A cyberespionage group whose targeting has historically been aligned with China’s geopolitical interests has been targeting European and Russian entities using topical spear-phishing lures related to the war in Ukraine.
The group, tracked as Mustang Panda, RedDelta, Bronze President or TA416 by different cybersecurity companies, has been active since at least 2012 and over the years has targeted organizations in EU member states, the United States and Asian countries where China has interests. The targets have included diplomatic entities, think tanks, non-governmental organizations (NGOs), religious organizations, telecommunication companies, and political activists.
The group is known for crafting its phishing lures based on current events that might be of interest to its targets. These have included the COVID-19 pandemic, international summits, and political topics. Recent attack campaigns observed this year by researchers from Cisco Talos and several other security companies used reports from EU institutions about the security situation in Europe both before and after Russia’s invasion of Ukraine.
According to a new report from Cisco Talos, in January the group used a lure document with conclusions from the Council of the European Union on the European security situation. After Russia invaded Ukraine at the end of February, the group switched lures to European Commission reports on the security situation at the border with Ukraine and later Belarus.
The researchers also observed Mustang Panda distributing a malicious file with a Russian name referencing the Blagoveshchensk Border Guard Detachment. Blagoveshchensk is a city near Russia’s border with China and is home to Russia’s 56th Blagoveshchenskiy Red Banner Border Guard Detachment. This lure suggests the group was likely targeting Russian-speaking officials or organizations with knowledge of the country’s military.
How Mustang Panda operates
Mustang Panda’s most used malicious implant is a Trojan program called PlugX, and this continues to be the group’s preferred spying tool. However, the ways in which it has been delivered and loaded on systems have evolved over time.
The attacks observed this year have primarily used a malicious downloader wrapped inside an archive. When unpacked and executed on a system, this downloader drops several components.
First, it opens the legitimate document expected by the target as a decoy. In the background it launches a benign executable whose only goal is to deploy a malicious DLL using DLL sideloading. DLL sideloading, also known as DLL search order hijacking, is a technique that relies on attackers planting a DLL file in a location, and with a specific name, that a legitimate application or service expects to find, so that the application loads it into memory instead of the attacker spawning a new, unknown process that could trigger detection from security products.
The DLL is itself a loader, and its goal is to further decrypt and load the final payload, usually a variant of PlugX, a modular Trojan that can load different plug-ins to extend its functionality. In March, researchers from security firm ESET reported attacks by Mustang Panda using a previously undocumented version of PlugX, also known as Korplug.
However, the Cisco Talos researchers warn that the group does not always deploy PlugX and has instead been seen using other malware stagers, implants such as Meterpreter from the open-source penetration testing framework Metasploit, and even simple reverse shells.
In late February, Mustang Panda used a Ukrainian-themed executable with a name written in Ukrainian that roughly translates to “official statement from the National Security and Defense Council of Ukraine,” the researchers said. “This infection chain consisted of activating a simple, yet new, TCP-based reverse shell using cmd.exe.”
Meterpreter was used by the group as an access mechanism to deploy additional payloads from command-and-control servers between 2019 and late 2021. Starting this year, the group appears to have shifted to using custom stagers in the form of DLLs in some of its campaigns. This was seen in February in an attack against targets in Southeast Asia via a campaign that used a malicious archive file pertaining to the ASEAN Summit as bait.
While the most recent attacks used malicious executables stored inside archives as the first stage, Mustang Panda has also used malicious Word documents (maldocs) in the past that relied on macros to execute a DLL payload and start the infection chain. Those past attacks primarily targeted organizations in Asia.
Mustang Panda is a versatile threat actor
All these techniques are worth mentioning because they showcase the versatility of the group and its ability to customize its delivery mechanisms and implants based on what is likely to be most successful against its intended targets. The group can switch between these different components, shells, stagers and Trojans at any time.
“Over the years, Mustang Panda has evolved their tactics and implants to target a wide range of entities spanning multiple governments in three continents, including the European Union, the U.S., Asia, and pseudo allies such as Russia,” the Cisco Talos researchers said. “By using summit- and conference-themed lures in Asia and Europe, this attacker aims to gain as much long-term access as possible to conduct espionage and information theft.”
Copyright © 2022 IDG Communications, Inc.