A RAR file associated with the advanced persistent threat (APT) group Mustang Panda was found by researchers. The decoy archive, titled "Political Guidance for the new EU approach towards Russia.rar", is suspected to carry the group's typical PlugX infection chain and to be used in a phishing campaign against targets in Europe and the Asia Pacific region.
The BlackBerry Threat Research and Intelligence team published a blog post detailing the samples. The decoy documents matched the naming convention of the RAR, and other findings, such as infrastructure and network artifacts, pointed toward the tactics, techniques, and procedures (TTPs) used by Mustang Panda.
Details of the samples found
The network infrastructure used web-based command and control (C2), and following it led to DLL loaders and encrypted .dat payloads.
The current-event-themed phishing emails were sent to targets in mining, CDN companies, internet service providers, internet security firms, web hosting companies, telecoms, and education. The emails delivered a PlugX payload that is loaded through DLL search-order hijacking.
The .LNK file carries a double file extension, which is suspected to be a disguise: Windows Explorer always hides the .lnk extension, so a shortcut whose name ends in a document extension before the .lnk appears to be a document, and the target opens it. The shortcut's target is a cmd.exe command line that starts the attack chain. The `||` operator runs its right-hand side only when the left-hand side fails, so the odd relative path to test11.bpu acts as a trigger for forfiles, which searches the user profile for the RAR by name and hands each match to 7-Zip for extraction, trying the 64-bit Program Files install first and the 32-bit one as a fallback. The caret (^) inside the switches is cmd's escape character; cmd strips it before use, so it only serves to obfuscate the switches from string matching:
"C:\Windows\System32\cmd.exe /c "_\___\_\___\______\_____\__\test11.bpu||(forfiles /^P %USERPROFILE%\ /S /^M "Political Guidance for the new EU approach towards Russia.rar" /C "cmd /c (c:\progra~1\7-Zip\7z x -y -aoa @path||c:\progra~2\7-Zip\7z x -y -aoa @path"
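To turn the observations above into something a detection engineer can run, here is an added example (my own code, not BlackBerry's and not from the article) that takes a shortcut's command line and file name and reports the indicators discussed: caret-escaped switches, the `||` fallback chain, forfiles used to locate and execute on a file, 7-Zip extraction from the command line, a nested `cmd /c`, and a double extension hiding `.lnk`. The decoy sample is the command line quoted above with its typographic quotes straightened; the benign Firefox shortcut and the "two or more indicators is suspicious" threshold are my own constructed assumptions, not from the report.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the shortcut command line quoted in the article
# (typographic quotes straightened, otherwise as printed, including the
# truncated tail) and a benign shortcut target for contrast (assumption).
SAMPLES = {
    "decoy": (
        r'C:\Windows\System32\cmd.exe /c "_\___\_\___\______\_____\__\test11.bpu'
        r'||(forfiles /^P %USERPROFILE%\ /S /^M '
        r'"Political Guidance for the new EU approach towards Russia.rar" '
        r'/C "cmd /c (c:\progra~1\7-Zip\7z x -y -aoa @path'
        r'||c:\progra~2\7-Zip\7z x -y -aoa @path"'
    ),
    "benign": r'"C:\Program Files\Mozilla Firefox\firefox.exe" -url https://example.org',
}

DOC_EXTS = r"docx?|xlsx?|pptx?|pdf|rtf|txt"


def unescape_cmd(s: str) -> str:
    """cmd.exe treats ^ as an escape character: ^P is just P. Removing it
    recovers the real switches (/^P -> /P) so later matches are not fooled."""
    return re.sub(r"\^(.)", r"\1", s)


def split_chain(s: str) -> List[str]:
    """Split a cmd line on its chaining operators. '||' runs the right-hand
    side only when the left-hand side fails, which is how the decoy falls
    through from test11.bpu to forfiles and from the 64-bit 7-Zip path to the
    32-bit one. Quoting is ignored here; good enough for triage."""
    parts = re.split(r"\|\||&&|&", s)
    return [p.strip().strip("()").strip() for p in parts if p.strip()]


def has_double_extension(filename: str) -> bool:
    """'Guidance.docx.lnk' is shown as 'Guidance.docx' by Explorer because the
    .lnk extension is always hidden."""
    return re.search(rf"\.({DOC_EXTS})\.lnk$", filename, re.IGNORECASE) is not None


@dataclass
class Verdict:
    indicators: List[str] = field(default_factory=list)
    commands: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Threshold is an assumption for this example; tune it to your data.
        return len(self.indicators) >= 2


def analyze_lnk(cmdline: str, lnk_name: Optional[str] = None) -> Verdict:
    """Report the indicators from the article that are present in a shortcut."""
    v = Verdict()
    if "^" in cmdline:
        v.indicators.append("caret-escaped switches (cmd obfuscation)")
    clean = unescape_cmd(cmdline)
    v.commands = split_chain(clean)
    low = clean.lower()
    if "||" in cmdline:
        v.indicators.append("'||' fallback chain")
    if re.search(r"\bforfiles\b.*?/m\s", low) and "/c" in low:
        v.indicators.append("forfiles used to locate a file and run a command on it")
    if re.search(r"7z(?:\.exe)?\s+x\b", low):
        v.indicators.append("7-Zip extraction of an archive from the command line")
    if low.count("cmd") >= 2 and "/c" in low:
        v.indicators.append("nested cmd /c")
    if lnk_name and has_double_extension(lnk_name):
        v.indicators.append("double extension hides .lnk")
    return v


if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        verdict = analyze_lnk(cmd, "Political Guidance.docx.lnk" if label == "decoy" else None)
        print(f"{label}: suspicious={verdict.suspicious}")
        for ind in verdict.indicators:
            print("  -", ind)
        for c in verdict.commands:
            print("  cmd:", c)
```

Run against the decoy, the unescaped chain splits into three commands (the bogus test11.bpu path, the forfiles search, and the 32-bit 7-Zip fallback) and all five command-line indicators fire; the benign shortcut produces none. The same checks translate directly into a Sysmon or EDR query on process creation events where the parent is explorer.exe and the command line contains forfiles or 7z.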
The loader decrypts the PlugX payload and passes execution to it, and the PlugX configuration is likewise decrypted into memory. Fifteen other IP addresses presenting the same SSL certificate were found, five of which were used as C2 servers; the certificate was first seen on 2022-02-27, according to previous research. Researchers found these details at this stage:
- IP address: 5[.]34[.]178[.]156
- Campaign ID: test222
- C2 IP address: 5[.]34[.]178[.]156
- SHA256: f70d3601fb456a18ed7e7ed599d10783447016da78234f5dca61b8bd3a084a15
The Mustang Panda group
The Mustang Panda group is also known as HoneyMyte, Red Delta, and Bronze President. It is associated with Chinese state-backed cyber espionage, and its attacks date back to 2012. The group often targets government and private sector organizations across the world, including in Southeast Asia, the European Union, the United States, and Vietnam.
The group has previously used current events such as the COVID-19 pandemic and international summits to lure targets, and it now appears to be using the war between Russia and Ukraine to craft decoy documents that win the target's trust.