payload file, which is the PlugX RAT.
The an infection circulate consists of some steps as soon as the primary executable is launched (Determine B).
The PlugX RAT, also referred to as KorPlug, is Mustang Panda’s malware of selection. The risk actor has used completely different variants of it for a number of years, along with different risk actors originating from China. This malwares supply code has by no means leaked publicly, and it appears it’s only utilized by China-originating risk actors.
On the finish of March 2022, the PlugX an infection chain modified although. The downloader now downloads the decoy doc from one URL and makes use of one other URL to obtain the benign executable file, the DLL file and the ultimate PlugX payload.
Extra malware infections
Mustang Panda has additionally used one other infecting method, the place this time an archive file despatched by spearphishing e mail accommodates an executable file along with an accompanying DLL file answerable for decoding an embedded shellcode, which in flip downloads and executes further shellcode from a C2 IP handle.
After an infection is completed, an implant will gather info from the contaminated machine and ship it encrypted to the C2 server:
- Quantity serial quantity
- Pc identify
- Person identify and size
- Hosts uptime
The shellcode then makes an attempt to connect with the C2 server to retrieve further shellcode that can be executed on the contaminated machine.
One other malicious file utilized by Mustang Panda binds itself domestically to the contaminated pc and listens for any incoming requests from a hardcoded C2 server IP handle. Any shellcode obtained from that single IP handle can be executed.
Mustang Panda additionally makes use of LNK information containing a command to extract content material from itself and execute it as a BAT file (Determine C).
Mustang Panda has additionally used Meterpreter reverse-HTTP payloads to obtain and execute different payloads.
Lastly, in late February 2022, Mustang Panda has used a beforehand undisclosed Ukrainian-themed lure entitled “Офіційна заява Апарату РНБО УкраїниПро введення в дію плану оборони України та Зведеного плану територіальної оброни України.exe”, which might be roughly translated to “official assertion from the Nationwide Safety and Protection Council of Ukraine.exe” in accordance with Talos.
This new an infection circulate used a TCP protocol-based reverse shell DLL utilizing the official cmd.exe command-line executable. The DLL copies itself and the executable launching it right into a folder and units up persistence by way of a scheduled activity to make sure the reverse shell runs as soon as a minute.
A always evolving risk actor
Whereas Mustang Panda has made heavy use of the PlugX/KorPlug malware by the years, by completely different variants, it has always up to date and altered the intermediate payload deliveries with completely different stagers, scripts, reverse shells and LNK information.
The way to shield from this risk
The strategies utilized by Mustang Panda to set an preliminary foothold within the focused system at all times encompass sending spearphishing emails.
Due to this fact, it’s suggested to deploy safety measures on all incoming emails hitting your organization’s mail server:
- Deploy e mail evaluation instruments that concentrate on connected information but additionally on hyperlinks inside emails.
- Examine each connected file for malware. It’s suggested to have the connected information run right into a sandbox system with behavioral detection, along with regular malware signature detection.
- Systematically analyze all archive information despatched by e mail which comprise executable information.
Disclosure: I work for Development Micro, however the views expressed on this article are mine.