Chinese Hackers Escalate Attacks on APAC Governments
Cyberespionage Group Adopts New Tools, Tactics for Data Theft
Security researchers say China-based cyberespionage group Mustang Panda is stepping up attacks on government agencies in Asia, using new malware tools to breach networks and a reverse shell feature in Visual Studio Code software to gain a foothold in networks.
Two recent reports by Trend Micro and Palo Alto Networks' threat intelligence arm, Unit 42, describe the new tactics observed in recent attacks against high-value government agencies in Southeast Asia. Stolen data includes documents, spreadsheets, presentations and other sensitive information, which is typically sent to remote servers under the attackers' control.
New Malware Tools
According to the Trend Micro report, Mustang Panda - also known as Earth Preta, RedDelta, Luminous Moth and Camaro Dragon - is using spear-phishing campaigns to deliver new malware tools, including the FDMTP downloader and the PTSOCKET file transfer tool. FDMTP downloads additional malicious files onto a victim's system to initiate the infection, and PTSOCKET lets attackers transfer data between systems once they have infiltrated a network.
The two tools complement existing malware such as Pubload, which Mustang Panda has used in previous attacks. Together, the tools allow the group to infiltrate networks, collect data and exfiltrate stolen data.
Trend Micro's tracking shows that Earth Preta has also improved how it deploys malicious tools. Its enhanced spear-phishing tactics include multistage downloaders such as Downbait and Pullbait, which introduce additional malware components and make the attack chain more sophisticated and harder to detect.
In the latest campaign, the group deployed a HIUPAN worm variant to spread its primary malware, Pubload, through removable drives. Pubload serves as the main control tool. Once it infects a system, it facilitates data collection and introduces secondary tools such as FDMTP for downloading additional malicious files and PTSOCKET for data transfer.
The campaign begins with a spear-phishing email containing a .url attachment, which triggers the multistage malware deployment process.
Because the first-stage downloader, Downbait, is code-signed, the malware appears legitimate and trusted when it executes. Downbait uses multilayered XOR encryption, a technique that obscures or hides the malware's actions.
Once executed, Downbait downloads a decoy document and Pullbait to further the infection.
Pullbait downloads and executes a piece of malware called CBROVER using a DLL side-loading technique. CBROVER is the first-stage backdoor and gains the initial foothold in the compromised system. Once it is executed, it deploys PlugX, a more advanced and powerful backdoor.
Once inside a network, Earth Preta uses tools such as RAR and Filesac to collect and compress sensitive files. The attackers use both cURL and PTSOCKET for data exfiltration, depending on the complexity and size of the stolen information.
Visual Studio Code Bypass
Researchers at Unit 42 said they detected threat actors abusing the Visual Studio Code software's embedded reverse shell feature to execute arbitrary code and deliver additional payloads. The exploit enables threat actors to bypass security protections in Visual Studio Code to perform reconnaissance and steal sensitive data.
Unit 42 researchers believe the exploit is a continuation of an attack campaign detected in September that involved threat actors establishing long-term footholds within compromised networks belonging to a Southeast Asian government and exfiltrating sensitive documents.
The Vietnam government recently blamed Mustang Panda for two phishing campaigns in which hackers used tax compliance and education-related lures to target government, nonprofit and educational organizations (see: Vietnam Blames Mustang Panda for Espionage Attack).
Unit 42 said Friday that the threat group used a Visual Studio Code flaw previously described by security researcher Truvis Thornton in a September blog post.
The exploit requires a threat actor to use the portable version of code.exe, the executable file for Visual Studio Code, or an already installed version of the software. When an attacker runs the command, they receive a link to log in to GitHub with their own account and are then redirected to a Visual Studio Code web environment connected to a compromised machine, where they are permitted to execute commands and scripts and run new files.
Unit 42 said Mustang Panda used the exploit to deliver malware to compromised networks and used a script named startcode.bat, run through a scheduled task, to establish persistence within infected environments.
The cyberespionage group used a variant of the ToneShell backdoor - armed with persistence, networking and command execution components - to archive files for exfiltration and used a unique 13-character password to protect the RAR archives. Researchers found that the group used the same password during the previously documented campaign that targeted the same Southeast Asian government entity.
Unit 42 researchers also came across a parallel cyberespionage campaign targeting the same government entity using the ShadowPad backdoor, a modular malware used by multiple Chinese threat groups since 2017. Threat actors behind the campaign used the same network session to write Listeners.bat and the ShadowPad backdoor, and used the same 13-character password for the batch file that they used during attacks made with the ToneShell backdoor, indicating a credible link between the two campaigns.
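The three behaviours the Unit 42 section describes - Visual Studio Code's remote tunnel feature being launched on a host, a scheduled task whose action is a batch script such as startcode.bat or Listeners.bat, and collected files being staged in password-protected RAR archives - all show up in ordinary process-creation telemetry. The following Python script is an added example, not code from the article, Trend Micro or Unit 42: it runs three simple rules over constructed process-creation events. The log layout (pid|user|parent image|image|command line) and every sample line are assumptions made for the example; the `tunnel` subcommand is the VS Code command-line verb for its Remote Tunnels feature, and `-p`/`-hp` are RAR's password switches.

```python
"""Triage of constructed Windows process-creation events for the tradecraft the
article attributes to Mustang Panda / Earth Preta: VS Code remote-tunnel abuse,
scheduled-task persistence through a batch script, and password-protected RAR
staging of files ahead of exfiltration.

Added example, not code from the article, Trend Micro or Unit 42. The log
format (pid|user|parent_image|image|command_line) and the sample lines are
constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Event:
    pid: int
    user: str
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> Event:
    """Split one constructed log line into its five fields (the command line
    is the last field and may itself contain '|')."""
    pid, user, parent, image, cmdline = line.split("|", 4)
    return Event(int(pid), user, parent, image, cmdline)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_vscode_tunnel(ev: Event) -> Optional[str]:
    """code.exe started with the `tunnel` verb hands an interactive session to
    whoever holds the linked GitHub account; outside a dev team this is rare."""
    if basename(ev.image) != "code.exe":
        return None
    if re.search(r"(^|\s)tunnel(\s|$)", ev.cmdline, re.IGNORECASE):
        return "vscode-remote-tunnel"
    return None


def rule_batch_persistence(ev: Event) -> Optional[str]:
    """schtasks /create whose action (/tr) is a batch file. The article names
    startcode.bat and Listeners.bat; any .bat task action deserves a look."""
    if basename(ev.image) != "schtasks.exe":
        return None
    if not re.search(r"/create\b", ev.cmdline, re.IGNORECASE):
        return None
    m = re.search(r'/tr\s+"?([^"]+?\.bat)"?', ev.cmdline, re.IGNORECASE)
    if m:
        return "scheduled-task-batch:" + basename(m.group(1))
    return None


def rule_rar_encrypted_archive(ev: Event) -> Optional[str]:
    """rar.exe adding files (`a` command) with a -p/-hp password switch:
    collection being staged for exfiltration as the article describes."""
    if basename(ev.image) not in ("rar.exe", "winrar.exe"):
        return None
    if re.match(r"^\S+\s+a\s", ev.cmdline) and re.search(r"\s-(hp|p)\S*", ev.cmdline):
        return "rar-password-archive"
    return None


RULES: list[Callable[[Event], Optional[str]]] = [
    rule_vscode_tunnel,
    rule_batch_persistence,
    rule_rar_encrypted_archive,
]


def triage(lines: list[str]) -> list[tuple[int, str]]:
    """Run every rule over every event; return (pid, label) hits in log order."""
    hits: list[tuple[int, str]] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule in RULES:
            label = rule(ev)
            if label:
                hits.append((ev.pid, label))
    return hits


# Constructed sample telemetry: two benign events, then three modelled on the report.
SAMPLE_LOG = [
    r"4120|CORP\jdoe|C:\Windows\explorer.exe|C:\Program Files\Microsoft VS Code\Code.exe|"
    r'"C:\Program Files\Microsoft VS Code\Code.exe" C:\src\project',
    r"4131|CORP\jdoe|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt",
    r"5002|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Users\jdoe\Downloads\vscode\code.exe|"
    r"code.exe tunnel --accept-server-license-terms",
    r"5010|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Windows\System32\schtasks.exe|"
    r'schtasks /create /sc onlogon /tn Updater /tr "C:\ProgramData\startcode.bat"',
    r"5044|CORP\jdoe|C:\Windows\System32\cmd.exe|C:\Users\Public\rar.exe|"
    r"rar.exe a -hpPLACEHOLDER_PASSWORD C:\Users\Public\out.rar C:\Users\jdoe\Documents\*.docx",
]

if __name__ == "__main__":
    for pid, label in triage(SAMPLE_LOG):
        print(f"pid {pid}: {label}")
```

Each rule keys on the process image and command line only, so the same logic maps directly onto Sysmon Event ID 1 or EDR process-start events; the normal VS Code launch in the first sample line is deliberately not flagged, because the tunnel verb, not code.exe itself, is the signal. None of the three hits is conclusive on its own, but a single user producing all three in one session matches the sequence the article lays out.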