Mustang Panda, also known as Bronze President (Secureworks) and Earth Preta (Trend Micro), is a state-sponsored advanced persistent threat (APT) group that has been active since at least 2017. The group primarily targets organizations in Southeast Asia, with a focus on government, military, and diplomatic entities.
Blackberry and Trend Micro have conducted independent research on Mustang Panda/Earth Preta’s tactics, techniques, and procedures (TTPs), and have identified various malware strains associated with the group, including TONESHELL, TONEINS, PUBLOAD, and related backdoors.
The group has been observed using various social engineering tactics, such as spear-phishing, to deliver their malware. Once they gain access to a target’s system, the group uses persistence mechanisms, including registry keys and scheduled tasks, to maintain access and exfiltrate sensitive data.
Both Blackberry and Trend Micro have observed overlaps in the group’s TTPs, including the use of .lnk files and benign executables for DLL sideloading, as well as malicious archives for arrival vectors. The two reports also note that the group uses stagers to download and execute payloads from their command-and-control (C2) servers.
- Mustang Panda / Bronze President / Earth Preta are state-sponsored Chinese APT groups that have been active since at least 2016.
- The groups primarily target government and military organizations, as well as corporations in the technology, healthcare, and telecommunications sectors.
- The groups use a variety of TTPs, including spear-phishing, backdoors, and stagers to gain access to their targets’ systems and steal sensitive information.
- The groups have been observed using multiple custom malware families, including TONESHELL, TONEINS, and PUBLOAD.
- The groups are constantly updating their toolsets and expanding their capabilities.
Timeline of Activities
- 2016: Mustang Panda is first observed targeting Tibetan organizations.
- 2017: Bronze President is observed targeting the United Nations.
- 2018: Earth Preta is first observed targeting organizations in Southeast Asia.
- 2019: Mustang Panda is observed targeting a Japanese video game company.
- 2020: Earth Preta is observed targeting a Southeast Asian government agency.
- 2021: TONESHELL malware is first observed being used by Earth Preta.
- 2022: Multiple security firms report on the groups’ activities, including Blackberry and Trend Micro.
Mustang Panda surfing on the Russian-Ukrainian war
Blackberry researchers discovered that Mustang Panda (also known as Bronze President or APT27) has been targeting the aerospace and defense industries in the United States and Europe using a variety of custom malware tools. The group’s operations started in early 2021 and continued through mid-2022.
The group’s tactics include spear-phishing campaigns using weaponized Microsoft Office documents, as well as exploiting known vulnerabilities in popular software applications to gain initial access. Once inside a victim’s network, Mustang Panda uses a variety of custom malware tools, including a backdoor called “Waterfall,” to maintain persistence and move laterally through the network.
In addition to stealing sensitive data, Mustang Panda has been observed deploying ransomware in some cases as an additional means of monetizing their access. The group also appears to have a focus on stealing sensitive data related to military technology and aerospace engineering.
Blackberry’s research paints a picture of a highly sophisticated and persistent threat actor with a clear focus on stealing intellectual property from the aerospace and defense industries.
A new strain of custom malware
According to Trend Micro, the threat actor has been targeting organizations in Southeast Asia, specifically those in the Philippines, Vietnam, and Myanmar, with a focus on the government, military, and financial sectors.
Trend Micro has identified several malware families associated with Mustang Panda, including TONEINS, TONESHELL, and PUBLOAD. TONEINS is an installer for the TONESHELL backdoor, which establishes persistence and drops the TONESHELL malware to the %PUBLIC% folder. TONESHELL is a shellcode loader that loads and decodes the backdoor shellcode with a 32-byte key in memory. PUBLOAD is a stager that can download the next-stage payload from its command-and-control (C&C) server.
Mustang Panda’s tactics, techniques, and procedures (TTPs) include the use of malicious archives, DLL sideloading, and the abuse of benign executables for persistence. The group also leverages APIs with a callback function argument to invoke shellcode and has been known to abuse .lnk files to trigger malware.
Trend Micro has observed Mustang Panda targeting victims using a combination of spear-phishing emails and watering hole attacks. The group has also been observed using stolen sensitive documents as entry vectors for the next wave of intrusions.
The threat actor has been updating its toolsets and expanding its capabilities, indicating that it is an active and ongoing threat.
- Implement continuous phishing awareness training for partners and employees.
- Always check the sender and subject twice before opening an email, especially with an unidentifiable sender or an unknown subject.
- Use a multi-layered protection solution to detect and block threats as early as possible.
- Maintain up-to-date antivirus and anti-malware software.
- Regularly update software and systems to patch known vulnerabilities.
- Use risk-based vulnerability management to prioritize vulnerability remediation.
- Monitor network traffic and system logs for any signs of suspicious activity.
- Set up an attack surface monitoring program.
- Anticipate cyber attacks with Threat Intelligence and Threat Modeling
The activities of Mustang Panda (aka Bronze President, and Earth Preta) highlight the ongoing threat posed by state-sponsored APT groups. These groups are constantly evolving and updating their tactics to evade detection, and are likely to remain a significant threat to organizations in the coming years. It is crucial that organizations maintain a robust cybersecurity posture and implement appropriate mitigation strategies to protect their networks and sensitive information.