The BlackBerry Research & Intelligence Team recently uncovered a campaign by an advanced persistent threat (APT) group called Mustang Panda that is leveraging the PlugX malware family to target the Southeast Asian state of Myanmar. Our team analyzed the samples in question and found their embedded configurations revealed a set of command-and-control (C2) domains that masquerade as Myanmar news outlets. This is not the first time a campaign targeting this state has impersonated Myanmar news outlets or used PlugX malware. These tactics, techniques, and procedures (TTPs), along with other corroborating evidence – such as a previous indication that the group was active in this location – lead us to assert with reasonable confidence that the China-based threat group known as Mustang Panda is responsible for this campaign.

## Mustang Panda: an Origin Story

Mustang Panda (aka HoneyMyte, Bronze President or Red Delta) is a prolific APT group that has been publicly attributed as being based in China. This group conducted malware campaigns as far back as 2012, which primarily related to cyber-espionage. Their targets have included Government and Non-Government Organizations (NGO) in many locations around the world, from various states in Southeast Asia to the European Union to the U.S. and beyond.

Figure 1 – Partial map of countries previously targeted by Mustang Panda

## Mustang Panda Attack Vector

Mustang Panda typically sends phishing emails with malicious document attachments as an initial infection vector. These documents are usually designed to mimic those of the targeted country or organization, or even current world affairs applicable to that region. Once threat actors gain a foothold within a target organization, they typically deploy one of a variety of payloads such as Cobalt Strike, Poison Ivy, or PlugX, the latter of which is used most extensively.

In late May of this year, BlackBerry detected some unusual network traffic to a domain – At first glance, this URL appeared to be a Myanmar news website. The files found to be communicating with this site were encompassed in several. These files had a relatively low detection ratio on VirusTotal (VT), and as shown in Figure 2, they followed a naming convention designed to make them appear to be legitimate utilities relating to Hewlett-Packard (HP) printers.

Figure 4 – VirusTotal graph of network infrastructure

## What is PlugX?

PlugX is a remote access tool (RAT) used by several threat groups. It is the malware of choice for the Chinese APT group Mustang Panda. This group delivers the PlugX implant in the form of an encrypted data blob, which is typically paired with a DLL loader as well as a benign application. This actor has commonly employed the stealthy technique of side-loading the malicious DLLs into legitimate applications during execution. This action then deploys the PlugX implant into memory.

We noted threat actors had used three separate legitimate applications within our RAR files: a free VPN service, and two legitimate HP applications related to HP's Digital Imaging. Each legitimate application was bundled with a DLL and a data file. In two out of the three RAR files, the DAT file masqueraded as a different file format, such as JSON or CHM. Upon execution of the legitimate application, the threat loads a malicious DLL loader in a specific set order, which the threat actor has strategically placed in the same folder to replace a legitimate one.
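As an added defender-side triage check, not code from the BlackBerry report: the Python below scans an extracted folder for the bundle shape described above (a legitimate EXE, a loader DLL, and a data file dressed up as JSON or CHM) and flags a data file whose bytes are near-random yet do not parse as the format its extension claims. The folder layout, file names and stub executables are constructed for the demonstration and are not the campaign's own.

```python
import json
import math
import tempfile
from collections import Counter
from pathlib import Path

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: an encrypted blob approaches 8.0; real JSON or CHM sits far lower."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def matches_claimed_format(path: Path, data: bytes) -> bool:
    """Does the content agree with the extension the file carries (.json / .chm)?"""
    ext = path.suffix.lower()
    if ext == ".json":
        try:
            json.loads(data.decode("utf-8"))
            return True
        except (UnicodeDecodeError, ValueError):
            return False
    if ext == ".chm":
        return data.startswith(b"ITSF")  # well-known signature of a real CHM help file
    return True  # no opinion on other extensions

def find_sideload_bundles(folder: Path, entropy_threshold: float = 7.5) -> list:
    """Flag a folder holding an EXE, a DLL and a third file that is near-random
    yet does not match its extension, i.e. an encrypted payload blob in disguise."""
    files = [p for p in folder.iterdir() if p.is_file()]
    exes = [p.name for p in files if p.suffix.lower() == ".exe"]
    dlls = [p.name for p in files if p.suffix.lower() == ".dll"]
    hits = []
    for p in files:
        if not (exes and dlls) or p.suffix.lower() in (".exe", ".dll"):
            continue
        data = p.read_bytes()
        ent = shannon_entropy(data)
        if ent >= entropy_threshold and not matches_claimed_format(p, data):
            hits.append({"exe": exes, "dll": dlls, "blob": p.name, "entropy": round(ent, 2)})
    return hits

def build_demo_folder() -> Path:
    """Constructed sample (names invented): one 'printer utility' triad whose
    .json is really a high-entropy blob, and one benign triad with genuine JSON."""
    root = Path(tempfile.mkdtemp())
    bad, good = root / "suspicious", root / "benign"
    for d in (bad, good):
        d.mkdir()
        (d / "HPUtility.exe").write_bytes(b"MZ" + b"\0" * 62)  # stub, not a real PE
        (d / "helper.dll").write_bytes(b"MZ" + b"\0" * 62)
    (bad / "settings.json").write_bytes(bytes(range(256)) * 16)  # entropy exactly 8.0
    (good / "settings.json").write_text(json.dumps({"printer": "default"}))
    return root
```

Running `find_sideload_bundles` over each subfolder of `build_demo_folder()` reports the suspicious triad and nothing for the benign one; on real extracted archives, treat a hit as a prompt to verify the EXE's signature and the DLL's origin rather than as a verdict.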