China is improving its methods of infecting its victims.
Researchers from the cybersecurity company Trend Micro have linked the Chinese group Mustang Panda to a series of targeted phishing attacks aimed at government, educational and research sectors around the world. The main targets of the attacks from May to October 2022 were countries in the Asia-Pacific region: Myanmar, Australia, the Philippines, Japan and Taiwan.
According to Trend Micro, Mustang Panda (also known as Bronze President, Earth Preta, HoneyMyte, and Red Lich) continues to evolve its methods of avoiding detection and deploying specialized malware.
Mustang Panda used fake Google accounts to distribute malware through phishing emails. The malware is stored in an archive file (RAR/ZIP/JAR) and distributed via links to Google Drive.
Hackers gain initial access by using decoy documents that cover controversial geopolitical topics to encourage targeted organizations to download and run malware. In some cases, phishing messages were sent from previously compromised email accounts belonging to certain organizations.
When opened, archives display a decoy document for the victim, and malware is quietly loaded in the background using the DLL Side-Loading method.
The attack chains eventually install 3 families of previously unknown malware, PUBLOAD, TONEINS, and TONESHELL, which are capable of loading the next-stage payload and remaining undetected. TONESHELL, the main backdoor, is installed via TONEINS and is a shellcode loader.
The cyber espionage group Earth Preta develops its own loaders in combination with the existing PlugX and Cobalt Strike tools. Stolen confidential documents of victims can be used as initial vectors for subsequent intrusions. This strategy significantly expands the scope of compromise in the region.
------
Representatives of the Chinese cyber-espionage community are becoming more experienced and sophisticated in circumventing security solutions.
This is the conclusion reached by experts from Trend Micro, who presented an analysis of recent campaigns by the pro-government Chinese group Earth Preta.
The threat actor has been active since at least 2012 and is tracked by a number of cybersecurity companies under names such as Bronze President, HoneyMyte, Mustang Panda, RedDelta, and Red Lich.
The chain of attacks begins as usual, namely by sending out phishing emails in order to deploy a wide range of tools for organizing a backdoor, accessing C2, and extracting data.
As a rule, messages contain malicious attachments in the form of decoy archives distributed via Dropbox or Google Drive to download DLLs, LNK shortcuts, and files with fake extensions in order to gain a foothold in the system and then install one of the TONEINS, TONESHELL, PUBLOAD, and MQsTTang (aka QMAGENT) backdoors.
Similar infection vectors with links to Google Drive were used in April 2021 to install Cobalt Strike.
According to experts, Earth Preta reinforces the tendency to hide the payload in fake files, disguising them as legitimate ones, as this method has proven effective in preventing detection.
This scenario with the original entry point was first noticed at the end of last year and has now received a small but very remarkable revision, in which the link to download the archive is embedded in another decoy document, and the final file is password-protected, which allows it to bypass scanning services.
Initial access to the environment is accompanied by a search for the victim's account and subsequent elevation of privileges, while attackers use custom tools such as ABPASS and CCPASS to bypass User Account Control (the user account control mechanism in Windows 10).
Among other things, the hackers deploy the malware "USB Driver.exe" (HIUPAN or MISTCLOAK) and "rzlog4cpp.dll" (ACNSHELL or BLUEHAZE) to install on removable storage devices and create a reverse shell for lateral movement in the network.
Other malicious utilities included: CLEXEC, a backdoor that can execute commands and clear event logs; COOLCLIENT and TROCLIENT, implants designed to record keystrokes and read and delete files; and PlugX for distribution via USB drives.
The threat actor has also developed sophisticated custom tools used for exfiltration, such as NUPAKAGE and ZPAKAGE, both of which are equipped for collecting Microsoft Office files.
The results of the analysis once again emphasize the increased potential of Chinese APTs and their constant investment in improving their arsenal, and Earth Preta is a clear example of a threat actor that regularly improves its TTPs, strengthens its development capabilities and creates a universal set of malicious tools for cyber espionage activities.
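The lure pattern described in this post (archives that carry LNK shortcuts, files with fake extensions, an EXE staged next to a DLL for side-loading, and password protection that keeps scanners out) can be triaged from the archive's central directory without extracting anything. The following is an added example written for this page, not code from the post or from Trend Micro; the heuristic extension lists, the folder names and the placeholder contents are all constructed, and the `_mark_encrypted` helper exists only because Python's `zipfile` cannot write encrypted entries for the sample.

```python
import io
import zipfile
from typing import List, Tuple

# Hypothetical heuristic lists (not from the original post): file types that a
# "document" archive arriving by e-mail should rarely contain.
EXEC_EXTS = {".exe", ".dll", ".lnk", ".scr", ".cpl", ".hta", ".js", ".vbs", ".bat", ".cmd"}
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".rtf"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".jar"}


def _basename(name: str) -> str:
    return name.rsplit("/", 1)[-1]


def _dirname(name: str) -> str:
    return name.rsplit("/", 1)[0] if "/" in name else ""


def _split_exts(name: str) -> List[str]:
    """All extensions of the basename, lower-cased and stripped of padding:
    'brief.pdf      .lnk' -> ['.pdf', '.lnk']."""
    parts = _basename(name).lower().split(".")
    return ["." + p.strip() for p in parts[1:]]


def triage_zip(data: bytes) -> List[Tuple[str, str]]:
    """Inspect a ZIP's central directory without extracting anything and
    return (entry, reason) pairs for the lure patterns described in the post."""
    findings: List[Tuple[str, str]] = []
    dirs_with_exe, dirs_with_dll = set(), set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            exts = _split_exts(name)
            last = exts[-1] if exts else ""
            # Bit 0 of the general-purpose flag marks an encrypted entry; a
            # gateway scanner cannot look inside without the password.
            if info.flag_bits & 0x1:
                findings.append((name, "encrypted entry (password-protected content)"))
            if last in EXEC_EXTS:
                findings.append((name, f"executable content ({last})"))
                if len(exts) >= 2 and exts[-2] in DOC_EXTS:
                    findings.append((name, "document extension followed by an executable one"))
                if "  " in _basename(name):
                    findings.append((name, "whitespace padding hides the real extension"))
            if last in ARCHIVE_EXTS:
                findings.append((name, "nested archive"))
            if last == ".exe":
                dirs_with_exe.add(_dirname(name))
            elif last == ".dll":
                dirs_with_dll.add(_dirname(name))
    # An EXE shipped next to a DLL in the same folder is how side-loading is staged.
    for d in sorted(dirs_with_exe & dirs_with_dll):
        findings.append((d or "<root>", "EXE and DLL in the same folder (DLL side-loading staging)"))
    return findings


def _mark_encrypted(buf: bytes, target: str) -> bytes:
    """Test-data helper: set the encrypted flag bit on one entry's local and
    central headers, since zipfile cannot write encrypted entries itself."""
    b = bytearray(buf)
    wanted = target.encode()
    # (signature, flag offset, name-length offset, fixed header length)
    for sig, flag_off, len_off, hdr_len in ((b"PK\x03\x04", 6, 26, 30), (b"PK\x01\x02", 8, 28, 46)):
        pos = b.find(sig)
        while pos != -1:
            n = int.from_bytes(b[pos + len_off:pos + len_off + 2], "little")
            if bytes(b[pos + hdr_len:pos + hdr_len + n]) == wanted:
                b[pos + flag_off] |= 0x01
            pos = b.find(sig, pos + 4)
    return bytes(b)


def build_sample_lure() -> bytes:
    """Constructed lure archive mirroring the described pattern; every entry
    holds placeholder text, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Briefing/Regional policy brief.pdf", b"decoy document placeholder")
        zf.writestr("Briefing/Regional policy brief.pdf                    .lnk", b"shortcut placeholder")
        zf.writestr("Briefing/data/updater.exe", b"signed-binary placeholder")
        zf.writestr("Briefing/data/libcurl.dll", b"side-loaded-dll placeholder")
        zf.writestr("Briefing/attachments.zip", b"inner archive placeholder")
    return _mark_encrypted(buf.getvalue(), "Briefing/attachments.zip")


if __name__ == "__main__":
    for entry, reason in triage_zip(build_sample_lure()):
        print(f"{reason:60} {entry}")
```

The check deliberately never opens an entry, so it is safe to run on mail-gateway copies of attachments; a hit on the encrypted-entry rule is the signal that the file needs a sandbox or a human, because nothing upstream could have scanned its content.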
------
Trend Micro continues tracking activity of the Chinese Earth Preta, better known in the research community as Mustang Panda (aka BASIN, Bronze President, Camaro Dragon, HoneyMyte, RedDelta, Red Lich, Stately Taurus, TA416 and TEMP.Hex), which first came to the attention of researchers in 2017.
In a newly observed campaign, the APT attacked various Asian countries using a modified PlugX backdoor (aka Korplug, Mustang Panda's main tool) called DOPLUGS.
And earlier in the arsenal of the group there were also such PlugX variants as RedDelta, Thor and Hodur.
The main targets were located in Taiwan and Vietnam, and to a lesser extent in Hong Kong, India, Japan, Malaysia, Mongolia, and even China.
The professional activity of an attacker involves conducting carefully designed targeted phishing campaigns.
The infection chain begins with an email message as the channel for delivering the first-stage payload, where the recipient is shown a decoy document while, in parallel, a legitimately signed executable file vulnerable to DLL side-loading is unpacked, which in turn decrypts and executes PlugX.
In turn, PlugX extracts Poison Ivy (RAT) or Cobalt Strike Beacon to establish a connection to the APT-controlled server.
In December 2023, Lab52 discovered a Mustang Panda campaign targeting Taiwanese diplomatic and government organizations with DOPLUGS, but with a noticeable difference.
The malicious DLL was written in the Nim programming language. This new variant uses its own implementation of the RC4 algorithm to decrypt PlugX, unlike previous versions that used the Windows library Cryptsp.dll.
DOPLUGS, first documented by Secureworks in September 2022, is a downloader with four backdoor commands, one of which is designed to download the main type of PlugX malware.
But in the new campaign, Trend Micro encountered DOPLUGS samples integrated with the module KillSomeOne, a plugin that is responsible for spreading malware, collecting information, and stealing documents via USB drives.
This variant is equipped with an additional component that runs a legitimate executable file to load DLLs, and also supports functionality for executing commands and downloading next-stage malware from the attacker's server.
It is worth noting that a modified version of PlugX, which includes the KillSomeOne module intended for distribution via USB, was also spotted by Avira back in January 2020, as part of an investigation into attacks aimed at Hong Kong and Vietnam.
In general, all this once again shows that Earth Preta is constantly honing its tools, expanding its functions and capabilities, which allows the APT to maintain and increase activity, focusing on targets in Europe and Asia.
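A loader that carries its own RC4 routine instead of calling the Windows crypto library (as the Nim-based DOPLUGS variant above is reported to do) changes two things for an analyst: there is no Cryptsp.dll import to key a detection on, and the cipher can no longer be assumed to be textbook RC4. The block below is an added example written for this page, not code from the post, Lab52 or Trend Micro. It implements standard RC4, checks a candidate routine against the published RC4 test vectors, and accepts a decrypted blob only if it carries the "MZ" header of a PE payload. The `tweak` parameter, `variant_cipher`, `SAMPLE_KEY` and `SAMPLE_BLOB` are constructed stand-ins; the post does not say how the real loader's RC4 differs from the standard one.

```python
from typing import Callable, List, Optional

Cipher = Callable[[bytes, bytes], bytes]


def rc4_ksa(key: bytes, tweak: int = 0) -> List[int]:
    """Key-scheduling step. tweak=0 is textbook RC4; a non-zero tweak is a
    constructed stand-in for a loader that ships a non-standard schedule."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)] + tweak) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_crypt(key: bytes, data: bytes, tweak: int = 0) -> bytes:
    """PRGA keystream XORed over data; RC4 is symmetric, so this both
    encrypts and decrypts."""
    S = rc4_ksa(key, tweak)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Published RC4 test vectors: (key, plaintext, ciphertext as hex).
VECTORS = [
    (b"Key", b"Plaintext", "bbf316e8d940af0ad3"),
    (b"Wiki", b"pedia", "1021bf0420"),
    (b"Secret", b"Attack at dawn", "45a01f645fc35b383552544b9bf5"),
]


def is_textbook_rc4(cipher: Cipher) -> bool:
    """True if the candidate routine reproduces the published vectors. A loader
    that carries its own cipher instead of calling Cryptsp.dll may have
    changed it, and a reimplementation must follow the sample, not the book."""
    return all(cipher(k, bytes.fromhex(c)) == p for k, p, c in VECTORS)


def recover_payload(blob: bytes, key: bytes, cipher: Cipher = rc4_crypt) -> Optional[bytes]:
    """Decrypt an embedded blob and accept the result only if it starts with
    the 'MZ' header that a PE payload such as PlugX would carry."""
    plain = cipher(key, blob)
    return plain if plain[:2] == b"MZ" else None


def variant_cipher(key: bytes, data: bytes) -> bytes:
    """Constructed non-standard variant (tweak=7), used only to show that a
    custom routine fails the vector check; not the real loader's change."""
    return rc4_crypt(key, data, tweak=7)


# Constructed sample: a fake PE-like payload encrypted under a placeholder key.
SAMPLE_KEY = b"placeholder-key"
SAMPLE_BLOB = rc4_crypt(SAMPLE_KEY, b"MZ" + b"\x90" * 14 + b"PE\x00\x00" + b"fake-payload")


if __name__ == "__main__":
    print("textbook routine matches vectors:", is_textbook_rc4(rc4_crypt))
    print("variant routine matches vectors:", is_textbook_rc4(variant_cipher))
    print("payload recovered with textbook RC4:", recover_payload(SAMPLE_BLOB, SAMPLE_KEY) is not None)
```

In practice the candidate passed to `is_textbook_rc4` would be the routine lifted from the sample (for instance re-expressed in Python from the disassembly); if it fails the vectors, the analyst's decryptor must mirror the sample's schedule rather than a library RC4, and the "MZ" check is the quick way to confirm that a guessed key and routine actually produced the embedded PE.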