Amid Military Buildup, China Deploys Mustang Panda in the Philippines

During a dramatic military buildup in the South China Sea this summer, a Chinese state-linked advanced persistent threat (APT) managed to compromise an entity within the Philippine government using a remarkably simple sideloading technique.

The culprit, Mustang Panda — known variously as Bronze President, Camaro Dragon, Earth Preta, Luminous Moth, Red Delta, and tracked by Palo Alto Networks' Unit 42 as Stately Taurus — has spied on high-profile government and government-adjacent organizations over the Web since at least 2012.

In one recent case, outlined by Unit 42 on Nov. 17, the group carried out three similar campaigns against South Pacific organizations, including one which led to successful five-day compromise of the Philippine government organization.

Mustang Panda's Simple TTPs

Beginning in early August, when the Chinese coast guard blocked and fired water cannons at Philippine supply ships, the two South Pacific nations engaged in a months-long, increasingly serious melodrama of the kind often seen in the South China Sea.

During the military tête-à-tête, it seems, China's hackers were simultaneously attacking Philippine organizations in cyberspace.

During the first half of the month, China's Mustang Panda conducted three attacks in the South Pacific which, aside from a few minor differences, followed largely the same playbook.

Each began with a ZIP file. "We typically see actors host their malicious files with cloud storage providers and then entice victims to click a link, often to a trusted storage platform in a phishing email to download the files," notes Pete Renals, senior manager at Unit 42 at Palo Alto Networks. For example, "for the first campaign, the files were found to be hosted on Google Drive for download."

The malware package would be given a legitimate sounding name, like "NUG's Foreign Policy Strategy.zip." Once extracted, it would reveal just one EXE file with a similarly legitimate sounding name like "Labour Statement.exe."

The file would be no more than a renamed copy of Solid PDF Creator, a legitimate application for converting documents to PDFs. The trick was that launching the app would sideload a second file — a dynamic link library (DLL), hidden inside of the original ZIP. The DLL would provide the attackers a point to which they could establish command-and-control (C2).

Dealing With Mustang Panda

Throughout the month of August, Mustang Panda conducted its espionage from one of its known IP addresses based in Malaysia. It thinly attempted to mask its malicious traffic by mimicking a Microsoft domain, "wcpstatic.microsoft[.]com."

Multiple such malicious communications were sent between the IP address in question and the Philippine government entity, between the period of Aug. 10-15. The exact data that might have been transferred in that period, or in any related August attack, remains unknown.

While Mustang Panda's tactics may seem rudimentary at first, Renals warns that they're still effective, and organizations still need to be cautious.

"APTs using DLL sideloading to deliver malware is not new or novel. However, the continued use of this technique by Stately Taurus actors, combined with minimal detection rates across platforms like VirusTotal, demonstrates that this technique continues to be an effective tool enabling their operations," he concludes.