Security researchers have uncovered new activities attributed to Mustang Panda, a China-sponsored espionage group. Known for targeting government entities and military organizations across East Asia and Europe, the group has been using weaponized RAR archives. These archives contain malicious DLLs, which are deployed through DLL sideloading alongside legitimate signed executables. This technique allows Mustang Panda to bypass security controls by leveraging the trust of digitally signed binaries.
The attack begins when victims extract and execute software from RAR archives. The archives typically contain a legitimate executable file and a malicious DLL. The DLL sideloading method makes it difficult to detect since it relies on the system’s default behavior of loading DLLs. As the legitimate software runs, the malicious DLL is executed without triggering suspicion, enabling the attacker to compromise the system.
Mustang Panda’s recent campaigns have focused on government-related entities, particularly in Myanmar.
Researchers have found multiple variants of ToneShell malware in these attacks, each with subtle modifications to evade detection. Zscaler ThreatLabz identified three distinct variants, each using a different legitimate executable for DLL sideloading. These variants were found in various archives, such as “cf.rar,” “ru.zip,” and “zz.rar,” each containing different executables and malicious DLLs.
The DLL sideloading technique relies on exploiting Windows’ DLL search order, loading a malicious DLL in place of a legitimate one.
This method appears to run legitimate software while executing malicious code in the background. The malicious DLLs also utilize custom network protocols with FakeTLS headers to conceal malicious traffic. The latest variants use TLSv1.3 to further evade detection, and encrypted communication with command and control servers uses rolling XOR keys generated with custom methods.
