The China state-backed group Mustang Panda has been abusing Google Drive to launch spear-phishing attacks on government, educational and research-based institutes, researchers found. According to Heimdal Security, the hacker collective tricked employees of government and legal organizations with Google Drive links sent in fraudulent emails. The malicious files were JAR, RAR, or ZIP archives carrying the PubLoad malware along with ToneShell and ToneIns.
These cyberattacks were observed between March and October 2022 and mainly targeted Australia, Japan, Myanmar, the Philippines, and Taiwan. The fake emails were sent using Gmail and urged targets to download the malicious files under the guise of messages about pressing social and political issues. The subject lines were tailored with geopolitical themes. Researchers found that nearly 84% of the group’s targets were government or legal entities.
The Mustang Panda Group
The Mustang Panda group is known for using current events and themed lures to grab the attention of its targets, often in Europe, the United States of America, and Asia. The group is also called RedDelta, HoneyMyte, and Bronze President and has been active since 2012.
Think tanks, NGOs, Catholic organizations, and government bodies have all been victimized by this group. Its Asian targets include Taiwan, Hong Kong, Mongolia, Tibet, Myanmar, Afghanistan, and India, among others.
Mustang Panda has also impersonated the Council of the European Union, as seen in the image below. The group sent fraudulent press releases in the agency’s name to win the trust of government staff.
This bait consisted of a fraudulent press release about sending state aid to Greece.
The Mustang Panda Group has used pressing issues as lures and targeted high-profile government agencies and employees for cyberespionage. Some Asian-themed lures were related to the ASEAN summit, whose roughly ten member countries fell within the cyberattack’s purview.
American-themed lures targeted the United States Assistant Secretary of State with malicious files such as ‘Biden’s attitude towards the situation in Myanmar.zip’, which used payloads to infect the users’ devices.
The role of the Myanmar news website
Researchers at BlackBerry found that a set of command-and-control domains had been made to look as if they belonged to Myanmar news outlets. The Mustang Panda Group is known to send socially engineered phishing emails crafted around current affairs, such as crucial or pressing events. They have also impersonated COVID-19 helplines to launch the Korplug or PlugX RAT for data exfiltration and deletion.
Based on some of the samples retrieved, the Mustang Panda group used www[.]myanmarnewsonline[.]org, which appeared to be a news website but was in fact being sent a flood of traffic using .RAR files. These files had a low detection rate on VirusTotal and were renamed to appear legitimate, for example as Hewlett-Packard printer files. Carrying a PlugX payload, these .RAR files pair with DLLs to exploit the behavior of applications on the system.
The group has been using several other legitimate applications, such as a free VPN service, to decrypt, load, and deploy malicious PlugX implants. Such attacks help the group collect all the data it requires, redirect the user to web pages of its choosing, and steal data using Google Drive.