The Chinese espionage-focused APT tracked as Mustang Panda has used an updated backdoor and several new tools in a recent attack, cybersecurity firm Zscaler reports.
Active for over a decade, the state-sponsored hacking group, also tracked as Basin, Bronze President, Earth Preta, and Red Delta, is known for targeting government and military entities, as well as NGOs and minority groups, mainly in East Asia, but also in Europe.
The threat actor has been observed using Windows zero-days in attacks, and is believed to have infected over 4,000 computers in the US with the PlugX RAT. In January, the FBI and French law enforcement used the malware’s self-delete mechanism to erase it from the infected machines.
As part of a recently observed attack against an organization in Myanmar, Mustang Panda deployed an updated version of their ToneShell backdoor, along with a new tool dubbed StarProxy, the Paklog and Corklog keyloggers, and the SplatCloak EDR evasion driver.
The APT is relying on DLL sideloading to execute its malicious payloads and evade detection, deploying all tools as libraries within archives that also contain a vulnerable executable to load them, Zscaler notes.
ToneShell, one of the most frequently used tools in Mustang Panda’s arsenal, is a second-stage backdoor that supports file manipulation and the execution of additional payloads.
Three new variants of the backdoor, identified on a staging server and through a third-party malware repository, mainly focus on payload execution and feature an updated FakeTLS command-and-control (C&C) communication protocol to evade network-based detection.
StarProxy, a new Mustang Panda tool used for lateral movement, was designed to proxy traffic between infected hosts and a C&C server, using TCP sockets over the FakeTLS protocol.
“Given the features of the malware, and the use of command-line arguments, Mustang Panda likely uses StarProxy as a post-compromise tool to access systems that are not reachable directly over the Internet,” Zscaler notes.
The Paklog keylogger relies on high-level Windows APIs for log keystrokes and monitor the clipboard. The collected information is stored locally, as the keylogger lacks exfiltration capabilities, Zscaler explains in a technical blog post.
The Corklog keylogger stores harvested data in an encrypted file and establishes persistence by creating services or scheduled tasks on the system.
Deployed using the SplatDropper utility, the SplatCloak driver was designed to identify and disable Windows Defender and Kaspersky security software. It can also remove notification hooks and callbacks associated with these defense products, and dynamically resolves Windows API functions.
“Tool overlap—particularly the inclusion of ToneShell—strongly links Mustang Panda to this activity. Additionally, technical overlaps in newly discovered tools align with prior Mustang Panda malware, including techniques such as control flow flattening, mixed boolean arithmetic, and RC4 encryption, which are hallmark features of Mustang Panda’s customized PlugX variant,” Zscaler notes.
Related: Chinese Cyberspy Possibly Launching Ransomware Attacks as Side Job
Related: Cyber Assault on Asian Telecoms Traced to Chinese State Hackers
Related: Chinese Cyberspies Targeting ASEAN Entities
Related: Over 200 Organizations Targeted in Chinese Cyberespionage Campaign