Researchers are investigating a campaign targeting Russian officials that points to a Chinese threat actor known as Mustang Panda (aka Bronze President, RedDelta, or TA416).
The activities of Mustang Panda
Secureworks has laid bare details of the ongoing cyberattacks.
- The attackers used phishing lures consisting of English-language documents with a Russian file name, named after a Russian city (Blagoveshchensk) close to the border with China.
- This implies that the targets of this campaign are Russian personnel in that region, and further supports the theory that China is shifting to new intelligence-gathering goals.
- The emails pretend to be sent by the European Union and come with details regarding sanctions against Belarus.
- The attached files are Windows executables designed to look like PDFs.
- When the executable is launched, it retrieves several additional files: a decoy EU document (PDF), a malicious DLL loader, an encrypted PlugX variant (in a DAT file), and a digitally signed EXE file.
Use of PlugX?
- In this campaign, the DLL loader performs DLL search-order hijacking against a legitimately signed executable from Global Graphics Software, a technique Mustang Panda often uses to execute the PlugX payload.
- Additionally, a report for the first quarter of 2022 showed increased Mustang Panda activity using USB drives to spread the PlugX RAT.
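Two of the behaviours described above lend themselves to a simple host-side check: executables dressed up as PDFs (a double extension, or a .pdf name over an MZ header) and the PlugX drop layout of a host EXE sitting next to a loader DLL and an encrypted DAT file. The Python below is an added example, not code from Secureworks or the report; the file names and sample tree are constructed, and the EXE/DLL/DAT co-location rule is a heuristic that does not check the signature itself.

```python
import tempfile
from pathlib import Path

DOC_EXTS = {".pdf", ".doc", ".docx"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE file


def is_pe(path: Path) -> bool:
    """True if the file starts with the Windows PE 'MZ' header."""
    with open(path, "rb") as f:
        return f.read(2) == PE_MAGIC


def masquerading_docs(root: Path) -> list[str]:
    """Flag PE files whose name claims to be a document: either a document
    extension hidden before the real one ('Blagoveshchensk.pdf.exe') or a
    bare '.pdf' name sitting on top of an MZ header."""
    hits = []
    for p in root.rglob("*"):
        if not p.is_file() or not is_pe(p):
            continue
        suffixes = [s.lower() for s in p.suffixes]
        doc_last = bool(suffixes) and suffixes[-1] in DOC_EXTS
        doc_inner = any(s in DOC_EXTS for s in suffixes[:-1])
        if doc_last or doc_inner:
            hits.append(p.name)
    return sorted(hits)


def sideload_triads(root: Path) -> list[str]:
    """Flag directories holding an EXE together with a DLL and a DAT file,
    the drop layout the report describes (signed host, loader, encrypted payload).
    Heuristic only: it does not verify whether the EXE is actually signed."""
    dirs = [root, *(p for p in root.rglob("*") if p.is_dir())]
    flagged = []
    for d in dirs:
        exts = {p.suffix.lower() for p in d.iterdir() if p.is_file()}
        if {".exe", ".dll", ".dat"} <= exts:
            flagged.append(d.name)
    return sorted(flagged)


def build_sample_tree() -> Path:
    """Constructed sample tree: harmless stubs with only the right names and headers."""
    root = Path(tempfile.mkdtemp())
    (root / "Blagoveshchensk.pdf.exe").write_bytes(PE_MAGIC + b"\x90" * 64)
    (root / "notice.pdf").write_bytes(PE_MAGIC + b"\x00" * 64)   # PE hiding behind .pdf
    (root / "sanctions.pdf").write_bytes(b"%PDF-1.4\n%real decoy")  # genuine PDF, not flagged
    drop = root / "drop"
    drop.mkdir()
    (drop / "host.exe").write_bytes(PE_MAGIC + b"\x00" * 64)
    (drop / "loader.dll").write_bytes(PE_MAGIC + b"\x00" * 64)
    (drop / "payload.dat").write_bytes(b"\x13\x37" * 32)
    (drop / "decoy.pdf").write_bytes(b"%PDF-1.4\n")
    return root
```

Running `masquerading_docs` and `sideload_triads` over `build_sample_tree()` flags the two disguised executables and the `drop` directory while leaving the genuine PDFs alone.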
Conclusion
Although Mustang Panda is using the same malware, loader tools, and infrastructure as before, it has still managed to stay stealthy. However, it has started focusing on wider geographical regions, indicating a shift in its ultimate goals. Organizations are therefore advised to proactively use the provided IOCs in their email and network defenses to stay protected against this threat.