- In February 2022, corresponding roughly with the start of the Russian Invasion of Ukraine, Cisco Talos began observing the China-based threat actor Mustang Panda conducting phishing campaigns against European entities, including Russian organizations. Some phishing messages contain malicious lures masquerading as official European Union reports on the conflict in Ukraine and its effects on NATO countries. Other phishing emails deliver fake "official" Ukrainian government reports, both of which download malware onto compromised machines.
- Mustang Panda has been known to use themed lures relating to various current-day events and issues, including the COVID-19 pandemic, international summits and various political topics.
- While the Ukraine-related Mustang Panda developments have been reported by at least one other security firm, we identified additional samples that have not been cited in open-source reporting.
- Apart from targeting European countries, Mustang Panda has also targeted organizations in the U.S. and Asia.
- In these campaigns, we've observed the deployment of Mustang Panda's PlugX implant, custom stagers, reverse shells and meterpreter-based shellcode, all used to establish long-term persistence on infected endpoints with the intention of conducting espionage.
Threat actor profile
Mustang Panda, also known as "RedDelta" or "Bronze President," is a China-based threat actor that has targeted entities all over the world since at least 2012, including American and European entities such as government organizations, think tanks, NGOs, and even Catholic organizations at the Vatican.
We've also observed extensive targeting of Asian countries, such as the Taiwanese government, activists in Hong Kong, NGOs in Mongolia and Tibet, Myanmar and even Afghan and Indian telecommunication firms.
The threat actor heavily relies on sending lures via phishing emails to achieve initial infection. These lures often masquerade as legitimate documents of national and organizational interest to the targets. These infection vectors deploy malware predominantly consisting of the PlugX remote access trojan (RAT) with custom stagers, reverse shells, meterpreter and Cobalt Strike, which act as another mechanism for achieving long term access into their targets. One thing remains consistent across all these campaigns — Mustang Panda is clearly looking to conduct espionage campaigns.
Threat actor TTPs
Mustang Panda's recent activity targets European entities, including Russian targets, and uses political themes to deliver the PlugX family of malware implants.
Typical infection chains employed by Mustang Panda consist of three key components:
- Benign executable: Used to side-load a malicious DLL.
- Malicious DLL (loader): The malicious DLL accompanying the executable is usually a loader for the PlugX implant, typically an encrypted or encoded blob of data deployed by the loader DLL.
- PlugX implant: A RAT implant used extensively by Mustang Panda. It consists of a malicious DLL that can perform a variety of actions on the infected endpoint including downloading and deploying new modules/plugins.
- Stagers and reverse shells: Instead of using PlugX, the attackers will sometimes use DLLs acting as custom developed stagers, meterpreter-based shellcode downloaders and even custom reverse shells.
Infection chains utilized by the APT group typically consist of:
- Executable downloaders: These downloaders are delivered packaged in an archive. The downloaders are responsible for fetching and instrumenting various infection artifacts, resulting in the deployment of the PlugX implant on the infected endpoint.
- Archive based infections: Malicious archives delivered to targets typically consist of a benign executable with names meant to trick victims into executing them. The executable will load a malicious DLL which can either be the loader for the PlugX implant or a reverse shell or meterpreter-based shellcode downloader.
- Shortcut files: Shortcuts (LNK files) delivered to victims consist of all the infection components embedded in the LNK files. These consist of intermediate components like BAT files that are meant to load the malicious DLLs which may be PlugX loaders or stagers.
- Maldocs: We've also observed limited use of maldocs to target entities in Asia with the stagers and meterpreter payloads to execute the next stage of shellcode payloads.
Targets across the world
European political lures
This attacker started attacks earlier this year where a vast majority of the lures and decoys consisted of themes related to the European Union (EU). For example, in early January 2022, we saw the attackers employ a lure that consisted of a European Commission report on state aid to Greece between 2022 and 2027. Toward the end of January, the attackers started using a press release from the EU regarding the union's human rights priorities in 2022.
The attackers also started taking advantage of publications and documents related to the degrading relations between Ukraine and Russia. In late January, the group started spreading a lure containing PlugX that disguised itself as a report from the EU's general secretary.
When Russia invaded Ukraine on Feb. 24, 2022, the attackers started using related documents to infect their targets. A lure from Feb. 28 was disguised as a report on the situation along European borders with Ukraine, while another one in March consisted of a report on the situation along the European borders with Belarus.
While the threat actors continued the use of regional and topical events in Eastern Europe, they also used other topics of interest to infect their victims. In March, we observed the use of a lure targeting Russian agencies, a malicious executable delivering the PlugX implant, named "Благовещенск - Благовещенский Пограничный Отряд.exe" roughly translating to "Blagoveshchensk - Blagoveshchensk Border Guard Detachment.exe," a report on the border detachment to Blagoveshchensk, a town of strategic importance to Russia, located on the Sino-Russian border.
American-themed political lures
Since at least May 2016, Mustang Panda has operated campaigns targeting multiple entities in the United States. Additionally, the APT has frequently used overlapping topics of interest to multiple entities across the globe. Some of their lures such as "U.S. Asst Secretary of State Visit to ASEAN Countries.rar" from December 2021 and "Biden's attitude towards the situation in Myanmar.zip" from February 2021 reaffirm this trend of targeting two birds with one stone. In all these instances, we observed the use of stagers as the final payloads in the infection chains instead of a direct deployment of PlugX.
Mustang Panda has been extremely prolific in targeting various government entities in Asian countries over the past few years such as those in Myanmar, Hong Kong, Japan and Taiwan.
The threat actor has aggressively targeted the government of Myanmar since 2019, even breaching their websites on multiple occasions to host malware payloads. This targeting continued into 2021 with lures related to the National Unity Government of Myanmar and its People's Defence Force. All these attacks resulted in the deployment of an implant executing meterpreter HTTP shellcode.
Mustang Panda has frequently used the ASEAN summit as a topic for their lures to infect individuals participating in this summit. Using such topics enables the APT to infect a wide range of targets (the ASEAN association consists of 10 member countries in Southeast Asia). This tactic is in line with Mustang Panda's practice of using an overlapping topic of interest to target multiple entities with the same lures.
Japanese government officials have also been targeted recently using lures masquerading as minutes of the Japanese cabinet's meetings in 2021. Lures such as "210615_Cabinet_Meeting_Minutes.exe" and "210831_21st Cabinet Meeting Minutes.rar" have been actively used to infect victims with custom stagers.
Latest infection vectors
Beginning in 2022, we observed Mustang Panda distributing malicious executables that act as downloaders and are disguised as fake reports on various Europe-related subjects, as initial infection vectors against targets in Europe. These executables were usually distributed to the targets wrapped in an archive file. Recently, ESET disclosed a similar infection delivering a previously unknown PlugX variant.
As recently as March 2022, we discovered a downloader pretending to be a report on the current situation along European borders with Belarus. In another instance, we observed an executable named "Благовещенск - Благовещенский Пограничный Отряд.exe" roughly translating to "Blagoveshchensk - Blagoveshchensk Border Guard Detachment.exe", a report on the border detachment to Blagoveshchensk, a town located on the Sino-Russian border.
The downloader loads all the artifacts in the infection chain. All the artifacts are data files that need to be decoded by the various infection components before being activated on the infected endpoint. There are four components downloaded as part of the infection chain:
- The first component is a decoy PDF masquerading as an official European Union report on the conflict in Ukraine and its effects on NATO countries. This document is not malicious and only serves to project authenticity and distract the victim.
- A benign executable that loads the third component — a malicious DLL-based loader — via the DLL sideloading technique. DLL sideloading involves tricking a benign process into loading a malicious DLL that disguises itself as legitimate.
- The DLL loader, itself a DLL, is responsible for decoding, loading and activating the final malicious implant. First, it reads a data file downloaded by the downloader binary from a hardcoded location on disk and decodes the data file into a DLL. Then, the loader reflectively loads the final DLL-based implant into the memory of the current process and runs it.
- A RAT called PlugX, Mustang Panda's malware of choice.
The benign executable is executed on the endpoint using a command such as:
cmd.exe /c ping.exe 22.214.171.124 -n 70&&"%temp%\FontEDL.exe"
The executable is simply meant to load the DLL and call one of its exported APIs to activate its malicious functionality.
Malicious DLL — PlugX loader
The malicious DLL is the actual loader for the PlugX implant downloaded by the initial downloader as a DAT file. This DLL is loaded by the benign process and carries out the following actions:
- Read a data file downloaded earlier by the downloader binary from a hardcoded location.
- Decode the data file into a DLL.
- Reflectively load the new DLL into the current process' memory and run it.
The new DLL is the actual PlugX implant.
PlugX loader decodes and jumps to execute the actual implant DLL in memory.
The infection chain is as follows:
Toward the end of March 2022, however, the attackers made another update to their tactics. This time, the downloader executable would use only two remote URLs to obtain all the components of the infection chain. While one URL would host the decoy document, the other URL hosts the benign exe, the implant loader DLL and the encrypted PlugX implant. Once the payloads are downloaded and decrypted, they are activated using the same technique illustrated earlier — the EXE loads a DLL-based loader that decrypts the final PlugX payload and deploys it. The themes used in these lures pertained to Europe with malicious downloaders named "Invitation letter_ECGFF_Frontex_WS_final_countersigned.exe" and "Latest analyses of Russia's war on Ukraine.exe."
While Mustang Panda recently began using downloader executables, the group continues to deliver their malware via archive files consisting of a benign executable that loads and activates the accompanying malware payload DLL, which they have done since at least 2019.
Throughout 2021, we observed the use of malicious archives containing an executable (loader), a DLL-based loader and an encrypted blob of data (DAT file) being delivered to targets. The DLL-based loader is responsible for decrypting the DAT file containing the PlugX implant.
The executable is typically executed via:
- Social engineering: Disguising the initial executable as a legitimate document to trick the target into opening it, thereby starting the infection chain.
- Shortcut file: A shortcut file that executes an intermediate component, such as a BAT file that runs the executable.
BAT file instrumenting the executable.
Mustang Panda infections in late January 2022 resulted in the deployment of bespoke stagers that downloaded additional shellcode from a remote location that would, in turn, be deployed on the infected endpoint.
The stager typically arrives in the form of an archive on the target's endpoint. The archive contains an executable that needs to be executed by the victims. Once executed, it loads the accompanying DLL, which is the key malicious component. The DLL is responsible for decoding an embedded blob of shellcode, which, when executed, acts as a stager that can download and execute additional shellcode from a C2 IP address.
This infection tactic has been heavily used by Mustang Panda in Asia. For example, in February 2022, in a campaign targeting users from Southeast Asian countries, the group used an archive-file-based lure masquerading as documents pertaining to the ASEAN Summit.
The archive consists of an executable named "ASEAN Leaders'Meeting.exe" that loads the accompanying DLL-based implant. The executable is a legitimate copy of a component belonging to the KuGou Active Desktop application. It imports two exported APIs from the malicious PlugX DLL to activate the implant.
The stager begins by creating persistence for itself across reboots via the registry Run key, using living-off-the-land binaries and scripts (LoLBAS) in the following command:
c:\windows\system32\cmd.exe /C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Amdesk /t REG_SZ /d "Rundll32.exe SHELL32.DLL,ShellExec_RunDLL "C:\Users\Public\Libraries\active_desktop\desktop_launcher.exe"" /f
Stager setting up persistence for itself.
Additionally, it will also set up persistence for itself to run every minute on the infected endpoint by creating a Scheduled Task on the system using the command:
C:\windows\system32\schtasks.exe /F /Create /TN Microsoft_Desktop /sc minute /MO 1 /TR C:\Users\Public\Libraries\active_desktop\desktop_launcher.exe
The implant will then decode and activate the next shellcode via a new thread.
The shellcode decodes DLL and API names and resolves them for later use. The DLL names are hashed using the ror13AddHash32 algorithm:
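When triaging shellcode like this, analysts usually precompute the hash for a list of candidate names and match the constants found in the disassembly. The sketch below is an added example, not code from the report or from the malware: it implements ror13AddHash32 (rotate right by 13, add the next byte, 32-bit wraparound) and, because the report does not say how names are normalised before hashing, tries several spellings. The candidate names and the sample constant are constructed for illustration.

```python
def ror32(value, count):
    """Rotate a 32-bit value right by count bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF

def ror13_add_hash32(name: bytes) -> int:
    """ror13AddHash32: h = ror(h, 13) + byte, for every byte of the name."""
    h = 0
    for byte in name:
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h

def spellings(name: str):
    """Yield (label, bytes) variants of a name.

    Assumption: case, NUL terminator and character width are not stated in
    the report, so the common shellcode conventions are all tried.
    """
    for s in sorted({name, name.lower(), name.upper()}):
        yield s, s.encode("ascii")
        yield s + " (NUL-terminated)", s.encode("ascii") + b"\x00"
        yield s + " (UTF-16LE)", s.encode("utf-16-le")

def build_table(candidates):
    """Map hash value -> list of spellings that produce it."""
    table = {}
    for name in candidates:
        for label, raw in spellings(name):
            table.setdefault(ror13_add_hash32(raw), []).append(label)
    return table

def resolve(constants, candidates):
    """Annotate each constant taken from the disassembly with matching names."""
    table = build_table(candidates)
    return {c: table.get(c, []) for c in constants}

# Constructed inputs: a hypothetical candidate list and two 32-bit constants,
# as they might be copied out of a disassembly listing.
CANDIDATES = ["kernel32.dll", "ws2_32.dll", "LoadLibraryA", "GetProcAddress"]
CONSTANTS = [0xEC0E4E8E, 0xDEADBEEF]

if __name__ == "__main__":
    for const, names in resolve(CONSTANTS, CANDIDATES).items():
        print(f"0x{const:08X} -> {names or 'no match in candidate list'}")
```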
The implant will then collect the following information from the endpoint and send it to the C2:
- Volume serial number, which it obfuscates by adding 0x12345678. The final result is sent to the C2.
- The computer name and username and length.
- The uptime of the host.
The collected host info is RC4 encrypted before sending it over to the C2. The RC4 key used is (hex):
78 5a 12 4d 75 14 14 11 6c 02 71 15 5a 73 05 08 70 14 65 3b 64 42 22 23 20 00 00 00 00 00 00 00
0x0A + <Encoded Volume serial number > + <uptime> + <hostname> + <username>
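For responders holding a packet capture, the key and layout above are enough to recover the host identifier the stager reports. The following is an added example, not code from the report: it assumes the layout line describes the plaintext, that the volume serial is a little-endian DWORD directly after the 0x0A marker, and that the trailing zero bytes of the printed key may be buffer padding, so both key lengths are tried. The widths of the remaining fields are not given in the report and are returned undecoded.

```python
import struct

# RC4 key exactly as printed in the report (32 bytes, trailing zeros included).
RC4_KEY = bytes.fromhex(
    "78 5a 12 4d 75 14 14 11 6c 02 71 15 5a 73 05 08 "
    "70 14 65 3b 64 42 22 23 20 00 00 00 00 00 00 00")
VOLSER_ADD = 0x12345678   # constant added to the volume serial, per the report
MARKER = 0x0A             # first byte of the message, per the report

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decode_beacon(ciphertext: bytes):
    """Decrypt a captured host-info message; return None if it does not fit.

    Assumption: 4-byte little-endian serial right after the marker byte.
    """
    for key in (RC4_KEY, RC4_KEY.rstrip(b"\x00")):
        plain = rc4(key, ciphertext)
        if len(plain) >= 5 and plain[0] == MARKER:
            (encoded,) = struct.unpack_from("<I", plain, 1)
            return {
                "key_len": len(key),
                "volume_serial": (encoded - VOLSER_ADD) & 0xFFFFFFFF,
                # uptime, hostname, username: field widths are not in the report
                "rest": plain[5:],
            }
    return None

def make_sample(volume_serial: int, rest: bytes) -> bytes:
    """Build a constructed message for testing the decoder offline."""
    encoded = (volume_serial + VOLSER_ADD) & 0xFFFFFFFF
    return rc4(RC4_KEY, bytes([MARKER]) + struct.pack("<I", encoded) + rest)

if __name__ == "__main__":
    sample = make_sample(0xA1B2C3D4, b"\x10\x27\x00\x00WS01\x00alice\x00")
    info = decode_beacon(sample)
    print(f"volume serial {info['volume_serial']:08X}, rest={info['rest']!r}")
```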
The shellcode then attempts to connect to the C2 IP address to retrieve additional shellcode that can then be executed on the infected endpoint.
Another type of stager employed by Mustang Panda, first seen in 2019 and still active as of December 2021, binds itself locally to the infected endpoint and listens for any incoming requests. It only accepts incoming requests from a hardcoded C2 address and executes any shellcode received from the C2.
Other stagers used by Mustang Panda, some as recently as late 2021, are DLL-based implants that decode and execute Meterpreter reverse-HTTP payloads to download and execute even more payloads from the C2. We observed this actor using Meterpreter dating back to 2019, when it was deployed via malicious archives hosted on the Myanmar government's website. Meterpreter's use as an intermediate access mechanism continued at least into June 2021, with a brief lull, followed by the adoption of bespoke stagers in 2022.
In late February 2022, the threat actors used another previously undisclosed Ukrainian-themed lure named "Офіційна заява Апарату РНБО України\Про введення в дію плану оборони України та Зведеного плану територіальної оброни України.exe", which roughly translates to "official statement from the National Security and Defense Council of Ukraine."
This infection chain consisted of activating a simple, yet new, TCP-based reverse shell using cmd.exe as opposed to directly deploying the PlugX implant, stagers and Meterpreter seen in parallel infection chains from Mustang Panda.
The reverse shell DLL will copy itself and the executable responsible for loading it into a folder on a target machine's disk, such as:
The implant is also responsible for setting up persistence on the system to ensure the reverse shell runs once a minute via a scheduled task:
C:\windows\system32\schtasks.exe /F /Create /TN Microsoft_Silverlight /sc minute /MO 1 /TR C:\Users\Public\Libraries\iloveukraine\Microsoft_Silverlight.exe
Reverse shell infection chain:
Shortcut files (LNK)
The use of shortcut files (LNK) has been a popular technique with Mustang Panda since at least 2019 against entities in Asian countries. Although this tactic has become less frequent over the past couple of years, the threat actors still use it sporadically. As late as March 2021, a shortcut file targeting users in Myanmar deployed Mustang Panda's stager against their targets.
This shortcut file consists of a command to extract content from itself and execute as a BAT file:
/c for %x in (%temp%=%cd%) do for /f "delims==" %i in ('dir "%x\2021-03-11.lnk" /s /b') do (more +540 /S %i |find "PGL">%public%\gtgc.bat& %public%\gtgc.bat)
The JS code will extract an executable and a DLL-based stager to disk, followed by the execution of the executable, thus establishing persistence on the system and establishing communications with the C2.
JS extracting the DLL-based Stager and activating it via the EXE-based loader.
LNK-based infection chain:
In some instances, we also observed the use of maldocs targeting Asian countries such as Taiwan to deploy stagers that could execute meterpreter shellcode to communicate with the C2 server and execute the next payloads on the infected system. The malicious macros contain two more components that are dropped to disk on the infected system. One component is a benign executable that is run by the macro to load the second component, a malicious DLL, which establishes persistence for the EXE and DLL via the registry Run key.
/C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Acerodp /t REG_SZ /d "Rundll32.exe SHELL32.DLL,ShellExec_RunDLL "C:\Users\Public\Libraries\win\Acrobat.exe"" /f
Then, the DLL executes the shellcode embedded in it — a meterpreter reverse HTTP shell to download and execute the next payload.
Executables embedded in the malicious macro.
In one instance, the maldoc was named "海污法修正草案.ppt". This roughly translates to "Draft Amendment to Marine Pollution Law" consisting of a politically themed lure targeting Taiwanese government entities.
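The persistence and launch commands quoted throughout this report share a small set of traits: a scheduled task firing every minute, a Run key that proxies an EXE through SHELL32.DLL,ShellExec_RunDLL, and a ping-based delay before launching from %temp%, always with the binary in a user-writable directory. The following added example (not Talos's own detection content) checks process-creation command lines for those traits; the rule names are hypothetical, the first four sample lines are the commands from this report and the last two are constructed benign lines.

```python
import re

# User-writable locations. Every payload path quoted in the report sits under one of these.
WRITABLE = re.compile(
    r'(?:c:\\users\\public\\|c:\\users\\[^\\]+\\appdata\\local\\temp\\|%public%\\|%temp%\\)',
    re.I)

def is_minutely_task(cl):
    # schtasks /Create ... /sc minute [/MO 1] /TR <binary in a user-writable path>
    if not re.search(r'\bschtasks(?:\.exe)?\b.*?/create\b', cl, re.I):
        return False
    if not re.search(r'/sc\s+minute\b', cl, re.I):
        return False
    mo = re.search(r'/mo\s+(\d+)', cl, re.I)
    interval = int(mo.group(1)) if mo else 1   # schtasks defaults /MO to 1
    target = re.search(r'/tr\s+"?([^"]+)', cl, re.I)
    return interval == 1 and bool(target and WRITABLE.match(target.group(1)))

def is_rundll_run_key(cl):
    # reg add on the HKCU Run key whose data starts an EXE via SHELL32.DLL,ShellExec_RunDLL
    key = r'\breg(?:\.exe)?\s+add\s+"?HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?=["\s])'
    if not re.search(key, cl, re.I):
        return False
    proxy = re.search(r'shell32\.dll,\s*ShellExec_RunDLL\s+"?([^"]+)', cl, re.I)
    return bool(proxy and WRITABLE.match(proxy.group(1)))

def is_ping_delayed_launch(cl):
    # ping -n <count> used as a sleep, then && starts a binary from a user-writable path
    m = re.search(r'\bping(?:\.exe)?\s+\S+\s+-n\s+\d+\s*&&\s*"?([^"]+)', cl, re.I)
    return bool(m and WRITABLE.match(m.group(1)))

RULES = {  # hypothetical rule names
    "run_key_shellexec_rundll": is_rundll_run_key,
    "minutely_task_user_writable": is_minutely_task,
    "ping_delay_then_temp_exe": is_ping_delayed_launch,
}

def scan(command_lines):
    """Return (line index, rule name) for every rule that fires."""
    return [(n, name) for n, cl in enumerate(command_lines)
            for name, rule in RULES.items() if rule(cl)]

SAMPLES = [
    # Commands as quoted in the report
    r'c:\windows\system32\cmd.exe /C reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Amdesk /t REG_SZ /d "Rundll32.exe SHELL32.DLL,ShellExec_RunDLL "C:\Users\Public\Libraries\active_desktop\desktop_launcher.exe"" /f',
    r'C:\windows\system32\schtasks.exe /F /Create /TN Microsoft_Desktop /sc minute /MO 1 /TR C:\Users\Public\Libraries\active_desktop\desktop_launcher.exe',
    r'C:\windows\system32\schtasks.exe /F /Create /TN Microsoft_Silverlight /sc minute /MO 1 /TR C:\Users\Public\Libraries\iloveukraine\Microsoft_Silverlight.exe',
    r'cmd.exe /c ping.exe 22.214.171.124 -n 70&&"%temp%\FontEDL.exe"',
    # Constructed benign lines that must not fire
    r'schtasks.exe /Create /TN BackupJob /sc daily /TR "C:\Program Files\Backup\backup.exe"',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_SZ /d "C:\Program Files\Microsoft OneDrive\OneDrive.exe /background" /f',
]

if __name__ == "__main__":
    for index, rule in scan(SAMPLES):
        print(f"[{rule}] {SAMPLES[index]}")
```

Endpoint telemetry often records environment variables already expanded, which is why the writable-path pattern also accepts a per-user AppData\Local\Temp prefix.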
Over the years, Mustang Panda has evolved their tactics and implants to target a wide range of entities spanning multiple governments in three continents, including the European Union, the U.S., Asia and pseudo allies such as Russia. By using summit- and conference-themed lures in Asia and Europe, this attacker aims to gain as much long-term access as possible to conduct espionage and information theft.
Apart from Mustang Panda's tool of choice, PlugX, we've observed a steady increase in the use of intermediate payloads such as a variety of stagers and reverse shells. The group has also continuously evolved its delivery mechanisms, which consist of maldocs, shortcut files, malicious archives and, starting in 2022, downloaders. Mustang Panda is a highly motivated APT group relying primarily on the use of topical lures and social engineering to trick victims into infecting themselves.
In-depth defense strategies based on a risk analysis approach can deliver the best results in protecting against such a highly motivated set of threat actors. However, this should always be complemented by a good incident response plan which has not only been tested with tabletop exercises, but also reviewed and improved every time it is put to the test on real engagements.
Ways our customers can detect and block this threat are listed below.
Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.
Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.