Cyberespionage: New Mustang Panda campaign targets Europe

Cisco Talos Intelligence Group reported a new attack campaign from the infamous cyberespionage threat actor Mustang Panda, also known as Bronze President, RedDelta, HoneyMyte, TA416 or Red Lich with a particular focus on Europe.

SEE: Mobile device security policy (TechRepublic Premium)

Who is Mustang Panda?

This threat actor focuses on cyberespionage and originates from China. It has targeted companies and organizations worldwide since at least 2012, including American entities. So far, it has targeted think tanks, NGOs and governmental entities.

In March 2022, ESET published a report about Mustang Panda using a previously undocumented PlugX variant, a RAT malware the threat actor has been using for many years already, spread by phishing documents related to the war between Ukraine and Russia.

The initial compromise

The threat actors’ TTP (tactics, techniques and procedures) has not really changed over time and consists of an initial infection triggered by spearphishing, followed by malware deployment and lateral movements.

In this new attack campaign, Mustang Panda sends spearphishing emails containing a PlugX (also known as KorPlug) malware variant that disguises itself as a report from the General Secretary of the Council of the European Union (Figure A).

Figure A

The situation between Ukraine and Russia has been used by Mustang Panda in February and March 2022. A lure from the end of February was disguised as a situation report along European borders with Ukraine, while another one in March was disguised as a situation report along European borders with Belarus.

When it comes to targeting U.S. entities, Mustang Panda used overlapping topics of interest like “U.S. Asst Secretary of State Visit to ASEAN Countries.rar” in December 2021, or “Biden’s attitude towards the situation in Myanmar.zip” according to Talos.

The spearphishing content sent consists of an archive file which contains a downloader that fetches online:

• A Decoy PDF document. The document is benign and is only there to legitimate the opening of the archive and bring content to the user that will not raise his or her suspicion.
• A benign executable file that loads a malicious payload via the DLL sideloading
• A DLL file being the malicious payload triggered when launching the benign executable file.
• The final payload file, which is the PlugX RAT.

The infection flow consists of a few steps once the first executable is launched (Figure B).

Figure B

PlugX RAT

The PlugX RAT, also known as KorPlug, is Mustang Panda’s malware of choice. The threat actor has used different variants of it for several years, together with other threat actors originating from China. This malwares source code has never leaked publicly, and it seems it is only used by China-originating threat actors.

At the end of March 2022, the PlugX infection chain changed though. The downloader now downloads the decoy document from one URL and uses another URL to download the benign executable file, the DLL file and the final PlugX payload.

More malware infections

Mustang Panda has also used another infecting technique, where this time an archive file sent by spearphishing email contains an executable file together with an accompanying DLL file responsible for decoding an embedded shellcode, which in turn downloads and executes additional shellcode from a C2 IP address.

After infection is done, an implant will collect information from the infected machine and send it encrypted to the C2 server:

• Volume serial number
• Computer name
• User name and length
• Hosts uptime

The shellcode then attempts to connect to the C2 server to retrieve additional shellcode that will be executed on the infected machine.

Another malicious file used by Mustang Panda binds itself locally to the infected computer and listens for any incoming requests from a hardcoded C2 server IP address. Any shellcode received from that single IP address will be executed.

Mustang Panda also makes use of LNK files containing a command to extract content from itself and execute it as a BAT file (Figure C).

Figure C

The BAT file then executes JavaScript code, executed via the legitimate wscript.exe from the computer. That code extracts and launches a DLL-based stager, finalizing the infection and setting up persistence.

Mustang Panda has also used Meterpreter reverse-HTTP payloads to download and execute other payloads.

Finally, in late February 2022, Mustang Panda has used a previously undisclosed Ukrainian-themed lure entitled “Офіційна заява Апарату РНБО України\Про введення в дію плану оборони України та Зведеного плану територіальної оброни України.exe”, which can be roughly translated to “official statement from the National Security and Defense Council of Ukraine.exe” according to Talos.

This new infection flow used a TCP protocol-based reverse shell DLL using the legitimate cmd.exe command-line executable. The DLL copies itself and the executable launching it into a folder and sets up persistence via a scheduled task to ensure the reverse shell runs once a minute.

A constantly evolving threat actor

While Mustang Panda has made heavy use of the PlugX/KorPlug malware through the years, through different variants, it has constantly updated and changed the intermediate payload deliveries with different stagers, scripts, reverse shells and LNK files.

How to protect from this threat

The methods used by Mustang Panda to set an initial foothold in the targeted system always consist of sending spearphishing emails.

Therefore, it is advised to deploy security measures on all incoming emails hitting your company’s mail server:

• Deploy email analysis tools that focus on attached files but also on links inside emails.
• Check every attached file for malware. It is advised to have the attached files run into a sandbox system with behavioral detection, in addition to usual malware signature detection.
• Systematically analyze all archive files sent by email which contain executable files.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.