The menace actor tracked as Mustang Panda has refined its malware arsenal to incorporate new instruments with a purpose to facilitate information exfiltration and the deployment of next-stage payloads, in keeping with new findings from Pattern Micro.
The cybersecurity agency, which is monitoring the exercise cluster beneath the identify Earth Preta, mentioned it noticed “the propagation of PUBLOAD via a variant of the worm HIUPAN.”
PUBLOAD is a identified downloader malware linked to Mustang Panda since early 2022, deployed as a part of cyber assaults focusing on authorities entities within the Asia-Pacific (APAC) area to ship the PlugX malware.
“PUBLOAD was also used to introduce supplemental tools into the targets’ environment, such as FDMTP to serve as a secondary control tool, which was observed to perform similar tasks as that of PUBLOAD; and PTSOCKET, a tool used as an alternative exfiltration option,” safety researchers Lenart Bermejo, Sunny Lu, and Ted Lee mentioned.
Mustang Panda’s use of detachable drives as a propagation vector for HIUPAN was beforehand documented by Pattern Micro in March 2023. It is tracked by Google-owned Mandiant as MISTCLOAK, which it noticed in reference to a cyber espionage marketing campaign focusing on the Philippines which will have commenced way back to September 2021.
PUBLOAD is provided with options to conduct reconnaissance of the contaminated community and harvest recordsdata of curiosity (.doc, .docx, .xls, .xlsx, .pdf, .ppt, and .pptx), whereas additionally serving as a conduit for a brand new hacking software dubbed FDMTP, which is a “simple malware downloader” carried out primarily based on TouchSocket over Duplex Message Transport Protocol (DMTP).
The captured data is compressed into an RAR archive and exfiltrated to an attacker-controlled FTP website by way of cURL. Alternatively, Mustang Panda has additionally been noticed deploying a customized program named PTSOCKET that may switch recordsdata in multi-thread mode.
Moreover, Pattern Micro has attributed the adversary to a “fast-paced” spear-phishing marketing campaign that it detected in June 2024 as distributing electronic mail messages containing a .url attachment, which, when launched, is used to ship a signed downloader dubbed DOWNBAIT.
The marketing campaign is believed to have focused Myanmar, the Philippines, Vietnam, Singapore, Cambodia, and Taiwan primarily based on the filenames and content material of the decoy paperwork used.
DOWNBAIT is a first-stage loader software that is used to retrieve and execute the PULLBAIT shellcode in reminiscence, which subsequently downloads and runs the first-stage backdoor known as CBROVER.
The implant, for its half, helps file obtain and distant shell execution capabilities, alongside performing as a supply car for the PlugX distant entry trojan (RAT). PlugX then takes care of deploying one other bespoke file collector referred to as FILESAC that may acquire the sufferer’s recordsdata.
The disclosure comes as Palo Alto Networks Unit 42 detailed Mustang Panda’s abuse of Visible Studio Code’s embedded reverse shell characteristic to realize a foothold in goal networks, indicating that the menace actor is actively tweaking its modus operandi.
“Earth Preta has shown significant advancements in their malware deployment and strategies, particularly in their campaigns targeting government entities,” the researchers mentioned. “The group has evolved their tactics, […] leveraging multi-stage downloaders (from DOWNBAIT to PlugX) and possibly exploiting Microsoft’s cloud services for data exfiltration.”
