    Chinese APT group Mustang Panda targets European and Russian organizations

May 5, 2022

    A cyberespionage group whose targeting has historically been aligned with China’s geopolitical interests has been targeting European and Russian entities using topical spear-phishing lures connected to the war in Ukraine.

    The group, tracked as Mustang Panda, RedDelta, Bronze President or TA416 by different cybersecurity firms, has been active since at least 2012 and over the years has targeted organizations in EU member states, the United States and Asian countries where China has interests. The targets have included diplomatic entities, think tanks, non-governmental organizations (NGOs), religious organizations, telecommunication companies, and political activists.

    The group is known for crafting its phishing lures based on current events that might be of interest to its targets. These have included the COVID-19 pandemic, international summits, and political topics. Recent attack campaigns observed this year by researchers from Cisco Talos and several other security firms used reports from EU institutions about the security situation in Europe both before and after Russia’s invasion of Ukraine.

    According to a new report from Cisco Talos, in January the group used a lure document with conclusions from the Council of the European Union on the European security situation. After Russia invaded Ukraine at the end of February, the group switched lures to European Commission reports on the security situation at the border with Ukraine and later Belarus.

    The researchers also spotted Mustang Panda distributing a malicious file with a Russian name referencing the Blagoveshchensk Border Guard Detachment. Blagoveshchensk is a city close to Russia’s border with China and is home to Russia’s 56th Blagoveshchenskiy Red Banner Border Guard Detachment. This lure suggests the group was potentially targeting Russian-speaking officials or organizations with knowledge of the country’s military.

    How Mustang Panda operates

Mustang Panda’s most-used malicious implant is a Trojan program called PlugX, which remains the group’s preferred spying tool. However, the ways in which it is delivered and loaded on systems have evolved over time.

    The attacks observed this year have primarily used a malicious downloader wrapped inside an archive. When unpacked and executed on a system, this downloader drops several components.

First, it opens the legitimate document expected by the target as a decoy. In the background it launches a benign executable whose only goal is to load a malicious DLL through DLL sideloading. DLL sideloading, also known as DLL search order hijacking, relies on attackers planting a DLL file in the location and under the name that a legitimate application or service expects, so that the application loads it into its own memory instead of a new, unknown process being spawned that could trigger detection by security products.
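One way a defender can look for the side-by-side loading pattern described above in endpoint telemetry, as an added example that is not part of the original article or of any vendor's tooling: the events below are constructed and only loosely modelled on Sysmon "Image loaded" records, and the `Signed` field and path heuristics are assumptions for illustration.

```python
import ntpath

# Directories where an application legitimately keeps its own DLLs next to the
# executable; a DLL loaded from the process's own directory *outside* these roots
# (a user profile, a temp folder, an unpacked archive) is the pattern to inspect.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 7.
SAMPLE_IMAGE_LOADS = [
    # 1. benign-looking executable unpacked from a lure archive loads an unsigned
    #    DLL sitting beside it: the sideloading pattern the article describes
    {"Image": r"C:\Users\alice\Downloads\EU_security_report\reader.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\EU_security_report\core.dll",
     "Signed": "false"},
    # 2. same executable loading a system DLL from System32: normal
    {"Image": r"C:\Users\alice\Downloads\EU_security_report\reader.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true"},
    # 3. installed application loading its own plugin from Program Files: normal
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
     "Signed": "true"},
    # 4. portable tool loading a signed DLL from its own folder: not flagged here,
    #    since the heuristic keys on the unsigned-DLL case
    {"Image": r"C:\Users\alice\AppData\Local\Temp\tool\tool.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\tool\support.dll",
     "Signed": "true"},
]


def is_suspect_sideload(event):
    """True when a DLL is loaded from the loading process's own directory,
    that directory lies outside the trusted install roots, and the DLL is
    unsigned. Each condition alone is common; together they match the
    archive-dropped executable plus side-by-side DLL chain."""
    exe_dir = ntpath.dirname(event["Image"].lower())
    dll_dir = ntpath.dirname(event["ImageLoaded"].lower())
    if dll_dir != exe_dir:
        return False  # loaded from elsewhere, e.g. System32
    if exe_dir.startswith(TRUSTED_ROOTS):
        return False  # application's own install directory
    return event.get("Signed", "false").lower() != "true"


def find_sideloads(events):
    """Return (process, dll) pairs worth a closer look."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_suspect_sideload(e)]
```

Pairing the hits with the decoy document that was opened at the same time (the first thing the downloader does) gives the analyst the full picture of the lure.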

    The DLL is a loader itself and its goal is to further decrypt and load the final payload — usually a variant of PlugX, which is a modular Trojan that can load different plug-ins to extend its functionality. In March, researchers from security firm ESET reported attacks by Mustang Panda using a previously undocumented version of PlugX, also known as Korplug.

    However, the Cisco Talos researchers warn that the group doesn’t always deploy PlugX and instead has been seen using other malware stagers, implants such as Meterpreter from the open-source penetration testing framework Metasploit, and even simple reverse shells.

    In late February, Mustang Panda used a Ukrainian-themed executable with a name written in Ukrainian that roughly translates to “official statement from the National Security and Defense Council of Ukraine,” the researchers said. “This infection chain consisted of activating a simple, yet new, TCP-based reverse shell using cmd.exe.”

    Meterpreter has been used by the group as an access mechanism to deploy additional payloads from command-and-control servers between 2019 and late 2021. Starting this year, the group seems to have shifted to using custom stagers in the form of DLLs in some of its campaigns. This was seen in February in an attack against targets in Southeast Asia through a campaign that used a malicious archive file pertaining to the ASEAN Summit as bait.

    Another technique Mustang Panda used until March 2021 in its attack campaigns in Asia involved LNK (Windows shortcut) files instead of executables. The rogue LNK files contained all the components of the infection chain inside themselves. First, they extracted and executed a malicious BAT script which then extracted a JavaScript payload and executed it via Windows’ wscript.exe. The JS payload then extracted a malicious DLL-based stager that established a connection to a command-and-control server.
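The LNK chain above leaves a recognisable process lineage (Explorer starts cmd.exe for the BAT script, which starts wscript.exe for the JavaScript payload). The following is an added detection example, not part of the original article, that walks constructed process-creation events (shaped like Sysmon Event ID 1, values invented) and flags that lineage when the script lives under a user profile; the field names and the "user-writable" path test are assumptions.

```python
import ntpath

# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 1.
SAMPLE_PROCESS_EVENTS = [
    {"ProcessId": 1000, "ParentProcessId": 1,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    # LNK chain from the article: explorer -> cmd.exe (BAT) -> wscript.exe (JS)
    {"ProcessId": 2000, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\stage.bat"'},
    {"ProcessId": 3000, "ParentProcessId": 2000,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\stage.js"'},
    # benign: an administrator's console session running a maintained script
    {"ProcessId": 4000, "ParentProcessId": 1,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"ProcessId": 4100, "ParentProcessId": 4000,
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Scripts\inventory.js"'},
]

# Ancestry expected for a shortcut-launched batch file that spawns a script host.
LNK_CHAIN = ["wscript.exe", "cmd.exe", "explorer.exe"]


def lineage(events, pid):
    """Image basenames from the given process up through its known ancestors."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain = []
    while pid in by_pid:
        event = by_pid[pid]
        chain.append(ntpath.basename(event["Image"]).lower())
        pid = event["ParentProcessId"]
    return chain


def is_lnk_style_chain(events, event):
    """True when wscript.exe sits under cmd.exe under explorer.exe and the
    script it runs was staged somewhere under a user profile."""
    if lineage(events, event["ProcessId"])[:3] != LNK_CHAIN:
        return False
    return "c:\\users\\" in event["CommandLine"].lower()


def find_lnk_chains(events):
    """Process IDs of script hosts that match the LNK -> BAT -> JS lineage."""
    return [e["ProcessId"] for e in events if is_lnk_style_chain(events, e)]
```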

While the most recent attacks used malicious executables stored inside archives as the first stage, Mustang Panda has in the past also used malicious Word documents (maldocs) that relied on macros to execute a DLL payload and start the infection chain. Those past attacks primarily targeted organizations in Asia.

    Mustang Panda is a versatile threat actor

    All these techniques are worth mentioning because they showcase the versatility of the group and its ability to customize its delivery mechanisms and implants based on what might be most successful against its intended targets. The group could switch between these different components, shells, stagers and Trojans at any time.

    “Over the years, Mustang Panda has evolved their tactics and implants to target a wide range of entities spanning multiple governments in three continents, including the European Union, the U.S., Asia, and pseudo allies such as Russia,” the Cisco Talos researchers said. “By using summit- and conference-themed lures in Asia and Europe, this attacker aims to gain as much long-term access as possible to conduct espionage and information theft.”

    Copyright © 2022 IDG Communications, Inc.
