A Chinese state-sponsored threat actor known as Mustang Panda is targeting government organizations and researchers around the world with three malware variants hosted on Google Drive, Dropbox, and similar cloud storage solutions.
Trend Micro researchers recently spotted the new malware campaign, targeting mostly organizations located in Australia, Japan, Taiwan, Myanmar, and the Philippines.
Mustang Panda was initiated in March 2022 and has lasted until at least October. The attackers would create a phishing email, send it to a bogus address, while keeping the actual victim in CC. That way, the researchers assume, the attackers wanted to minimize the chances of being picked up by antivirus tools, email security solutions, and similar.
Delivering malicious archives
“The email’s subject might be empty or might have the same name as the malicious archive,” the report states. “Rather than add the victims’ addresses to the email’s “To” header, the threat actors used fake emails. Meanwhile, the real victims’ addresses were written in the “CC” header, likely to evade security analysis and slow down investigations.”
Another thing they did to avoid detection is store the malware on legitimate cloud storage solutions, in a .ZIP or .RAR file, as these platforms are usually whitelisted by security tools. However, should the victim fall for the trick, download and run the archive file, they’d be getting these three custom malware strains: PubLoad, ToneIns, and ToneShell.
PubLoad is a stager, used to download the next-stage payload from its C2 server. It also adds new registry keys and scheduled tasks to establish persistence. ToneIns is an installer for ToneShell, which is the main backdoor. While the process might sound overly complex, it works as an anti-sandbox mechanism, the researchers explained, as the backdoor won’t execute in a debugging environment.
The malware’s main job is to upload, download, and execute files. It can create shells for intranet data exchange, or change sleep configuration, among other things. The malware’s gotten a couple of new features lately, the researchers are saying, suggesting that Mustang Panda is hard at work, improving its toolkit and growing more dangerous by the day.
These are the best identity theft protection programs right now