BlackBerry finds China-linked Mustang Panda group using Russian-Ukrainian war to target Europe, Asia Pacific targets

New research from the BlackBerry Threat Research and Intelligence team revealed a RAR file titled ‘Political Guidance for the new EU approach towards Russia.rar,’ as part of the team’s ongoing hunting and continuous monitoring efforts regarding the advanced persistent threat (APT) group Mustang Panda. An examination of the file revealed a decoy document matching the naming convention of the RAR, along with additional components that are often seen as part of a typical PlugX infection chain.

“This file captured our interest due to the ongoing geopolitical situation in Eastern Europe,” BlackBerry researchers wrote in a Tuesday blog post. “By delving into the associated network infrastructure and pivoting off related network artifacts, additional files and infrastructure were uncovered. These conformed to similar Tactics, Techniques, and Procedures (TTPs) and appeared to be part of a larger campaign from this same threat actor targeting multiple entities, both Government and Private, in several industries and throughout many countries across the world. In this report, we document what we found,” they added.

Mustang Panda (aka HoneyMyte, Bronze President, or Red Delta) is a prolific APT group that has been publicly attributed as being based in China. The group has been known to target non-governmental organizations using Mongolian-themed lures for espionage purposes. It has a history of targeting many different entities across the globe, but its targets align with the interests of the Chinese government. Based on the associated lures, NetFlow data, and other characteristics, the EU and APAC have been its biggest targets as of late.

Mustang Panda’s previous targets have included government and non-government organizations (NGOs) in many locations around the world, from various states in Southeast Asia to the European Union (EU), to the U.S. and beyond. Considering the decoy lures found, and the correlating network telemetry, “we found the threat actor to be targeting areas in Europe as well as Asia-Pacific, specifically Vietnam. This is not an exhaustive list as we have been unable to identify the industries of all the victims thus far,” the blog added.

BlackBerry further disclosed that a RAR file is an archive that contains one or more files compressed with RAR compression. “As seen in recent campaigns, the use of archives is a common infection vector for Mustang Panda. The political theme of the RAR file is a tactic employed by the threat actor to coerce targets into opening the file. Once the archive is open, the victim will see a directory called ‘_’ and a shortcut file named with the same politically themed lure,” it added.

The LNK file uses a double file extension in an attempt to disguise the shortcut file as a document, in the hope that the target will open it and, in doing so, execute the shortcut file, according to the researchers. Mustang Panda has used double extensions in the past as a way to convince users to execute shortcut files.

The LNK file looks to execute ‘test11[dot]bpu,’ which is a legitimate portable executable (PE) file called ‘ClassicExplorerSettings.exe’ belonging to Classic Shell, which is a freeware utility used to customize the look of the Windows system.

The Mustang Panda attack chain relies on the DLL sideloading technique previously used in the group’s campaign targeting Myanmar: the attacker plants a legitimate executable and a malicious payload alongside each other to take advantage of the DLL search order that the legitimate application follows once it is invoked. When the shortcut file is executed, the legitimate application is launched and the malicious DLL loader is invoked as well.

‘ClassicExplorer32.dll’ is planted in the same directory as ‘test11.bpu’ to abuse the search order once the executable is invoked, according to BlackBerry researchers. The purpose of the DLL is to load the ‘ClassicExplorerLog.dat’ file and execute the shellcode within it. Interestingly, the loader used seems to have a subtle change in how the shellcode is decrypted and executed.

“Mustang Panda DLL loaders reported by Secureworks back in September were utilizing the EnumThreadWindows API to pass execution to the start of the malicious payload file,” the post said. “In these more recent samples, the DLL loader uses the EnumSystemCodePagesW API to execute the shellcode similarly. A pointer to the already decrypted shellcode is passed to EnumSystemCodePagesW API as an application-defined callback function. The use of the EnumSystemCodePagesW API was mentioned in a Twitter thread by ‘kienbigmummy’ and also seen in a Black Hat Asia presentation. The purpose of the shellcode is to decrypt and execute the final malicious payload – PlugX – in memory,” it added.

Once the PlugX payload has been decrypted and execution is passed to it, the researchers said the configuration can also be seen being decrypted into memory. “Here we can see the IP address 5[dot]34[dot]178[dot]156, the campaign ID of ‘test222,’ as well as the name of the decoy document that gets displayed to the victim,” they added.

BlackBerry also revealed that the C2 IP address – 5[dot]34[dot]178[dot]156 – was seen to be hosting a service on port 443 with a unique SSL certificate. “The SSL certificate was first seen being associated with this IP from the period 2022-10-07 to 2022-10-30,” the post added.

The researchers also said that pivoting on the certificate showed 15 other IP addresses utilizing the same SSL certificate. “Five of these were being used as C2 servers for the same attack chain delivering lures/decoys in the form of RAR files, in the hopes of the victims executing PlugX malware in memory. The lures all varied but all aligned with the previous campaigns associated with Mustang Panda,” they added.
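The attack chain described above (double-extension LNK, a renamed Classic Shell binary launching a sideloaded ClassicExplorer32.dll, and a callback to the published C2 address) maps onto a few host-telemetry checks. The following detection logic is an added example written for this article, not BlackBerry’s code: it runs over constructed Sysmon-style event dicts, and the Classic Shell install directory it treats as legitimate is an assumption.

```python
import ntpath
import re

# Hijacked DLL -> (legitimate host binary's OriginalFileName, expected install dir).
# The DLL/host names come from the report; the install directory is an assumption.
SIDELOAD_PAIRS = {
    "classicexplorer32.dll": ("classicexplorersettings.exe", r"c:\program files\classic shell"),
}
DOUBLE_EXT_LNK = re.compile(r"\.(docx?|pdf|xlsx?|pptx?|txt)\.lnk$", re.IGNORECASE)
PE_EXTENSIONS = {".exe", ".com", ".scr", ".dll"}
KNOWN_C2 = {"5.34.178.156"}  # PlugX C2 address published in the report

def _base(path):  # lowercase basename; ntpath handles Windows paths on any host OS
    return ntpath.basename(path).lower()

def scan_event(ev):
    """Return (rule, detail) findings for one Sysmon-style event dict."""
    hits, kind = [], ev.get("type")
    if kind == "file_create" and DOUBLE_EXT_LNK.search(ev["target"]):
        hits.append(("lnk_double_extension", ev["target"]))
    if kind == "process_create":
        ext = ntpath.splitext(ev["image"])[1].lower()
        # Version-info OriginalFileName says .exe, but the file on disk is e.g. .bpu.
        if ext not in PE_EXTENSIONS and ev.get("orig_filename", "").lower().endswith(".exe"):
            hits.append(("renamed_pe_launched", ev["image"]))
    if kind == "image_load" and _base(ev["loaded"]) in SIDELOAD_PAIRS:
        host, expected_dir = SIDELOAD_PAIRS[_base(ev["loaded"])]
        # DLL loaded from outside the product directory, or by a renamed host binary.
        if ntpath.dirname(ev["loaded"]).lower() != expected_dir or _base(ev["image"]) != host:
            hits.append(("dll_sideload", f"{ev['image']} loaded {ev['loaded']}"))
    if kind == "network_connect" and ev.get("dst_ip") in KNOWN_C2 and ev.get("dst_port") == 443:
        hits.append(("known_plugx_c2", f"{ev['image']} -> {ev['dst_ip']}:443"))
    return hits

def scan(events):
    return [hit for ev in events for hit in scan_event(ev)]

# Constructed sample telemetry shaped like the chain described in the report.
DL = r"C:\Users\victim\Downloads\_"
SAMPLE_EVENTS = [
    {"type": "file_create", "target": DL + r"\Political Guidance.docx.lnk"},
    {"type": "process_create", "image": DL + r"\test11.bpu",
     "orig_filename": "ClassicExplorerSettings.exe"},
    {"type": "image_load", "image": DL + r"\test11.bpu",
     "loaded": DL + r"\ClassicExplorer32.dll"},
    {"type": "image_load", "image": r"C:\Program Files\Classic Shell\ClassicExplorerSettings.exe",
     "loaded": r"C:\Program Files\Classic Shell\ClassicExplorer32.dll"},  # benign
    {"type": "network_connect", "image": DL + r"\test11.bpu",
     "dst_ip": "5.34.178.156", "dst_port": 443},
]
```

Running `scan(SAMPLE_EVENTS)` yields one finding per malicious stage and none for the benign Classic Shell load; the sideload rule deliberately alerts on either an unexpected directory or an unexpected host binary, since the renamed test11.bpu trips both.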

In conclusion, the researchers revealed that Mustang Panda continues to utilize well-thought-out lures related to current events to deliver the PlugX malware that the group is synonymous with. “While Mustang Panda has stayed within their typical TTPs with PlugX, including custom lures, double extensions, and infrastructure re-use, they do make subtle changes along the way in the hope of evading detection. The historical data associated with the pivoted SSL certificate shows it being first seen on 2022-02-27. It is still being actively used at the time of writing,” they added.

In May, Check Point researchers revealed details of a targeted campaign that has been using sanctions-related baits to attack at least two Russian defense research institutes. The activity was attributed with high confidence to a Chinese threat actor, with possible connections to Stone Panda (aka APT10), a nation-state-backed hacker, and Mustang Panda, another proficient China-based cyber espionage threat actor.
