During a dramatic naval buildup in the South China Sea this summer, a Chinese state-linked advanced persistent threat (APT) managed to compromise an entity within the Philippine government using a remarkably simple sideloading technique.
The culprit, Mustang Panda — known variously as Bronze President, Camaro Dragon, Earth Preta, Luminous Moth, Red Delta, and tracked by Palo Alto Networks' Unit 42 as Stately Taurus — has spied on high-profile government and government-adjacent organizations over the Internet since at least 2012.
In one recent case, outlined by Unit 42 on Nov. 17, the group carried out three similar campaigns against South Pacific organizations, including one that led to a successful five-day compromise of the Philippine government organization.
Mustang Panda's Simple TTPs
Beginning in early August, when the Chinese coast guard blocked and fired water cannons at Philippine supply ships, the two South Pacific nations engaged in a months-long, increasingly serious drama of the kind often seen in the South China Sea.
During the naval tête-à-tête, it seems, China's hackers were simultaneously attacking Philippine organizations in cyberspace.
During the first half of the month, China's Mustang Panda carried out three attacks in the South Pacific which, apart from a few minor variations, followed largely the same playbook.
Each began with a ZIP file. "We sometimes see actors host their malicious files with cloud storage providers and then entice victims to click a link, typically to a trusted storage platform in a phishing email to download the files," notes Pete Renals, senior manager at Unit 42 at Palo Alto Networks. For example, "for the first campaign, the files were found to be hosted on Google Drive for download."
The malware package would be given a legitimate-sounding name, like "NUG's Foreign Policy Strategy.zip." Once extracted, it would reveal only one EXE file with a similarly legitimate-sounding name like "Labour Statement.exe."
The file would be nothing more than a renamed copy of Solid PDF Creator, a legitimate tool for converting documents to PDFs. The trick was that launching the app would sideload a second file — a dynamic link library (DLL), hidden in the original ZIP. The DLL would give the attackers a foothold from which they could establish command-and-control (C2).
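The lure layout described above (one visible EXE, a DLL carrying the hidden attribute beside it in the archive) can be triaged before extraction by reading the MS-DOS attribute bits ZIP entries store. The following is an added example written for this page, not code from Unit 42 or the article; the archive contents, the folder and file names, and the "hidden DLL next to an EXE" heuristic are constructed assumptions.

```python
import io
import zipfile
from dataclasses import dataclass, field

# MS-DOS attribute bits live in the low byte of ZipInfo.external_attr
DOS_HIDDEN = 0x02
DOS_SYSTEM = 0x04


@dataclass
class SideloadFinding:
    exe: str
    hidden_dlls: list = field(default_factory=list)
    visible_dlls: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # An EXE with hidden DLLs in the same folder matches the lure layout.
        return bool(self.hidden_dlls)


def _is_hidden(info: zipfile.ZipInfo) -> bool:
    """True if the entry carries the MS-DOS hidden or system attribute."""
    return bool((info.external_attr & 0xFF) & (DOS_HIDDEN | DOS_SYSTEM))


def _folder(name: str) -> str:
    return name.rsplit("/", 1)[0] if "/" in name else ""


def scan_zip(data: bytes) -> list:
    """One finding per EXE, listing DLLs that sit in the same archive folder."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        dlls = [i for i in infos if i.filename.lower().endswith(".dll")]
        for exe in (i for i in infos if i.filename.lower().endswith(".exe")):
            f = SideloadFinding(exe=exe.filename)
            for dll in dlls:
                if _folder(dll.filename) == _folder(exe.filename):
                    (f.hidden_dlls if _is_hidden(dll) else f.visible_dlls).append(dll.filename)
            findings.append(f)
    return findings


def build_sample_zip(hide_dll: bool = True) -> bytes:
    """Constructed sample archive (placeholder bytes, not a real binary or payload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Policy Brief/Statement.exe", b"MZ placeholder")
        dll = zipfile.ZipInfo("Policy Brief/helper.dll")
        if hide_dll:
            dll.external_attr |= DOS_HIDDEN  # Explorer hides this entry after extraction
        zf.writestr(dll, b"MZ placeholder")
    return buf.getvalue()
```

Run `scan_zip` over attachments pulled from mail or cloud-download logs; a finding with `suspicious` set is worth a detonation or a signature check on the EXE, since a legitimately signed binary is exactly what this technique relies on.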
Dealing With Mustang Panda
Throughout the month of August, Mustang Panda carried out its espionage from one of its known IP addresses based in Malaysia. It thinly attempted to mask its malicious traffic by mimicking a Microsoft domain, "wcpstatic.microsoft[.]com."
Several such malicious communications were sent between the IP address in question and the Philippine government entity during the period of Aug. 10-15. The specific data that may have been transferred in that period, or in any related August attack, remains unknown.
While Mustang Panda's tactics may seem rudimentary at first, Renals warns that they are still effective, and organizations still need to be cautious.
"APTs using DLL sideloading to deliver malware is not new or novel. However, the continued use of this technique by Stately Taurus actors, combined with minimal detection rates across platforms like VirusTotal, demonstrates that this technique continues to be an effective tool enabling their operations," he concludes.