Mustang Panda: Who is behind the cyber espionage against Myanmar and Asian countries?


The political situation between the two countries forces China to deploy its own intelligence officers.

In November 2023 and January 2024, the Ministry of Defense and the Ministry of Foreign Affairs of Myanmar were targeted by cyber attacks allegedly carried out by the Chinese hacker group Mustang Panda. This was reported by the CSIRT-CTI team after analyzing artifacts related to attacks that were uploaded to the VirusTotal platform.

The attackers' main technique was to abuse legitimate software, including a binary developed by the engineering firm Bernecker & Rainer (B&R) and a component of the Windows 10 update assistant, to load malicious DLLs.

Mustang Panda (Stately Taurus, Camaro Dragon, Bronze President) has been active since 2012. In recent months, the group has been attributed with attacks on governments in Southeast Asia and the Philippines that install backdoors to collect sensitive information.

The first attack in November 2023 began with a phishing email with an attachment in the form of a ZIP archive containing a legitimate executable file (Analysis of the third meeting of NDSC.exe), originally signed by B&R Industrial Automation GmbH, and a DLL file (BrMod104.dll).

The attack relies on the fact that the binary is susceptible to DLL search order hijacking: it loads the malicious DLL, after which the attackers establish persistence and contact with the command-and-control (C2) server and then deploy the PUBLOAD backdoor on the system. PUBLOAD, in turn, acts as a custom loader for delivering the PlugX implant.

The attackers tried to disguise the C2 traffic as Microsoft update traffic by adding the headers "Host: www[.]asia[.]microsoft[.]com" and "User-Agent: Windows-Update-Agent".

The second attack, in January, used an optical disc image (ASEAN Notes.iso) containing LNK shortcuts that launch a multi-step process. According to the experts, this process used another custom loader, TONESHELL, possibly to install PlugX from a C2 server that is no longer available.

Following rebel attacks in northern Myanmar in October 2023, China expressed concern about the impact of these events on trade routes and security along the Myanmar-China border. Stately Taurus operations are known to align with the Chinese government's geopolitical interests, including numerous espionage campaigns against Myanmar.
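The header disguise described above can be hunted for in proxy logs by comparing what a request claims to be with where it actually goes. The following is an added example, not code from the CSIRT-CTI report: the log format, the sample records, and the trusted update network are constructed assumptions, and only the two header values come from this page.

```python
import ipaddress

# Header values reported on this page (Host is refanged only for matching).
REPORTED_HOST = "www[.]asia[.]microsoft[.]com".replace("[.]", ".")
REPORTED_UA = "windows-update-agent"

# Assumption: clients at this site fetch updates only via these networks
# (for example an internal WSUS server). Constructed documentation range.
TRUSTED_UPDATE_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample records: "src_ip dst_ip|Host header|User-Agent"
SAMPLE_LOG = """\
10.0.0.5 198.51.100.10|download.windowsupdate.com|Windows-Update-Agent/10.0
10.0.0.8 203.0.113.77|www.asia.microsoft.com|Windows-Update-Agent
10.0.0.9 203.0.113.80|example.org|Mozilla/5.0
10.0.0.8 203.0.113.77|WWW.ASIA.MICROSOFT.COM:443|windows-update-agent
"""

def parse(line):
    """Split one record and normalise the Host header (case, port, dot)."""
    addrs, host, ua = line.split("|", 2)
    src, dst = addrs.split()
    host = host.strip().lower().split(":", 1)[0].rstrip(".")
    return {"src": src, "dst": ipaddress.ip_address(dst),
            "host": host, "ua": ua.strip().lower()}

def reasons_for(rec):
    """Return the reasons a record looks like disguised update traffic."""
    reasons = []
    claims_ms = rec["host"] == "microsoft.com" or rec["host"].endswith(".microsoft.com")
    claims_wu = rec["ua"].startswith(REPORTED_UA)
    trusted = any(rec["dst"] in net for net in TRUSTED_UPDATE_NETS)
    # Update-like headers are only suspicious when the peer is not a
    # destination that genuine update traffic is expected to reach.
    if (claims_ms or claims_wu) and not trusted:
        reasons.append("update-like headers to untrusted destination")
    if rec["host"] == REPORTED_HOST and rec["ua"] == REPORTED_UA:
        reasons.append("exact Host/User-Agent pair from the report")
    return reasons

def detect(log_text):
    """Return (src, dst, reasons) for every suspicious record."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse(line)
        reasons = reasons_for(rec)
        if reasons:
            hits.append((rec["src"], str(rec["dst"]), reasons))
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

The exact-pair rule is brittle because both header values are trivially changed by the sender; the destination mismatch is the more durable signal.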