A recent report stated that the Mustang Panda group allegedly used a staging server that held both its malicious toolsets and temporarily stored exfiltrated information.
According to the investigation, the distribution point is an FTP server used as a transit stage for the various data exfiltrated each day. Most of the information stored on it consists of documents, webmail, and recordings.
The attack focuses on the Burmese government and on victims connected to Myanmar. The researchers found that the attackers had dumped American, European, and Asian passport data belonging to diplomats and to citizens applying for a Burmese visa.
Other targets of these attacks include the Myanmar law enforcement agency, the Bureau of Air Defense, Myanmar Armed Forces, Myanmar Army Engineering, the United Wa State Army, the Office of the State Administrative Council, the Department of Special Investigation, and the Office of the Information Police Chief.
The Mustang Panda campaign also overlaps with the current Hodur operation.
Files attributed to Mustang Panda were observed to share similarities with Hodur files. Hodur is a variant of the Korplug malware (also known as PlugX) that targets government agencies in Asian countries such as Mongolia, Myanmar, and Vietnam.
Other researchers found that some samples share similarities with campaigns of another Chinese APT, LuminousMoth: both use similar binaries for sideloading and identical exfiltration patterns. The most unusual trait, however, a USB launcher written in Delphi, is one that researchers have linked to Mustang Panda.
In other cases, researchers found only weak connections to older campaigns such as Operation Harvest or Operation NightScout. Only some samples could be linked to Mustang Panda with high probability, since the payloads vary significantly.
Mustang Panda is a notorious advanced persistent threat group that, as many researchers have documented, uses a wide range of methods to propagate malware. The attackers have focused on compromising high-profile Burmese organisations, NGOs, and government opposition groups.
Researchers emphasised that the sheer volume of exfiltrated information and the language barrier mean the investigation is not yet complete, so the list of targets may grow.