The Chinese state-sponsored threat actor known as Mustang Panda is targeting government organizations and researchers around the world with three types of malware hosted on Google Drive, Dropbox, and the like. cloud storage (Opens in a new tab) Solution.
Trend Micro researchers recently discovered a device malware Campaign mostly targeting organizations located in Australia, Japan, Taiwan, Myanmar and the Philippines.
Mustang Panda launched in March 2022 and ran until at least October. Attackers will create phishing E-mail, send it to a fake address, while keeping the actual victim in CC. The researchers hypothesize that the attackers in this way wanted to reduce their chances of being caught Antivirus Email security tools and solutions and the like.
Malicious archive delivery
The report states: “The subject of the email may be empty or it may have the same name as the malicious archive.” “Instead of adding victims’ addresses to the ‘to’ email address, the threat actors used fake emails. Meanwhile, the addresses of real victims were written in the ‘CC’ address, potentially avoiding security analysis and slowing down investigations.”
Another thing they have done to avoid detection is to store the malware on legitimate cloud storage solutions, in a .ZIP or .RAR file, as these platforms are usually whitelisted by security tools. However, if the victim falls for the trick, downloads the archive file and runs it, they will get access to these three dedicated strains of malware: PubLoad, ToneIns, and ToneShell.
PubLoad is a storage device, which is used to download the next hop payload from its C2 server. It also adds new registry keys and scheduled tasks to establish continuity. ToneIns is an installer for ToneShell, which is the main backdoor. Although the process may seem very complex, it acts as an anti-sandbox mechanism, the researchers explain, because the backdoor will not be executed in a debug environment.
The main job of malware is to upload, download, and execute files. It can create shells to exchange intranet data, or change the sleep configuration, among other things. The malware recently got two new features, researchers say, which indicates that Mustang Panda is hard at work improving its toolkit and becoming more dangerous by the day.
Across: Computer (Opens in a new tab)