Chinese APT ‘Mustang Panda’ Merges Fresh ‘Hodur’ RAT with Complex Anti-Detection!


Mustang Panda’s already sophisticated cyber-espionage campaign has matured even further with the introduction of a brand-new PlugX RAT variant.

The Chinese Advanced Persistent Threat (APT) Mustang Panda (a.k.a. Temp.Hex, HoneyMyte, TA416 or RedDelta) has upgraded its espionage campaign against diplomatic missions, research entities & internet service providers (ISPs) – largely in & around SE Asia.

Norse God

The APT has deployed a brand-new, customised variant of an old but powerful remote-access tool (RAT) called PlugX (aka Korplug), according to researchers from ESET. They named this latest variant “Hodur,” after a blind Norse god known for slaying his thought-to-be-invulnerable half-brother Baldr.

Mustang Panda has developed a complex range of tactics, techniques & procedures (TTPs) to maximise the efficacy of its attacks.

ESET researchers stated, “Every stage of the deployment process uses anti-analysis techniques & control-flow obfuscation.”

Ongoing

The cyber-espionage campaign dates back to at least Aug. 2021 & is still ongoing, according to ESET, & is targeting mainly govts. & NGOs. Most victims are located in East & SE Asia, but there are outliers in Europe (Greece, Cyprus, Russia) & Africa (South Africa, South Sudan).

The attacks begin with social-engineering emails or ‘watering-hole’ attacks, researchers stated.

“The compromise chain includes decoy documents that are frequently updated & relate to events in Europe & the war in Ukraine,” noted the team, in a Wed. posting. “One of the filenames related to this campaign is ‘Situation at the EU borders with Ukraine.exe.’”

Phishing Lures

Other phishing lures mention updated COVID-19 travel restrictions, an approved regional aid map for Greece, & a Regulation of the European Parliament & of the Council.

“The final lure is a real document available on the European Council’s website,” according to ESET. “This shows that the APT group behind this campaign is following current affairs & is able to successfully & swiftly react to them.”

What is Hodur?

Hodur derives from PlugX, a RAT that “allows remote users to perform data theft or take control of the affected systems without permission or authorisation. It can copy, move, rename, execute & delete files; log keystrokes; fingerprint the infected system; & more.”

PlugX is one of the oldest malware families around, having existed in some form or another since 2008, with a rise in popularity in the mid-2010s. Malware of that age is thoroughly familiar to defenders, which is why Mustang Panda has constantly iterated on it.

Just a few weeks ago, researchers from Proofpoint discovered an upgrade “changing its encoding method & expanding its configuration capabilities.”

According to ESET, the new variant “mostly lines up with other Korplug variants, with some additional commands & characteristics.” It for instance closely resembles another Norse-themed variant – Thor – discovered in 2020.

Complex Attack

Hodur itself is not the star of the show: Mustang Panda’s campaign features literally dozens of TTPs designed to establish persistence, collect data & evade defences.

The campaign begins simply, as the group uses current events to phish its targets. For example, last month, Proofpoint discovered it using a NATO diplomat’s email address to send out .ZIP & .EXE files titled “Situation at the EU borders with Ukraine.”

Decrypts & Executes

If a target takes the bait, three components are deployed on the target machine: a legitimate, validly signed executable that is vulnerable to DLL search-order hijacking, a malicious DLL, & an encrypted Hodur file.

“The executable is abused to load the module, which then decrypts & executes the…RAT,” explained researchers. “In some cases, a downloader is used 1st to deploy these files along with a decoy document.”
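As an added illustration (not part of the original article or of ESET’s research), the check below flags the side-loading layout just described, a signed executable loading a DLL from its own directory, over a few constructed image-load records; the paths, DLL names and signature flags are invented examples, not indicators from the campaign.

```python
from pathlib import PureWindowsPath

# Constructed sample records modelled loosely on Sysmon "image loaded"
# events (loading process, DLL path, signature status). The values are
# illustrative only, not indicators from the ESET report.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\crypt32.dll",
     "image_signed": True, "loaded_signed": True},
    {"image": r"C:\Users\alice\AppData\Roaming\Vendor\Updater.exe",
     "loaded": r"C:\Users\alice\AppData\Roaming\Vendor\VERSION.dll",
     "image_signed": True, "loaded_signed": False},
    {"image": r"C:\Program Files\Vendor\app.exe",
     "loaded": r"C:\Program Files\Vendor\helper.dll",
     "image_signed": True, "loaded_signed": True},
]

SYSTEM_DIRS = {PureWindowsPath(r"C:\Windows\System32"),
               PureWindowsPath(r"C:\Windows\SysWOW64")}
# DLLs that Windows normally resolves from System32; a copy sitting next to
# the executable is the classic search-order-hijacking layout.
KNOWN_SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "cryptbase.dll",
                     "userenv.dll", "winmm.dll"}


def sideload_reasons(event):
    """Return the reasons (possibly none) an image-load event looks like
    DLL side-loading: a host executable loading a DLL from its own
    non-system directory that is unsigned or shadows a system DLL name."""
    image = PureWindowsPath(event["image"])
    loaded = PureWindowsPath(event["loaded"])
    reasons = []
    # PureWindowsPath compares case-insensitively, matching NTFS behaviour.
    if loaded.parent != image.parent or loaded.parent in SYSTEM_DIRS:
        return reasons
    if event["image_signed"] and not event["loaded_signed"]:
        reasons.append("signed executable loaded an unsigned DLL from its own directory")
    if loaded.name.lower() in KNOWN_SYSTEM_DLLS:
        reasons.append(f"{loaded.name} resolved beside the executable instead of System32")
    return reasons


def scan(events):
    """Map each flagged DLL path to the list of reasons it was flagged."""
    return {ev["loaded"]: r for ev in events if (r := sideload_reasons(ev))}


if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(reasons))
```

Signature status comes from the event source here; in production the same logic would sit on top of whatever telemetry records Authenticode results for loaded images.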

Poison Ivy

Mustang Panda’s campaigns then frequently use custom loaders for shared malware including Cobalt Strike, Poison Ivy, & now, Hodur. Then things get interesting. ESET analysts totalled 44 MITRE ATT&CK techniques deployed in this campaign.

Most interesting are the 13 different methods of hiding or otherwise evading cyber-security tools & detection.

For example, the ESET blog noted that “directories created during the installation process are set as hidden system directories,” & “file & directory names match expected values for the legitimate app that is abused by the loader.”

The malware also blends in with normal activity because “scheduled tasks created for persistence use legitimate-looking names,” & “when writing to a file, Korplug sets the file’s timestamps to their previous values.”

Who’s Behind Mustang Panda?

Cyber-security analysts have been tracking Mustang Panda since 2017, when it 1st started using Mongolian-themed phishing tactics to conduct espionage on targets in SE Asia. There is much we do not know about the group.

The depth & complexity of their TTPs put Mustang Panda more in the company of state-sponsored groups than criminal ones. So “it is possible, though unproven, that they are state-sponsored or at least state-sanctioned,” wrote Mike Parkin, Senior Technical Engineer at Vulcan Cyber.

SE Asia

Historically, the group has kept to SE Asia, with 1 notable exception – the Vatican – in 2020. The vast majority of targets in ongoing campaigns have, indeed, been located in Mongolia & Vietnam, followed closely by Myanmar. But the list also includes selected entities in Europe & Africa, which muddles the picture somewhat.
