Mustang Panda deploys advanced malware to spy on governments in Asia Pacific

September 10, 2024 | Ravie Lakshmanan | Cyber attack / Malware

The threat actor tracked as Mustang Panda has enhanced its malware arsenal with new tools to facilitate data exfiltration and next-stage payload deployment, according to new findings from Trend Micro.

The cybersecurity firm, which monitors the cluster of activity under the name Earth Preta, said it has observed “the spread of PUBLOAD via a variant of the HIUPAN worm.”

PUBLOAD is a well-known downloader malware that has been linked to Mustang Panda since early 2022. The malware is being deployed as part of cyberattacks against government agencies in the Asia Pacific (APAC) region to spread the PlugX malware.

“PUBLOAD was also used to introduce additional tools into the targets’ environments, such as FDMTP as a secondary means of control. This was found to perform similar tasks as PUBLOAD. PTSOCKET was also used as an alternative exfiltration option,” security researchers Lenart Bermejo, Sunny Lu, and Ted Lee said.

Mustang Panda’s use of removable drives as a propagation vector for HIUPAN was previously documented by Trend Micro in March 2023. The worm is tracked by Google-owned Mandiant as MISTCLOAK, which observed it in connection with a cyberespionage campaign targeting the Philippines that may have begun as early as September 2021.

PUBLOAD has features that allow its operators to explore the infected network and collect files of interest (.doc, .docx, .xls, .xlsx, .pdf, .ppt, and .pptx). In addition, PUBLOAD acts as a conduit for a new hacking tool called FDMTP, a “simple malware downloader” implemented on top of TouchSocket’s Duplex Message Transport Protocol (DMTP).

The captured information is compressed into a RAR archive and exfiltrated to an attacker-controlled FTP site via cURL. Alternatively, Mustang Panda has also been observed deploying a custom program called PTSOCKET that can transfer files in multi-thread mode.

Trend Micro has also attributed to the threat actor a “fast” spear-phishing campaign detected in June 2024, which distributed emails carrying a .url attachment. Once launched, the attachment is used to deliver a signed downloader called DOWNBAIT.

The campaign is believed to have targeted Myanmar, the Philippines, Vietnam, Singapore, Cambodia and Taiwan, based on the file names and content of the decoy documents used.

DOWNBAIT is a first-stage loader tool that is used to load and execute the PULLBAIT shellcode into memory. It then downloads and executes the first-stage backdoor, called CBROVER.

The implant in turn supports file downloading and remote shell execution, and also acts as a delivery vehicle for the PlugX remote access trojan (RAT). PlugX then handles the deployment of another custom file collector called FILESAC that can collect the victim’s files.

The disclosure follows a report from Palo Alto Networks Unit 42 detailing Mustang Panda’s abuse of Visual Studio Code’s built-in reverse shell functionality to gain a foothold in target networks, indicating that the threat actor is actively changing its modus operandi.

“Earth Preta has made significant advancements in its malware deployment and strategies, particularly in its campaigns targeting government agencies,” the researchers said. “The group has evolved its tactics, (…) using multi-stage downloaders (from DOWNBAIT to PlugX) and potentially exploiting Microsoft’s cloud services for data exfiltration.”