Mustang Panda APT Group Targets Asia, Europe, and Australia with New MQsTTang Backdoor

China-linked APT (Advanced Persistent Threat) group Mustang Panda, also known by aliases such as Camaro Dragon, RedDelta, or Bronze President, has recently escalated its cyber espionage activities. The group has deployed a new custom backdoor, MQsTTang, in its ongoing campaign targeting organizations in Europe, Asia, and Australia. These latest attacks combine stealth tactics and purpose-built tools to compromise and infiltrate systems and to maintain persistence within networks.

Active since at least 2012, Mustang Panda has built a notorious reputation for infiltrating government bodies, think tanks, non-governmental organizations (NGOs), and various global entities. Their previous campaigns have largely focused on Asian countries, such as Taiwan, Hong Kong, Tibet, and Myanmar, but in recent years, they have broadened their scope to include European and Australian targets. The group’s tactics have evolved over time, including the recent use of lures involving European Union reports on the Ukraine conflict.

The Evolution of Mustang Panda’s Attack Methods

Mustang Panda’s most recent activity, tracked by security researchers from Trend Micro and Zscaler ThreatLabz, indicates a significant shift in their attack strategies. In February 2024, Trend Micro analysts detected a series of intrusions primarily affecting countries in Asia, notably Taiwan, Vietnam, and Malaysia. Zscaler ThreatLabz has also identified fresh activity stemming from Myanmar, where the group has employed new backdoor variants and advanced evasion techniques.

A key element of Mustang Panda’s latest attacks is the deployment of multiple new tools, such as the ToneShell backdoor, the StarProxy tool for lateral movement, and keyloggers like Paklog and Corklog. These tools are packaged alongside legitimate executables and malicious Dynamic Link Libraries (DLLs), utilizing DLL sideloading as an advanced method of payload delivery. This technique allows the threat actors to evade detection while executing malicious payloads on compromised systems.

The ToneShell backdoor, which has undergone several updates, is at the heart of Mustang Panda’s ongoing espionage campaigns. It uses a FakeTLS communication protocol to talk to its command-and-control (C2) server and is often distributed within RAR archives containing both legitimate executables and the malicious DLLs. The variants in question, which arrived in archives such as cf.rar, .ru.zip, and .zz.rar, reflect the group’s evolving strategies to enhance stealth and evade security mechanisms.

In addition to ToneShell,

What Undercode Says: Insights into Mustang Panda’s Evolving Tactics

The latest campaigns by Mustang Panda offer a glimpse into the sophisticated and ever-evolving tactics APT groups use to achieve their objectives. In contrast to traditional malware, the group’s use of DLL sideloading and customized backdoors such as MQsTTang demonstrates a deep understanding of modern security mechanisms and the ways in which they can be bypassed.

DLL sideloading, in particular, is a noteworthy tactic. The technique places a malicious DLL alongside a legitimate application that loads it, so the attackers’ payload executes under the trusted program without raising alarms. For organizations this poses a significant challenge: even when an attack is detected, it is often difficult to tell which legitimate applications have been abused, because the malicious payload hides behind otherwise trusted software.
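One way a defender can hunt for the sideloading pattern described above is an added Python example, written for this article and not taken from it or from any vendor report. It sweeps a directory tree for DLLs that sit beside an executable and whose file name collides with a library that should only exist in the Windows system directory; the list of system DLL names and the sample directory layout are constructed for the demonstration.

```python
"""Heuristic sweep for DLL sideloading candidates (added example, not from the article).

Sideloading drops a malicious DLL next to a legitimate executable that loads a
library by bare name, so the copy beside the EXE is picked up instead of the
genuine system copy. This sweep flags exactly that layout: a DLL whose name
matches a system library, located in the same directory as an executable.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Constructed, illustrative list of library names that normally live only under
# System32. A production tool would pull this from a known-DLL inventory.
SYSTEM_DLL_NAMES = {
    "version.dll",
    "userenv.dll",
    "dwmapi.dll",
    "wtsapi32.dll",
    "cryptbase.dll",
}


def find_sideload_candidates(
    root: Path, system_dlls: set[str] = SYSTEM_DLL_NAMES
) -> list[tuple[Path, Path]]:
    """Return (executable, suspicious_dll) pairs found under root.

    On a real host you would also skip the Windows directory itself, since the
    genuine copies of these libraries live there.
    """
    candidates: list[tuple[Path, Path]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Map lower-cased names back to the on-disk spelling (NTFS is case-insensitive).
        names = {f.lower(): f for f in filenames}
        exes = [n for n in names if n.endswith(".exe")]
        if not exes:
            continue
        for name in names:
            if name.endswith(".dll") and name in system_dlls:
                for exe in exes:
                    candidates.append(
                        (Path(dirpath) / names[exe], Path(dirpath) / names[name])
                    )
    return sorted(candidates)


def build_sample_tree() -> Path:
    """Create a constructed directory layout for the demonstration."""
    root = Path(tempfile.mkdtemp(prefix="sideload_demo_"))
    # Suspicious: an updater in a user-writable location with a version.dll beside it.
    sus = root / "Temp" / "Updater"
    sus.mkdir(parents=True)
    (sus / "updater.exe").write_bytes(b"MZ")
    (sus / "version.dll").write_bytes(b"MZ")
    # Benign: an application shipping its own private helper library.
    ok = root / "Program Files" / "App"
    ok.mkdir(parents=True)
    (ok / "app.exe").write_bytes(b"MZ")
    (ok / "apphelper.dll").write_bytes(b"MZ")
    return root


if __name__ == "__main__":
    for exe, dll in find_sideload_candidates(build_sample_tree()):
        print(f"candidate: {exe.name} loads {dll.name} from {dll.parent}")
```

A hit from this sweep only narrows the search: the next step is to compare the flagged DLL's hash and signature against the genuine system copy, since a legitimately redistributed library can produce the same layout.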

Another significant factor in Mustang Panda’s operations is their use of encrypted communication channels. Tools like StarProxy and ToneShell employ custom encryption algorithms, such as XOR-based encryption, to secure the communication between compromised systems and C2 servers. This encryption makes it harder for traditional network monitoring systems to detect and block malicious traffic.
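To make concrete why a fixed-key XOR scheme hinders signature matching but does not give the operator real confidentiality, here is an added Python example, not code from the article or from any analysed sample. It recovers a single-byte XOR key from a captured payload by scoring all 256 candidate keys on how text-like the decoded bytes are; the beacon content and key are constructed for the demonstration, and real tooling would add multi-byte key handling and a known-plaintext check.

```python
"""Single-byte XOR key recovery over a captured payload (added example, not from the article).

XOR-encoded C2 traffic defeats plain string signatures, but a fixed key leaks
through the statistics of the underlying text. An analyst can decode captured
traffic and then write detections on the decoded content.
"""
import string

# Byte classes used for scoring a candidate decryption.
LOWER_OR_SPACE = set(b"abcdefghijklmnopqrstuvwxyz ")
PRINTABLE = set(string.printable.encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same routine encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def text_score(data: bytes) -> int:
    """Reward lowercase letters and spaces, punish bytes that are not printable."""
    score = 0
    for b in data:
        if b in LOWER_OR_SPACE:
            score += 1
        elif b not in PRINTABLE:
            score -= 10
    return score


def recover_single_byte_key(ciphertext: bytes) -> tuple[int, bytes]:
    """Try every key and return the one whose output looks most like text."""
    best = max(
        range(256), key=lambda k: text_score(xor_bytes(ciphertext, bytes([k])))
    )
    return best, xor_bytes(ciphertext, bytes([best]))


def looks_like_plain_text(data: bytes, threshold: float = 0.9) -> bool:
    """Share of printable bytes; a cheap way to notice encoded traffic on a
    channel where cleartext is expected."""
    if not data:
        return False
    return sum(b in PRINTABLE for b in data) / len(data) >= threshold


# Constructed sample beacon and key for the demonstration; not from a real sample.
SAMPLE_PLAINTEXT = b"host=WS-042 user=analyst cmd=idle status=ok uptime=3600"
SAMPLE_KEY = 0xC3
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, bytes([SAMPLE_KEY]))


if __name__ == "__main__":
    key, plain = recover_single_byte_key(SAMPLE_CIPHERTEXT)
    print(f"encoded payload looks like text: {looks_like_plain_text(SAMPLE_CIPHERTEXT)}")
    print(f"recovered key 0x{key:02x}: {plain!r}")
```

The scoring deliberately rewards only lowercase letters and spaces: a score that counts any printable byte ties between the true key and keys that merely flip punctuation, which is a common pitfall when the captured sample is short.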

Mustang

The group’s continued development of new malware and evasion tools, including keyloggers and evasion drivers, underscores their commitment to maintaining persistence within compromised networks. The fact that these tools are used in conjunction with advanced evasion techniques, such as the modification of command-and-control protocols, suggests that Mustang Panda is not only after immediate intelligence but also seeks to maintain long-term access to its targets.

For organizations in Asia, Europe, and Australia, this highlights a pressing need for advanced detection and response systems. Relying solely on traditional antivirus software may not be enough to detect these sophisticated threats. Instead, proactive monitoring, threat hunting, and vulnerability management must be part of any comprehensive cybersecurity strategy.

Fact Checker Results: Key Takeaways

  1. New Malware Strains: Zscaler and Trend Micro’s findings align with previous reports indicating that Mustang Panda is continually evolving its arsenal of tools, with the latest additions including advanced backdoors like MQsTTang and StarProxy.
  2. Advanced Evasion Techniques: The use of DLL sideloading and encrypted communication channels confirms Mustang Panda’s ability to avoid detection by traditional security measures, necessitating more sophisticated defenses.
  3. Ongoing Threat: Mustang Panda remains a significant threat actor in the cyber espionage landscape, with a continued focus on organizations in regions of strategic geopolitical interest.

References:

Reported By: securityaffairs.com