Trend Micro researchers detailed a new campaign of Mustang Panda – a Chinese APT that’s targeting several government organizations across the world.

Researchers noted how well the threat actor is developing over time, with the usage of new backdoors that use legitimate file hosting sites for evading detection and are sophisticated enough to perform its operations. Here’s more;

Mustang Panda New Campaign

Mustang Panda, also known as the Bronze President or TA416, has been operating since March this year in several parts of the world. The Chinese APT has been linked to various attacks in recent months, with the Trend Micro researchers releasing a fresh report on their new campaign.

As per it, the threat actor is seen targeting government, research, and academic organizations in Australia, Japan, Taiwan, Myanmar, and the Philippines, with their malware, hosted in legitimate file hosting platforms like Google Drive or Dropbox.

They’re said to be using Google accounts to send emails to their targets, with a subject something related to geopolitical issues – as most of them (84%) are targeted against the government or legal organizations.

The embedded malware links are hosted in Google Drive or Dropbox folders, which are not often flagged by security software due to their good reputation. And with several lures, the targets are asked to download those compressed files with RAR, ZIP, or JAR extensions, which unpack themselves as ToneShell, ToneIns, and PubLoad.

While unpacking, the malware shows a decoy document on the screen to avoid suspicion while running its process in the background. While Cisco researchers noted PubLoad in their previous documentation from May 2022, the existence of ToneShell and ToneIns are found in the latest one.

The usage of ToneShell or Tonelns defines the level of sophistication threat actors are upto, as they contain obfuscated code, anti-analysis mechanisms, and others to avoid detection.

Moreover, threat actors in the latest campaign are sending emails to targets by addressing them in CC space – instead of To fields, where most of the investigations are done in case of an attack scene. All these define that Mustang Panda is actively working on improving its tool.

Once installed in the target system, ToneShell, the smart backdoor will assign a victim ID for the threat actor to track and awaits the instructions. These include uploading, downloading, and executing files, creating shells for intranet data exchange, changing sleep configuration, and more.

Researchers noted that the TTPs of this campaign aligns with that of the Secureworks report from September 2022, which tracked a previous campaign of Mustang Panda.


Please enter your comment!
Please enter your name here