A Chinese state-sponsored threat actor known as Mustang Panda targets government organizations and researchers around the world with three malware variants hosted on Google Drive, Dropbox and similar cloud storage solutions.
Trend Micro researchers recently noticed the new malware campaign, which mainly targets organizations in Australia, Japan, Taiwan, Myanmar and the Philippines.
The Mustang Panda campaign started in March 2022 and lasted until at least October. The attackers would create a phishing email and send it to a bogus address, while the actual victim remains in CC. That way, the researchers assume, the attackers wanted to reduce the chances of being picked up by anti-virus programs, email security solutions, and the like.
Deliver malicious archives
The subject of the email may be empty or have the same name as the malicious archive. “Instead of adding the addresses of the victims to the ‘To’ header of the email, the threat actors used fake emails. Meanwhile, the addresses of the real victims were written in the ‘CC’ header, which likely bypasses safety analysis and delays investigations.”
Another thing they have done to avoid detection is to store the malware on legitimate cloud storage solutions, in a .ZIP or .RAR file, as these platforms are usually whitelisted by security tools. However, if the victim falls for the trick and downloads and executes the archive file, they end up with these three custom malware types: PubLoad, ToneIns, and ToneShell.
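The two delivery traits described above (decoy address in “To” with the real recipients only in “CC”, and a .ZIP/.RAR archive linked from a cloud-storage service) lend themselves to a simple mail-gateway triage check. The following is an added example, not code from the article or from Trend Micro’s report; the organization domain, the cloud-storage hosts and both sample messages are constructed assumptions.

```python
# Added example: flag inbound mail that shows the delivery traits described
# in the article. ORG_DOMAINS, the hosts and the samples are assumptions.
import re
from email import message_from_string
from email.utils import getaddresses

ORG_DOMAINS = {"example.gov"}          # assumed: the defender's own domains
# Links to a .zip/.rar archive hosted on Google Drive or Dropbox.
ARCHIVE_LINK = re.compile(
    r"https?://(?:[\w.-]+\.)?(?:drive\.google\.com|dropbox\.com)/\S+\.(?:zip|rar)\b",
    re.IGNORECASE,
)

def _domains(msg, header):
    """Set of lowercase domains found in a recipient header (To, Cc)."""
    return {addr.rsplit("@", 1)[-1].lower()
            for _, addr in getaddresses(msg.get_all(header, [])) if "@" in addr}

def triage(raw_message):
    """Return the list of suspicious traits found in a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    reasons = []
    # Trait 1: none of our users in "To", but our users present in "Cc".
    if not (_domains(msg, "To") & ORG_DOMAINS) and (_domains(msg, "Cc") & ORG_DOMAINS):
        reasons.append("org recipients only in CC")
    # Trait 2: empty subject line, as observed in the campaign.
    if not msg.get("Subject", "").strip():
        reasons.append("empty subject")
    # Trait 3: cloud-hosted archive link in a single-part text body.
    if ARCHIVE_LINK.search(msg.get_payload()):
        reasons.append("cloud-hosted archive link")
    return reasons

# Constructed sample messages (not real campaign artifacts).
SUSPECT = """From: sender@lookalike.test
To: decoy@unrelated.test
Cc: analyst@example.gov
Subject:

Report attached: https://www.dropbox.com/s/abc123/Report.rar?dl=1
"""

BENIGN = """From: colleague@example.gov
To: analyst@example.gov
Subject: Q3 figures

Draft at https://drive.google.com/file/d/1AbC/view
"""

if __name__ == "__main__":
    print("suspect:", triage(SUSPECT))
    print("benign:", triage(BENIGN))
```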
PubLoad is a stager used to download the next stage payload from its C2 server. It also adds new registry keys and scheduled tasks to establish persistence. ToneIns is an installer for ToneShell, the main backdoor. While the process may sound overly complicated, it works as an anti-sandbox mechanism, the researchers explained, because the backdoor doesn’t run in a debugging environment.
The main task of the malware is to upload, download and execute files. Among other things, it can create shells for intranet data exchange or change the sleep configuration. The malware has recently acquired a number of new features, the researchers say, suggesting that Mustang Panda is hard at work, improving its toolkit and becoming more dangerous by the day.
Via: Bleeping Computer