Chinese APT Hackers “Mustang Panda” Attack Public & Private Sectors Using Weaponized Documents

guest · Oct 8, 2019

Chinese APT Hackers “Mustang Panda” Attack Public & Private Sectors Using Weaponized PDF and Word Documents
October 8, 2019
https://gbhackers.com/chinese-apt-hackers-mustang-panda/

Researchers discovered an ongoing malware campaign that believed to be operating by a Chinese based threat group called “Mustang Panda” that targets public and private sectors around the world.

Threat actors compromising the targeting with the help of weaponized PDF and word documents that drops via spear-phishing email with VBScript embedded in the “.lnk” file.
Different type of decoy documents was used in this campaign for each and every target based on the infection possibilities and compromised the victims to open it using various social engineering techniques.

Researchers uncovered nearly 15 malicious documents that utilized by Mustang Panda in this current ongoing campaign.

“Further analysis of the files led to the identification of other “.lnk” files that were attempting to infect individuals with a Cobalt Strike Beacon (penetration-testing tool) or PlugX (Remote Access Tool (RAT)”
This kind of malicious activity sponsored by China will likely continue as the country expands its efforts for the ongoing Belt and Road Initiative that seeks to invest in infrastructure in over 100 countries, anomali concluded.
Click to expand...

Anomali: China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations

guest · Jul 19, 2020

Chinese state hackers target Hong Kong Catholic Church
EXCLUSIVE: Spear-phishing operation targets members of the Hong Kong Catholic Church
July 15, 2020
https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/

China's government hackers have targeted members of the Hong Kong Catholic Church in a series of spear-phishing operations traced back to May this year.
The spear-phishing campaign fits recent reports that Chinese government hacking groups focusing cyber-espionage efforts on the Hong Kong region after pro-democracy protests begun last year [1, 2].

Based on previous public reporting, Arkbird attributed the malware samples to a group known as Mustang Panda, a Chinese hacking group known for its widespread use of DLL-sideloading (according to Lab52) and its targeting of religious groups, including Catholic organizations (according to Anomali).
Click to expand...

Arkbird says that alongside the legitimate apps and the lure documents, a malicious DLL file is also loaded that installs malware on the victim's computer, using a technique known as DLL-sideloading.
In a phone interview today, Fred Plan, malware analyst at Mandiant Threat Intelligence, part of US cyber-security firm FireEye, said that this particular version of the DLL-sideloading technique has been a staple of Chinese nation-state hacking groups for years.

Plan, who reviewed Arkbird's findings, said the final payload was a malware commonly known as PlugX, a remote access trojan that grants attackers control over infected hosts.
Click to expand...

guest · Nov 23, 2020

TA416 APT Rebounds With New PlugX Malware Variant
November 23, 2020
https://threatpost.com/ta416-apt-plugx-malware-variant/161505/

The TA416 advanced persistent threat (APT) actor is back with a vengeance: After a month of inactivity, the group was spotted launching spear-phishing attacks with a never-before-seen Golang variant of its PlugX malware loader.

TA416, which is also known as “Mustang Panda” and “RedDelta,” was spotted in recent campaigns targeting entities associated with diplomatic relations between the Vatican and the Chinese Communist Party, as well as entities in Myanmar (all of these are previously reported campaigns). The group was also spotted recently targeting organizations conducting diplomacy in Africa.
In further analysis of these attacks, researchers found the group had updated its toolset — specifically, giving its PlugX malware variant a facelift.
Click to expand...

“As this group continues to be publicly reported on by security researchers, they exemplify a persistence in the modification of their toolset to frustrate analysis and evade detection,” said researchers with Proofpoint, in a Monday analysis.
“While baseline changes to their payloads do not greatly increase the difficulty of attributing TA416 campaigns, they do make automated detection and execution of malware components independent from the infection chain more challenging for researchers.”
Click to expand...

Proofpoint: TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader

Continued activity by TA416 demonstrates a persistent adversary making incremental changes to documented toolsets so that they can remain effective in carrying out espionage campaigns against global targets.
Click to expand...

guest · Sep 9, 2022

Chinese APT using PlugX malware on espionage targets
By Alex Scroxton - September 8, 2022

Bronze President, the China-backed advanced persistent threat (APT) group that also goes by the name of Mustang Panda, has been conducting a widespread campaign against targets of interest to Chinese espionage, using documents that spoof official diplomatic notices to lure in their victims.

Observed by the Secureworks Counter Threat Unit (CTU), a series of attacks that unfolded during June and July used a PlugX malware to target the computer systems of government officials in several countries in Europe, the Middle East and South America.

“Several characteristics of this campaign indicate that it was conducted by the likely Chinese government-sponsored Bronze President threat group, including the use of PlugX, file paths and naming schemes previously used by the threat group, the presence of shellcode in executable file headers, and politically themed decoy documents that align with regions where China has interests,” the CTU team said in its write-up.
Click to expand...

In the Bronze President campaign, it arrived at its targets embedded within RAR archive files. Opening this archive on a Windows system with default settings enabled displays a Windows shortcut (LNK) file masquerading as a document.

Alongside this shortcut is a hidden folder containing the malware, which is embedded eight levels deep in a series of hidden folders named with special characters. This tactic is likely a means to try to bypass email-scanning defences that may not look at the whole path when scanning content. In turn, said Secureworks, it suggests the delivery method is phishing emails, as there is no other real benefit to doing this.
Click to expand...

To execute the PlugX malware, the user must click the LNK file, ultimately leading to the loading, decryption and execution of the PlugX payload. During this process, the decoy document – an example of which is shown below – is dropped.

“Bronze President has demonstrated an ability to pivot quickly for new intelligence collection opportunities,” said the Secureworks team. “Organisations in geographic regions of interest to China should closely monitor this group’s activities, especially organisations associated with or operating as government agencies.”
Click to expand...

Secureworks: BRONZE PRESIDENT Targets Government Officials

By Counter Threat Unit Research Team - September 8, 2022
The likely Chinese government-sponsored threat group uses decoy documents and PlugX malware to compromise targets.

In June and July 2022, Secureworks® Counter Threat Unit™ (CTU) researchers identified a PlugX malware campaign targeting computers belonging to government officials of several countries in Europe, the Middle East, and South America. PlugX is modular malware that contacts a command and control (C2) server for tasking and can download additional plugins to enhance its capability beyond basic information gathering.
Click to expand...

Several characteristics of this campaign indicate that it was conducted by the likely Chinese government-sponsored BRONZE PRESIDENT threat group, including the use of PlugX, file paths and naming schemes previously used by the threat group, the presence of shellcode in executable file headers, and politically-themed decoy documents that align with regions where China has interests.
Click to expand...

guest · Nov 19, 2022

Chinese 'Mustang Panda' Hackers Actively Targeting Governments Worldwide
By Ravie Lakshmanan - November 19, 2022

A notorious advanced persistent threat actor known as Mustang Panda has been linked to a spate of spear-phishing attacks targeting government, education, and research sectors across the world.
Click to expand...

The primary targets of the intrusions from May to October 2022 included counties in the Asia Pacific region such as Myanmar, Australia, the Philippines, Japan, and Taiwan, cybersecurity firm Trend Micro said in a Friday report.

Mustang Panda, also called Bronze President, Earth Preta, HoneyMyte, and Red Lich, is a China-based espionage actor believed to be active since at least July 2018. The group is known for its use of malware such as China Chopper and PlugX to collect data from compromised environments.
Click to expand...

The latest findings from Trend Micro show that Mustang Panda continues to evolve its tactics in a strategy to evade detection and adopt infection routines that lead to the deployment of bespoke malware families like TONEINS, TONESHELL, and PUBLOAD.

"Earth Preta abused fake Google accounts to distribute the malware via spear-phishing emails, initially stored in an archive file (such as RAR/ZIP/JAR) and distributed through Google Drive links," researchers Nick Dai, Vickie Su, and Sunny Lu said.
"Earth Preta is a cyber espionage group known to develop their own loaders in combination with existing tools like PlugX and Cobalt Strike for compromise," the researchers concluded.
Click to expand...

Trend Micro: Earth Preta Spear-Phishing Governments Worldwide

By Nick Dai, Vickie Su, Sunny Lu - November 18, 2022
We break down the cyberespionage activities of advanced persistent threat (APT) group Earth Preta, observed in large-scale attack deployments that began in March. We also show the infection routines of the malware families they use to infect multiple sectors worldwide: TONEINS, TONESHELL, and PUBLOAD.

We have been monitoring a wave of spear-phishing attacks targeting the government, academic, foundations, and research sectors around the world. Based on the lure documents we observed in the wild, this is a large-scale cyberespionage campaign that began around March.
Click to expand...

Log in or Sign up

Chinese APT Hackers “Mustang Panda” Attack Public & Private Sectors Using Weaponized Documents

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

Chinese APT Hackers “Mustang Panda” Attack Public & Private Sectors Using Weaponized Documents

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches