
September 10, 2024 |

China-linked Mustang Panda adds new malware to its toolset


Chinese state-sponsored cyber actors, known as Mustang Panda, have recently been observed using new malware called FDMTP and PTSOCKET to facilitate their cyber espionage activities.

The group has also been observed using a variant of the Hiupan worm to deploy the Pubload malware stager via removable network drives, a strategy that differs from the group’s use of spearphishing observed at the beginning of the campaign.

To facilitate propagation via removable media, Mustang Panda stored the Hiupan worm’s files in a hidden directory, leaving only a seemingly legitimate file called USBConfig.exe visible on the drive, which the victim subsequently executes.

Hiupan then downloads and executes Pubload, Mustang Panda’s main control tool, via DLL side-loading; Pubload quickly establishes persistence and conducts reconnaissance on the now-breached network. Mustang Panda was also observed using new malware called FDMTP as a secondary control tool, embedded in a section of a DLL.

During the campaign, Mustang Panda collected files with .DOC, .DOCX, .XLS, .XLSX, .PDF, .PPT, and .PPTX extensions from specified cutoff dates, indicating the group was only interested in recent files and documents. The files were exfiltrated via Pubload using the cURL command, or alternatively via PTSOCKET. Victims included government and non-government entities mostly located in the Asia-Pacific region.
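The removable-drive layout described above (a hidden directory holding the worm’s files beside a single visible executable at the drive root) is something a responder can check for directly. The following triage script is an added example, not code from the article or from Field Effect; the drive contents it builds are constructed for illustration and the payload file names inside the hidden directory are made up.

```python
"""
Triage check for a Hiupan-style removable-drive layout: a hidden directory
containing executables next to a visible lure executable at the drive root.
The sample drive below is constructed for demonstration (not real samples).
"""
import stat
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".exe", ".dll", ".bat", ".cmd", ".lnk"}


def is_hidden(path: Path) -> bool:
    """Hidden by dot prefix (POSIX) or by FILE_ATTRIBUTE_HIDDEN (Windows)."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def triage_drive_root(root: Path) -> dict:
    """Return findings for one drive root. 'suspicious' is True when a hidden
    directory holding executables sits beside at least one visible executable."""
    visible_execs, hidden_dirs_with_execs = [], []
    for entry in root.iterdir():
        if entry.is_dir():
            if is_hidden(entry) and any(
                p.suffix.lower() in EXECUTABLE_SUFFIXES for p in entry.rglob("*")
            ):
                hidden_dirs_with_execs.append(entry.name)
        elif entry.suffix.lower() in EXECUTABLE_SUFFIXES and not is_hidden(entry):
            visible_execs.append(entry.name)
    return {
        "visible_executables": sorted(visible_execs),
        "hidden_dirs_with_executables": sorted(hidden_dirs_with_execs),
        "suspicious": bool(visible_execs and hidden_dirs_with_execs),
    }


def build_sample_drive() -> Path:
    """Construct a fake drive root mimicking the reported layout (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "USBConfig.exe").write_bytes(b"MZ")      # visible lure, as named in the report
    payload = root / ".hidden_payload"                # hidden directory (name made up)
    payload.mkdir()
    (payload / "loader.exe").write_bytes(b"MZ")       # hypothetical worm components
    (payload / "sideloaded.dll").write_bytes(b"MZ")
    (root / "notes.docx").write_bytes(b"PK")          # benign user document
    return root


if __name__ == "__main__":
    print(triage_drive_root(build_sample_drive()))
```

Point `triage_drive_root` at the root of a mounted removable drive to run the same check on real media; the result only flags the layout and does not touch or execute any file.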

Source: Bleeping Computer

Analysis

Sophisticated state-sponsored cyber actors like Mustang Panda continuously evaluate the efficacy of their TTPs and make changes when necessary. Thus, it’s not unusual to see these groups change tactics and adopt new tools mid-campaign, should they feel their current strategy is subpar.

State-sponsored cyber actors have access to considerable resources that enable the rapid development of tools, such as malware and exploits, used in malicious cyberattacks on the most resilient of targets. Accordingly, the threat posed by state-sponsored cyber actors is not only significant but incredibly challenging for organizations to mitigate since they are competing against the resources of an entire state.

Mitigation

Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for threats from advanced cyber actors emanating from countries like China. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the risk these groups pose.

Field Effect MDR users are automatically notified when various types of malicious activities associated with state-sponsored cyber actors are detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect MDR Portal.
