| Mustang Panda | |
| --- | --- |
| Other Names | BASIN, BRONZE PRESIDENT, Earth Preta, HoneyMyte, LuminousMoth, Polaris, Red Lich, Stately Taurus, TA416, TANTALUM, TEMP.HEX, Twill Typhoon, Camaro Dragon, RedDelta |
| Location | China |
| Date of initial activity | 2011 |
| Suspected attribution | Chinese state-sponsored espionage group |
| Motivation | Cyber-espionage driven by a combination of political, economic, and strategic motivations aimed at bolstering China’s national interests on the global stage. |
| Associated tools | Cobalt Strike |
| Software | Windows |
| Systems targeted | Windows |
| Active | Yes |
Overview
Mustang Panda is a notable cyber espionage group believed to operate out of China, specializing in targeted attacks against government agencies, non-governmental organizations (NGOs), and other entities across multiple countries globally. First observed in 2017, but potentially active since 2014, the group has gained infamy for its sophisticated tactics and persistent targeting of sensitive sectors including defense, diplomacy, and human rights advocacy.
The group’s operational scope spans a wide geographical range, targeting organizations in the United States, Europe, Mongolia, Myanmar, Pakistan, Vietnam, and likely others. Their targets typically include entities involved in political affairs, international relations, and humanitarian causes, suggesting a strategic interest in geopolitical intelligence and influence.
Mustang Panda’s initial access typically comes from spearphishing campaigns tailored to specific targets: malicious attachments or links designed to exploit vulnerabilities and gain a foothold on the victim’s systems. Once inside a network, the group deploys a variety of tools and tactics to maintain persistence and exfiltrate sensitive data discreetly.
To keep that access, Mustang Panda creates registry keys for autostart execution, uses PowerShell scripts for automation, and abuses legitimate remote access tools such as TeamViewer. The group also evades detection through DLL side-loading, masquerading malware under legitimate file names, and encrypting its communications to conceal malicious activity.
The group’s use of advanced malware strains and their ability to adapt quickly to security measures make them a persistent threat in the cybersecurity landscape. Their operations are characterized by a high level of organization, technical expertise, and strategic targeting aligned with state-sponsored cyber espionage objectives.
Common targets
Government Entities, Non-Governmental Organizations (NGOs), Religious Organizations, Think Tanks, Academic Institutions, Private Sector, Political Entities in the U.S., Europe, Mongolia, Myanmar, Pakistan, and Vietnam, among others.
Attack Vectors
Mustang Panda employs a variety of attack vectors to compromise their targets, focusing primarily on spear-phishing emails that deliver malicious attachments or links.
How they operate
The modus operandi of Mustang Panda involves a multi-stage process designed to infiltrate and persist within targeted networks. Initially, the group acquires infrastructure such as domain names to establish their operational base. They employ sophisticated social engineering tactics, often using spearphishing emails with malicious attachments or links tailored to specific victims. These emails are crafted to exploit vulnerabilities in commonly used software, facilitating initial access to the victim’s systems.
Once inside a network, Mustang Panda employs a range of techniques to maintain persistence and expand their access. They utilize tools like PowerShell and Windows Command Shell to execute malicious scripts and commands, enabling them to escalate privileges and move laterally across the network. The group is adept at hiding their activities by creating registry entries for autostart mechanisms, disguising malware with legitimate file names, and deleting traces of their presence to evade detection.
Data exfiltration is a critical phase of Mustang Panda’s operations: the group collects sensitive information such as documents, credentials, and intellectual property, and communicates with its command-and-control (C2) servers over encrypted channels, which makes that traffic difficult for security teams to monitor and intercept. Exfiltration over physical media such as USB drives further complicates detection, especially in environments with strict network security controls.
To further its objectives, Mustang Panda has been observed using malware tools including PlugX and PoisonIvy, both known for remote access and data theft capabilities. These tools let the group maintain persistent access, capture keystrokes, and conduct network reconnaissance. Its operations also exploit vulnerabilities in commonly used software such as Microsoft Office, delivering payloads as spearphishing attachments that compromise the system when the recipient opens them.
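The persistence and evasion behaviours described in this section (Run-key autostart, DLL side-loading, masquerading under system binary names) all leave traces in endpoint telemetry that defenders commonly collect. The script below is an added example written for this page, not code from the profile or from any of the vendor reports it draws on. It runs three simple hunting checks over constructed Sysmon-style events (the field names follow Sysmon's schema; the hostnames, paths, SID and events are made up for illustration) and tags each hit with the ATT&CK technique ID used in the list further down. The path fragments and binary names used as heuristics are assumptions to be tuned against a real environment's baseline.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry). Field names follow Sysmon's
# schema: EventID 1 = process create, 7 = image load, 13 = registry value set.
SAMPLE_EVENTS = [
    {"EventID": 13, "Host": "ws01",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\update\svc.exe"},
    {"EventID": 13, "Host": "ws01",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 7, "Host": "ws02",
     "Image": r"C:\Users\bob\AppData\Local\Temp\viewer.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\helper.dll", "Signed": "false"},
    {"EventID": 7, "Host": "ws02",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 1, "Host": "ws03",
     "Image": r"C:\Users\carol\AppData\Roaming\svchost.exe"},
    {"EventID": 1, "Host": "ws03",
     "Image": r"C:\Windows\System32\svchost.exe"},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Assumed path fragments an ordinary user can write to; tune for your estate.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# Assumed set of names commonly borrowed for T1036.005; extend from your baseline.
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}


def norm(path: str) -> str:
    """Lower-case a Windows path and force backslash separators for comparison."""
    return path.replace("/", "\\").lower()


def in_user_writable(path: str) -> bool:
    return any(frag in norm(path) for frag in USER_WRITABLE)


def in_system_dir(directory: str) -> bool:
    d = norm(directory).rstrip("\\")
    return any(d == s or d.startswith(s + "\\") for s in SYSTEM_DIRS)


def finding(technique: str, ev: dict, evidence: str) -> dict:
    return {"technique": technique, "host": ev["Host"], "evidence": evidence}


def check_run_key(ev: dict):
    """T1547.001: a Run/RunOnce value whose target lives in a user-writable path."""
    if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return None
    target = ev.get("Details", "")
    if in_user_writable(target):
        return finding("T1547.001", ev, f"{ev['TargetObject']} -> {target}")
    return None


def check_sideload(ev: dict):
    """T1574.002 heuristic: an unsigned DLL loaded from the same user-writable,
    non-system directory as the process that loaded it."""
    if ev.get("EventID") != 7 or ev.get("Signed", "").lower() != "false":
        return None
    proc_dir = str(PureWindowsPath(ev["Image"]).parent)
    dll_dir = str(PureWindowsPath(ev["ImageLoaded"]).parent)
    if norm(proc_dir) == norm(dll_dir) and not in_system_dir(proc_dir) and in_user_writable(proc_dir):
        return finding("T1574.002", ev, f"{ev['Image']} loaded unsigned {ev['ImageLoaded']}")
    return None


def check_masquerade(ev: dict):
    """T1036.005: a well-known system binary name executing outside System32/SysWOW64."""
    if ev.get("EventID") != 1:
        return None
    image = PureWindowsPath(ev["Image"])
    if image.name.lower() in SYSTEM_BINARY_NAMES and not in_system_dir(str(image.parent)):
        return finding("T1036.005", ev, f"{image.name} ran from {image.parent}")
    return None


CHECKS = (check_run_key, check_sideload, check_masquerade)


def triage(events):
    """Run every check over every event and return the findings in event order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['technique']}] {f['host']}: {f['evidence']}")
```

Each check deliberately requires two conditions (the sensitive location plus a user-writable or non-system path) so that routine vendor installers and Windows' own binaries do not fire; the side-loading check in particular is only a heuristic, since Sysmon's image-load event carries the signature status of the loaded DLL but not of the loading process.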
MITRE ATT&CK Techniques
T1583.001 – Acquire Infrastructure: Domains
T1071.001 – Application Layer Protocol: Web Protocols
T1560.001 – Archive Collected Data: Archive via Utility
T1560.003 – Archive Collected Data: Archive via Custom Method
T1119 – Automated Collection
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1059.001 – Command and Scripting Interpreter: PowerShell
T1059.003 – Command and Scripting Interpreter: Windows Command Shell
T1059.005 – Command and Scripting Interpreter: Visual Basic
T1074.001 – Data Staged: Local Data Staging
T1573.001 – Encrypted Channel: Symmetric Cryptography
T1585.002 – Establish Accounts: Email Accounts
T1546.003 – Event Triggered Execution: Windows Management Instrumentation Event Subscription
T1052.001 – Exfiltration Over Physical Medium: Exfiltration over USB
T1203 – Exploitation for Client Execution
T1083 – File and Directory Discovery
T1564.001 – Hide Artifacts: Hidden Files and Directories
T1574.002 – Hijack Execution Flow: DLL Side-Loading
T1070.004 – Indicator Removal: File Deletion
T1105 – Ingress Tool Transfer
T1036.005 – Masquerading: Match Legitimate Name or Location
T1027.001 – Obfuscated Files or Information: Binary Padding
T1003.003 – OS Credential Dumping: NTDS
T1566.001 – Phishing: Spearphishing Attachment
T1598.003 – Phishing for Information: Spearphishing Link
T1057 – Process Discovery
T1219 – Remote Access Software
T1091 – Replication Through Removable Media
T1053.005 – Scheduled Task/Job: Scheduled Task
T1518 – Software Discovery
T1608.001 – Stage Capabilities: Upload Malware
T1218.004 – System Binary Proxy Execution: InstallUtil
T1218.005 – System Binary Proxy Execution: Mshta
T1082 – System Information Discovery
T1016 – System Network Configuration Discovery
T1049 – System Network Connections Discovery
T1204.001 – User Execution: Malicious Link
T1204.002 – User Execution: Malicious File
T1102 – Web Service
T1047 – Windows Management Instrumentation
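A technique list like the one above is most useful to a defender once it is loaded into a coverage-mapping tool. The script below is an added example, not code from the page or from MITRE: it parses the list exactly as written (technique ID, en dash, name), rejects malformed lines, de-duplicates, groups sub-techniques under their parent ID, and emits a minimal ATT&CK Navigator layer in which every listed technique is scored 1 so it can be overlaid on an organisation's own detection-coverage layer. The Navigator layer format keys are real; the `versions` numbers and the colour gradient are assumptions and may need adjusting for the Navigator build in use.

```python
import json
import re
from collections import defaultdict

# The technique list as it appears on the page, one "ID – Name" entry per line.
TECHNIQUE_LIST = """\
T1583.001 – Acquire Infrastructure: Domains
T1071.001 – Application Layer Protocol: Web Protocols
T1560.001 – Archive Collected Data: Archive via Utility
T1560.003 – Archive Collected Data: Archive via Custom Method
T1119 – Automated Collection
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1059.001 – Command and Scripting Interpreter: PowerShell
T1059.003 – Command and Scripting Interpreter: Windows Command Shell
T1059.005 – Command and Scripting Interpreter: Visual Basic
T1074.001 – Data Staged: Local Data Staging
T1573.001 – Encrypted Channel: Symmetric Cryptography
T1585.002 – Establish Accounts: Email Accounts
T1546.003 – Event Triggered Execution: Windows Management Instrumentation Event Subscription
T1052.001 – Exfiltration Over Physical Medium: Exfiltration over USB
T1203 – Exploitation for Client Execution
T1083 – File and Directory Discovery
T1564.001 – Hide Artifacts: Hidden Files and Directories
T1574.002 – Hijack Execution Flow: DLL Side-Loading
T1070.004 – Indicator Removal: File Deletion
T1105 – Ingress Tool Transfer
T1036.005 – Masquerading: Match Legitimate Name or Location
T1027.001 – Obfuscated Files or Information: Binary Padding
T1003.003 – OS Credential Dumping: NTDS
T1566.001 – Phishing: Spearphishing Attachment
T1598.003 – Phishing for Information: Spearphishing Link
T1057 – Process Discovery
T1219 – Remote Access Software
T1091 – Replication Through Removable Media
T1053.005 – Scheduled Task/Job: Scheduled Task
T1518 – Software Discovery
T1608.001 – Stage Capabilities: Upload Malware
T1218.004 – System Binary Proxy Execution: InstallUtil
T1218.005 – System Binary Proxy Execution: Mshta
T1082 – System Information Discovery
T1016 – System Network Configuration Discovery
T1049 – System Network Connections Discovery
T1204.001 – User Execution: Malicious Link
T1204.002 – User Execution: Malicious File
T1102 – Web Service
T1047 – Windows Management Instrumentation
"""

# Accepts "T1234" or "T1234.001", separated from the name by an en dash or a hyphen.
ENTRY_RE = re.compile(r"^(T\d{4}(?:\.\d{3})?)\s+(?:–|-)\s+(.+?)\s*$")


def parse_techniques(text: str):
    """Return (entries, rejected): entries is a de-duplicated list of (id, name)
    pairs in page order; rejected collects lines that do not match the expected form."""
    entries, rejected, seen = [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        tid, name = m.group(1), m.group(2)
        if tid not in seen:
            seen.add(tid)
            entries.append((tid, name))
    return entries, rejected


def group_by_parent(entries):
    """Map each parent technique ID to the listed IDs under it, e.g. T1059 -> [T1059.001, ...]."""
    groups = defaultdict(list)
    for tid, _ in entries:
        groups[tid.split(".")[0]].append(tid)
    return dict(groups)


def build_layer(entries, name: str = "Mustang Panda - listed techniques") -> dict:
    """Build a minimal ATT&CK Navigator layer; every listed technique scores 1.
    The version numbers and gradient are assumed values, not taken from the page."""
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Techniques attributed to Mustang Panda on the profile page.",
        "techniques": [
            {"techniqueID": tid, "score": 1, "comment": tname, "enabled": True}
            for tid, tname in entries
        ],
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1},
    }


if __name__ == "__main__":
    found, bad = parse_techniques(TECHNIQUE_LIST)
    print(json.dumps(build_layer(found), indent=2))
    if bad:
        print("unparsed lines:", bad)
```

Grouping by parent is what makes the output actionable: a parent such as T1059 appearing three times tells the coverage reviewer that script-interpreter telemetry (PowerShell, cmd.exe and VBScript) deserves priority over techniques listed once.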
Significant Attacks and Campaigns
- CSIRT-CTI has identified two campaigns exhibiting strong indications of being connected to Stately Taurus (alias Bronze President, Camaro Dragon, Earth Preta, Mustang Panda, Red Delta and Luminous Moth), both assessed to have targeted the Myanmar Ministry of Defence and Foreign Affairs. (January 2024)
- An advanced persistent threat (APT) group suspected with moderate-high confidence to be Stately Taurus engaged in a number of cyberespionage intrusions targeting a government in Southeast Asia. This group is also known by several aliases, including Mustang Panda, BRONZE PRESIDENT, TA416, RedDelta and Earth Preta. (September 2023)