Amid Military Buildup, China Deploys Mustang Panda in the Philippines
China pairs cyber and kinetic attacks in the South Pacific as it continues to wrest control of the South China Sea.
November 20, 2023
During a dramatic military buildup in the South China Sea this summer, a Chinese state-linked advanced persistent threat (APT) managed to compromise an entity within the Philippine government using a remarkably simple sideloading technique.
The culprit, Mustang Panda — known variously as Bronze President, Camaro Dragon, Earth Preta, Luminous Moth, Red Delta, and tracked by Palo Alto Networks' Unit 42 as Stately Taurus — has spied on high-profile government and government-adjacent organizations over the Web since at least 2012.
In one recent case, outlined by Unit 42 on Nov. 17, the group carried out three similar campaigns against South Pacific organizations, one of which led to a successful five-day compromise of a Philippine government organization.
Mustang Panda's Simple TTPs
Beginning in early August, when the Chinese coast guard blocked and fired water cannons at Philippine supply ships, the two South Pacific nations engaged in a months-long, increasingly serious melodrama of the kind often seen in the South China Sea.
During the military tête-à-tête, it seems, China's hackers were simultaneously attacking Philippine organizations in cyberspace.
During the first half of the month, China's Mustang Panda conducted three attacks in the South Pacific which, aside from a few minor differences, followed largely the same playbook.
Each began with a ZIP file. "We typically see actors host their malicious files with cloud storage providers and then entice victims to click a link, often to a trusted storage platform in a phishing email to download the files," notes Pete Renals, senior manager at Unit 42 at Palo Alto Networks. For example, "for the first campaign, the files were found to be hosted on Google Drive for download."
The malware package would be given a legitimate-sounding name, like "NUG's Foreign Policy Strategy.zip." Once extracted, it would appear to contain just one EXE file with a similarly legitimate-sounding name, like "Labour Statement.exe."
That file would be no more than a renamed copy of Solid PDF Creator, a legitimate application for converting documents to PDFs. The trick was that the ZIP also carried a second file, a malicious dynamic link library (DLL), with its hidden attribute set so that it did not show up next to the EXE. Launching the app sideloaded that DLL: Windows looks for a DLL an application requests by name in the application's own directory before it checks the system directories, so the attacker's library is loaded in place of the one the real program expects. The DLL carried the implant through which the attackers established command-and-control (C2).
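The archive layout described above is something an analyst can triage mechanically before any detonation. The following is an added example, not code from the original article or from Unit 42: it builds a constructed ZIP with one visible executable and a hidden DLL beside it (the DLL name "pdfcore.dll" is a placeholder, not the name used in the campaign) and flags that combination. It relies only on the MS-DOS attribute bits that Windows archivers store in the ZIP central directory.

```python
import io
import posixpath
import zipfile

# MS-DOS attribute bits live in the low byte of ZipInfo.external_attr;
# Windows archivers preserve them, so a hidden DLL stays hidden after extraction.
DOS_HIDDEN = 0x02
EXECUTABLE_EXTS = (".exe", ".scr", ".com")


def build_archive(entries):
    """Constructed test data: entries are (name, hidden) pairs. The member
    bodies are 'MZ' stubs, not real PE images."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, hidden in entries:
            info = zipfile.ZipInfo(name)
            info.external_attr = DOS_HIDDEN if hidden else 0
            zf.writestr(info, b"MZ" + b"\x00" * 62)
    return buf.getvalue()


def triage_archive(data):
    """Flag the layout seen in the campaign: exactly one visible file, which is
    an executable, plus at least one hidden DLL in the same directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
    visible = [i for i in members if not i.external_attr & DOS_HIDDEN]
    hidden = [i for i in members if i.external_attr & DOS_HIDDEN]
    exes = [i.filename for i in visible
            if i.filename.lower().endswith(EXECUTABLE_EXTS)]
    # A sideloaded DLL only works if it sits in the application's own directory,
    # which Windows searches before the system directories.
    exe_dirs = {posixpath.dirname(n) for n in exes}
    hidden_dlls = [i.filename for i in hidden
                   if i.filename.lower().endswith(".dll")
                   and posixpath.dirname(i.filename) in exe_dirs]
    suspicious = len(visible) == 1 and len(exes) == 1 and bool(hidden_dlls)
    return {"visible": [i.filename for i in visible],
            "hidden_dlls": hidden_dlls,
            "suspicious": suspicious}


# Constructed lure modelled on the article's description; "pdfcore.dll" is a
# placeholder name, not the DLL used by the actor.
LURE = build_archive([("Labour Statement.exe", False), ("pdfcore.dll", True)])
# Constructed benign archive: a document bundle with nothing hidden.
BENIGN = build_archive([("report.docx", False), ("figures/chart.png", False)])

if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("benign", BENIGN)):
        print(label, triage_archive(blob))
```

This is a triage signal, not a verdict: a DLL next to an EXE does not prove the EXE imports it, and archives built on non-Windows tools may carry no DOS attributes at all, so a DLL that is merely present (hidden or not) beside a lone executable still deserves a look. Confirming the sideload means checking the executable's import table for the DLL's name or watching image loads when it runs in a sandbox.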
Dealing With Mustang Panda
Throughout August, Mustang Panda ran its espionage from one of its known IP addresses, based in Malaysia. It made only a thin attempt to disguise the traffic, mimicking a Microsoft domain, "wcpstatic.microsoft[.]com."
Multiple such malicious communications passed between that IP address and the Philippine government entity between Aug. 10 and 15. What data, if any, was transferred in that period, or in any related August attack, remains unknown.
While Mustang Panda's tactics may seem rudimentary at first, Renals warns that they're still effective, and organizations still need to be cautious.
"APTs using DLL sideloading to deliver malware is not new or novel. However, the continued use of this technique by Stately Taurus actors, combined with minimal detection rates across platforms like VirusTotal, demonstrates that this technique continues to be an effective tool enabling their operations," he concludes.
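Low detection rates on file scanners are one reason sideloading keeps working; the behaviour on the endpoint is easier to spot than the file. The following is an added example, not code from the article or from Palo Alto Networks: it runs a simple rule over constructed Sysmon Event ID 7 (ImageLoad) records and flags an unsigned DLL loaded by an executable from the same user-writable directory, which is the shape of the attack described above. The paths, the list of user-writable directories, and the DLL name "pdfcore.dll" are assumptions for illustration.

```python
import ntpath
import re

# Directories an unprivileged user can write to. An application living here
# that loads a DLL from the same place is the sideloading pattern in the
# article. Assumed list; tune it for your own estate.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:downloads|desktop|documents|appdata)|"
    r"users\\public|temp|programdata)(?:\\|$)", re.IGNORECASE)

# Constructed Sysmon Event ID 7 records, reduced to the fields this rule uses.
EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\jdoe\Downloads\Labour Statement.exe",
     "ImageLoaded": r"C:\Users\jdoe\Downloads\pdfcore.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Program Files\Google\Chrome\Application\chrome_elf.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Users\jdoe\Downloads\setup.exe",
     "ImageLoaded": r"C:\Users\jdoe\Downloads\vcruntime140.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Users\jdoe\Downloads\setup.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]


def is_sideload_candidate(ev):
    """True when an unsigned DLL is loaded from the loading process's own
    directory and that directory is one a normal user can write to."""
    if ev.get("EventID") != 7:
        return False
    dll = ev["ImageLoaded"]
    if not dll.lower().endswith(".dll"):
        return False
    loader_dir = ntpath.dirname(ev["Image"]).lower()
    dll_dir = ntpath.dirname(dll).lower()
    # A sideloaded DLL sits beside the EXE, so it is found before System32.
    if dll_dir != loader_dir:
        return False
    if not USER_WRITABLE.match(dll_dir):
        return False
    # Sysmon records "true"/"false" as strings in the Signed field.
    return ev.get("Signed", "").lower() != "true"


def detect(events):
    """Return one alert per matching event."""
    return [{"process": ev["Image"], "dll": ev["ImageLoaded"]}
            for ev in events if is_sideload_candidate(ev)]


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print("sideload candidate:", alert)
```

Two caveats for anyone deploying this: Event ID 7 is not logged by Sysmon unless image-load logging is enabled in the configuration, because of its volume, and legitimately unsigned tools installed under AppData (developer toolchains are the usual offender) will match the rule, so pair it with an allowlist keyed on DLL hash rather than widening the path list.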