
Mustang Panda Cyberespionage Strikes Over 200 Targets

A breakdown of cyberespionage activity by Mustang Panda (aka Earth Preta) reveals that the APT group has targeted over 200 organizations worldwide since 2022. The attacks were carried out by several Mustang Panda subgroups, each using distinct TTPs.

A nexus of coordinated operations

Recently, Trend Micro discovered that the China-based threat group has a centralized development unit that disseminates malware implants and tools to other operational groups. 
  • These operational groups demonstrate a high degree of specialization in their attack techniques as they manage their own methods of entry and privilege escalation.
  • While some operational groups were engaged in stealing intellectual property and sensitive business information, others targeted government and diplomatic entities.
  • There are several instances where victims were compromised by two groups, indicating a possible overlap in objectives, toolsets, and collected materials between these groups. 
  • The targeting overlaps have primarily been observed between groups 724, 1358, and 5171.

The study revealed that the highest numbers of victims are located in Asia (51%), followed by Africa (16.8%), Europe (13.3%), and the Middle East (5.6%).

Targeted sectors

Most of these attacks were aimed at academic institutions, financial services, ore and material refineries, specialized fabrication plants, and energy production and distribution. However, by the end of 2022 the targeting shifted, and organizations in the maritime industry, border control, and immigration were added to the list.

Attack tactics of Group 724
  • The group leverages physical vectors, such as a USB drive, as its entry point into a target’s system.
  • It then uses DLL sideloading via Adobe CEF Helper to establish a persistent foothold in the user’s home directory.
  • The group focuses on organizations in Southeast Asia.

Attack tactics of Group 1358
  • The group sideloads and executes malicious code through Avast’s WSC DLL.
  • PlugX remains the group’s malware of choice, and data is exfiltrated on USB sticks.
  • The group’s victimology is extensive, spanning organizations across many sectors globally.

Attack tactics of Group 5171
  • The group sets itself apart with the traveling laptop attack (a laptop carrying malicious code while in transit).
  • It takes an opportunistic approach rather than concentrating on particular industries.
  • It primarily targets entities in the Middle East and Europe.

Conclusion

Given the scale of Mustang Panda’s cyberespionage operations, defenders need to take proactive steps against this threat. This includes sharing threat intelligence across organizations and correlating it against internal telemetry so that the TTPs described above can be turned into actionable detections.
Publisher: Cyware