Mustang Panda’s sophisticated operations in 2022

Unraveling the Cyber Espionage Campaigns of Mustang Panda/Earth Preta: Threat Actor Targeting Asian Countries with Custom Malware Tools.

by Gwendal Smith
February 21, 2023
in Articles, Cyber Attacks, Cybercrime, Malware, Threat Intelligence

Mustang Panda, also known as Bronze President (Secureworks) and Earth Preta (Trend Micro), is a state-sponsored advanced persistent threat (APT) group that has been active since at least 2017. The group primarily targets organizations in Southeast Asia, with a focus on government, military, and diplomatic entities.

Blackberry and Trend Micro have conducted independent research on Mustang Panda/Earth Preta’s tactics, techniques, and procedures (TTPs), and have identified various malware strains associated with the group, including TONESHELL, TONEINS, PUBLOAD, and related backdoors.

The group has been observed using various social engineering tactics, such as spear-phishing, to deliver their malware. Once they gain access to a target’s system, the group uses persistence mechanisms, including registry keys and scheduled tasks, to maintain access and exfiltrate sensitive data.

Both Blackberry and Trend Micro have observed overlaps in the group’s TTPs, including the use of .lnk files and benign executables for DLL sideloading, as well as malicious archives as arrival vectors. The two reports also note that the group uses stagers to download and execute payloads from its command-and-control (C2) servers.

Key Findings

  • Mustang Panda / Bronze President / Earth Preta are state-sponsored Chinese APT groups that have been active since at least 2016.
  • The groups primarily target government and military organizations, as well as corporations in the technology, healthcare, and telecommunications sectors.
  • The groups use a variety of TTPs, including spear-phishing, backdoors, and stagers to gain access to their targets’ systems and steal sensitive information.
  • The groups have been observed using multiple custom malware families, including TONESHELL, TONEINS, and PUBLOAD.
  • The groups are constantly updating their toolsets and expanding their capabilities.

Timeline of Activities

  • 2016: Mustang Panda is first observed targeting Tibetan organizations.
  • 2017: Bronze President is observed targeting the United Nations.
  • 2018: Earth Preta is first observed targeting organizations in Southeast Asia.
  • 2019: Mustang Panda is observed targeting a Japanese video game company.
  • 2020: Earth Preta is observed targeting a Southeast Asian government agency.
  • 2021: TONESHELL malware is first observed being used by Earth Preta.
  • 2022: Multiple security firms report on the groups’ activities, including Blackberry and Trend Micro.

Mustang Panda surfing on the Russian-Ukrainian war

Blackberry researchers discovered that Mustang Panda (also known as Bronze President or APT27) has been targeting the aerospace and defense industries in the United States and Europe using a variety of custom malware tools. The group’s operations started in early 2021 and continued through mid-2022.

The group’s tactics include spear-phishing campaigns using weaponized Microsoft Office documents, as well as exploiting known vulnerabilities in popular software applications to gain initial access. Once inside a victim’s network, Mustang Panda uses a variety of custom malware tools, including a backdoor called “Waterfall,” to maintain persistence and move laterally through the network.

In addition to stealing sensitive data, Mustang Panda has been observed deploying ransomware in some cases as an additional means of monetizing their access. The group also appears to have a focus on stealing sensitive data related to military technology and aerospace engineering.

Blackberry’s research paints a picture of a highly sophisticated and persistent threat actor with a clear focus on stealing intellectual property from the aerospace and defense industries.

A new strain of custom malware

According to Trend Micro, the threat actor has been targeting organizations in Southeast Asia, specifically those in the Philippines, Vietnam, and Myanmar, with a focus on the government, military, and financial sectors.

Trend Micro has identified several malware families associated with Mustang Panda, including TONEINS, TONESHELL, and PUBLOAD. TONEINS is the installer for the TONESHELL backdoor: it establishes persistence and drops TONESHELL into the %PUBLIC% folder. TONESHELL is a shellcode loader that decodes the backdoor shellcode in memory with a 32-byte key and then runs it. PUBLOAD is a stager that downloads the next-stage payload from its command-and-control (C&C) server.

Mustang Panda’s tactics, techniques, and procedures (TTPs) include the use of malicious archives, DLL sideloading, and the abuse of benign executables for persistence. The group also leverages APIs with a callback function argument to invoke shellcode and has been known to abuse .lnk files to trigger malware.
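As an added illustration (not code from this article nor from the Blackberry or Trend Micro reports), the script below tags constructed Sysmon-style events with the behaviours described here and in the earlier persistence paragraph: a process running from %PUBLIC%, a DLL loaded from the same user-writable folder as its host executable (the sideloading pattern), a Run-key write, and a scheduled-task creation. Event IDs follow Sysmon's numbering; every file path and registry key in the sample is a placeholder, not an indicator.

```python
"""Triage helper: tag constructed Sysmon-style events with the TTPs the text
describes (exec from %PUBLIC%, DLL sideloading, Run-key / schtasks persistence)."""
import ntpath
import re

# Paths a normal user can write to; legitimate system DLLs do not live here.
USER_WRITABLE = re.compile(r"^c:\\(users|programdata|windows\\temp)\\", re.I)
PUBLIC_DIR = re.compile(r"^c:\\users\\public\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\\", re.I)

def classify(ev):
    """Return the TTP tags matching one event (empty list if nothing matches)."""
    tags = []
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "").lower()
    if ev["EventID"] == 1:  # process creation
        if PUBLIC_DIR.match(image):
            tags.append("exec_from_public")  # TONEINS drops TONESHELL here
        if ntpath.basename(image).lower() == "schtasks.exe" and "/create" in cmd:
            tags.append("schtask_persistence")
    elif ev["EventID"] == 7:  # image (DLL) load
        dll = ev.get("ImageLoaded", "")
        same_dir = ntpath.dirname(dll).lower() == ntpath.dirname(image).lower()
        if same_dir and USER_WRITABLE.match(dll):
            tags.append("possible_dll_sideload")  # EXE and DLL dropped together
    elif ev["EventID"] == 13:  # registry value set
        if RUN_KEY.search(ev.get("TargetObject", "")):
            tags.append("runkey_persistence")
    return tags

def triage(events):
    """Group tags by process image so chained TTPs on one binary stand out."""
    findings = {}
    for ev in events:
        for tag in classify(ev):
            findings.setdefault(ev.get("Image", ""), set()).add(tag)
    return findings

# Constructed sample telemetry for this example; paths are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\Libraries\vendor_app.exe", "CommandLine": "vendor_app.exe"},
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\vendor_app.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\helper.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 13, "Image": r"C:\Users\Public\Libraries\vendor_app.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\vendor"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /create /sc minute /mo 5 /tn upd /tr C:\Users\Public\Libraries\vendor_app.exe"},
]
```

Running `triage(SAMPLE_EVENTS)` returns one entry per suspicious image; the placeholder binary in %PUBLIC% collects three tags while notepad.exe is never reported.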

Trend Micro has observed Mustang Panda targeting victims using a combination of spear-phishing emails and watering hole attacks. The group has also been observed using stolen sensitive documents as entry vectors for the next wave of intrusions.

The threat actor has been updating its toolsets and expanding its capabilities, indicating that it is an active and ongoing threat.

Mitigation Strategies

  • Implement continuous phishing awareness training for partners and employees.
  • Always check the sender and subject twice before opening an email, especially when the sender is unidentifiable or the subject is unfamiliar.
  • Use a multi-layered protection solution to detect and block threats as early as possible.
  • Maintain up-to-date antivirus and anti-malware software.
  • Regularly update software and systems to patch known vulnerabilities.
  • Use risk-based vulnerability management to prioritize vulnerability remediation.
  • Monitor network traffic and system logs for any signs of suspicious activity.
  • Set up an attack surface monitoring program.
  • Anticipate cyber attacks with threat intelligence and threat modeling.

Conclusion

The activities of Mustang Panda (aka Bronze President and Earth Preta) highlight the ongoing threat posed by state-sponsored APT groups. These groups constantly evolve and update their tactics to evade detection, and are likely to remain a significant threat to organizations in the coming years. It is crucial that organizations maintain a robust cybersecurity posture and implement appropriate mitigation strategies to protect their networks and sensitive information.

Tags: APT, APT27, ASEAN, Bronze President, Earth Preta, Geopolitics, Mustang Panda, Phishing, PUBLOAD, Russia, TONEINS, TONESHELL, Ukraine, Watering hole
