One of China's most prolific and well-known state-sponsored threat actors is back on the scene with new self-propagating malware that spreads via USB drives (along with other tools) to advance its cyber-espionage goals of system control and data exfiltration.
Mustang Panda is also using spear-phishing to spread multistage downloaders that deliver malware in its current targeting of various government entities in the Asia-Pacific (APAC) region, Trend Micro researchers revealed in a blog post on Sept. 9.
Using malware-loaded USB drives is a tactic that experienced a revival during and in the wake of the COVID-19 pandemic, and Mustang Panda (aka Camaro Dragon, Bronze President, Luminous Moth, Red Delta, Stately Taurus, and, for Trend Micro, Earth Preta) is known for using it as a primary infection vector. The advanced persistent threat (APT) is mainly in the business of cyber espionage and has been known to collaborate with other Chinese actors on coordinated attacks. In fact, Trend Micro has recently reported a spate of new activity from Chinese threat actors in general, which may or may not be related.
Mustang Panda's Rapid Attacks, Custom Malware
This time around, Mustang Panda is using the vector to deliver malware called PUBLOAD via a self-propagating variant of the worm HIUPAN, as well as other tools such as FDMTP and PTSOCKET to control systems and exfiltrate data. A concurrent spear-phishing campaign by the threat actor is also targeting the same victim demographic, using malicious attachments to distribute backdoors and other malware.
Specific targets in the campaigns include people in various government organizations: military, police departments, foreign affairs and welfare agencies, executive branches, and public education. Victims are often hit by a fast-paced approach that infiltrates their system and steals data before they have a clue as to what is happening, according to Trend Micro.
“Earth Preta's attacks are highly targeted and time-sensitive, often involving rapid deployment and data exfiltration, with a focus on specific countries and sectors within the APAC region,” Trend Micro researchers Lenart Bermejo, Sunny Lu, and Ted Lee wrote in the post.
Evolution of Previous APT Tactics
The new campaigns observed by Trend Micro have two distinct vectors for initial access that show evolution in the group's typical tactics. The first is the deployment of the HIUPAN worm via USB drives to propagate PUBLOAD, which acts as a stager that can download the next-stage payload from a command-and-control (C2) server.
In previous campaigns, Mustang Panda used spear-phishing emails to deliver PUBLOAD, making the use of a self-propagating worm a novel tactic for the group. The ultimate goal of the USB campaign is to deliver end-stage malware to achieve control of a targeted environment for persistent data exfiltration.
“This HIUPAN variant has differences from the previously documented variant, which was used to propagate ACNSHELL, although its main utility within the attack chain remains the same,” the researchers noted in the post.
The version of PUBLOAD used in the new campaigns is similar to ones previously delivered by spear-phishing and documented by Trend Micro. In this case, Mustang Panda is using PUBLOAD to introduce supplemental tools into the targets' environment, such as FDMTP, which serves as a secondary control tool, and PTSOCKET, which is used as an alternative exfiltration option.
Spear-Phishing Delivers Multistage Attack
Separately, a “fast-paced” spear-phishing campaign that researchers observed in June is delivering a chain of malware that ultimately delivers a backdoor called CBROVER, which supports file download and remote shell execution, the researchers said.
Along the way, malicious .url attachments download and execute other malware, including DOWNBAIT, a first-stage downloader that fetches a decoy document and a shellcode component, and PULLBAIT, simple shellcode that downloads and executes CBROVER. Trend Micro also has found evidence of Mustang Panda exploiting Microsoft's cloud services for data exfiltration.
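A defender's triage check for the .url attachment hop described above, added here as an illustration and not code from Trend Micro or the report: it parses Windows Internet Shortcut files and flags any whose target resolves to a remote host (HTTP(S) or a UNC/WebDAV share) rather than a local path, which is what a shortcut that is meant to pull a downloader looks like. The sample shortcuts and the 192.0.2.0/24 address are constructed, not indicators from the report.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample attachments (not IoCs from the report); 192.0.2.10 is a
# documentation-range placeholder and example.invalid is a reserved name.
SAMPLES = {
    "invite.url": "[InternetShortcut]\r\nURL=\\\\192.0.2.10\\share\\Invite.pdf.exe\r\n",
    "site.url": "[InternetShortcut]\r\nURL=https://www.example.invalid/page\r\n",
    "local.url": "[InternetShortcut]\r\nURL=file:///C:/Users/Public/readme.txt\r\n",
}


def parse_internet_shortcut(data: str) -> dict:
    """Parse a Windows .url file (INI syntax) and return the [InternetShortcut] keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: URL, IconFile, WorkingDirectory ...
    cp.read_string(data)
    if not cp.has_section("InternetShortcut"):
        raise ValueError("not an Internet Shortcut: missing [InternetShortcut] section")
    return dict(cp.items("InternetShortcut"))


def classify_target(target: str) -> str:
    """Classify where opening the shortcut would make Windows fetch content from."""
    t = target.strip()
    if t.startswith("\\\\") or t.startswith("//"):
        return "remote-unc"      # UNC path: SMB or the WebDAV mini-redirector
    u = urlparse(t)
    if u.scheme in ("http", "https", "ftp"):
        return "remote-web"
    if u.scheme == "file":
        return "remote-unc" if u.netloc else "local"  # file://host/... is remote
    return "unknown"


def triage(name: str, data: str) -> dict:
    """Return a verdict record for one attachment; 'flag' is True for remote targets."""
    fields = parse_internet_shortcut(data)
    url = fields.get("URL", "")
    verdict = classify_target(url)
    return {"name": name, "url": url, "verdict": verdict,
            "flag": verdict.startswith("remote")}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = triage(name, data)
        print(f"{r['name']:12} {r['verdict']:11} flag={r['flag']}  {r['url']}")
```

In a mail-gateway or sandbox pipeline the same check runs over every extracted .url attachment; a remote target on an attachment that arrived unsolicited is the point at which to block and capture the sample.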
The spear-phishing campaign uses decoy documents related to foreign affairs to lure victims into continuing the attack chain. Countries likely targeted in the attacks include Myanmar, the Philippines, Vietnam, Singapore, Cambodia, and Taiwan, the researchers said.
“The quick turnover of decoy documents and malware samples on the WebDAV server hosted at 16[.]162[.]188[.]93 suggests that Earth Preta is executing highly targeted and time-sensitive operations, focusing on specific countries and industries within the APAC region,” they wrote.
The researchers included a list of indicators of compromise (IoCs) for the attacks in the post and advise “continuous vigilance” and “updated defensive measures” in the face of increasingly sophisticated tactics by Mustang Panda and its cohorts. “Earth Preta has remained highly active in APAC,” they wrote, “and will likely remain active in the foreseeable future.”