China-linked APT Mustang Panda Upgrades Tools in Its Arsenal
In recent attacks targeting Europe, Asia, and Australia, the China-linked Advanced Persistent Threat (APT) group Mustang Panda has deployed a new custom backdoor, MQsTTang, marking an upgrade to its arsenal. The development highlights the group's ongoing effort to refine its tactics, techniques, and procedures (TTPs) for better stealth and more functionality.
A Brief Overview of Mustang Panda
Mustang Panda has been active since at least 2012, targeting American and European entities such as government organizations, think tanks, NGOs, and even Catholic organizations at the Vatican. Past campaigns were focused on Asian countries, including Taiwan, Hong Kong, Mongolia, Tibet, and Myanmar.
New Malware Deployment
In the 2022 campaigns, the threat actors used European Union reports on the conflict in Ukraine and Ukrainian government reports as lures. Opening one of these documents starts an infection chain that ends with malware deployed on the victim's system. In February 2024, Trend Micro researchers observed the group targeting Asian countries, including Taiwan, Vietnam, and Malaysia.
New Variants of ToneShell Backdoor
The Zscaler ThreatLabz team recently identified new activity linked to Mustang Panda, originating from two machines within a targeted organization in Myanmar. The investigation uncovered new variants of the ToneShell backdoor and several previously undocumented tools, including StarProxy, the Paklog and Corklog keyloggers, and the SplatCloak EDR evasion driver.
DLL Sideloading for Stealthy Execution
The APT employs DLL sideloading: a malicious library is packaged next to a legitimate, typically signed, executable that resolves a DLL by name from its own directory, so the trusted binary loads the attacker's code and the payload runs under a benign-looking process. The experts analyzed three distinct variants of the ToneShell backdoor, each using DLL sideloading to execute its payload.
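One practical check for the technique described above, added here as an example and not taken from the Zscaler report or the malware: a heuristic over image-load telemetry that flags an unsigned DLL loaded from the same directory as its host executable, outside locations only an installer should write to. The records are constructed to mimic Sysmon Event ID 7 (Image loaded) fields; the IsoBurner.exe / StarBurn.dll pair is the one the article names for StarProxy, while the directory paths and the other sample events are assumptions.

```python
"""Added example: a DLL sideloading heuristic over image-load telemetry.

Illustration code for this article, not from Zscaler's report or the malware.
The records below are constructed to mimic Sysmon Event ID 7 (Image loaded)
fields. The executable and DLL names are the ones the article gives for
StarProxy; the directory paths are assumptions.
"""
import ntpath

# Locations where only an administrator or installer should be able to drop a
# DLL. A sideload from one of these needs prior privilege and is out of scope.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# Host/DLL pair reported for this campaign; a name hit is an indicator, not proof.
KNOWN_SIDELOAD_PAIRS = {("isoburner.exe", "starburn.dll")}


def in_trusted_dir(path):
    """True when the file sits in, or below, one of TRUSTED_DIRS."""
    d = ntpath.dirname(path).lower()
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def sideload_candidates(events):
    """Return the image-load events that look like DLL sideloading.

    Two signals are checked independently so a renamed DLL still trips the
    behavioural rule and a known pair still trips the IOC rule:
      * the (exe, dll) base names match a reported sideload pair;
      * the DLL is unsigned, lives in the executable's own directory, and that
        directory is not a trusted install location.
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 7:          # only 'Image loaded' records
            continue
        exe = ev["Image"].lower()
        dll = ev["ImageLoaded"].lower()
        if not dll.endswith(".dll"):
            continue
        reasons = []
        if (ntpath.basename(exe), ntpath.basename(dll)) in KNOWN_SIDELOAD_PAIRS:
            reasons.append("known sideload pair")
        same_dir = ntpath.dirname(exe) == ntpath.dirname(dll)
        if same_dir and ev["Signed"] == "false" and not in_trusted_dir(dll):
            reasons.append("unsigned DLL loaded from the host's own directory "
                           "outside a trusted location")
        if reasons:
            findings.append({"Image": ev["Image"],
                             "ImageLoaded": ev["ImageLoaded"],
                             "reasons": reasons})
    return findings


# Constructed sample telemetry (Sysmon writes 'Signed' as the strings true/false).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\IsoBurner.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\StarBurn.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "ImageLoaded": r"C:\Windows\System32\user32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\helper.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for hit in sideload_candidates(SAMPLE_EVENTS):
        print(hit["ImageLoaded"], "<-", hit["Image"], "|", "; ".join(hit["reasons"]))
```

The behavioural rule will also fire on legitimate portable applications that ship private DLLs beside their executable, so in production it is worth weighting it by how rare the DLL hash is across the fleet and whether the host executable itself is signed by a vendor you expect in that path; the name-pair rule only catches this one tool, and ToneShell uses the same loading trick with different files.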
Key Features Across the Three Variants
The adaptations reflect Mustang Panda's ongoing effort to refine its tooling for better stealth and more functionality. Key features observed across the three ToneShell variants and the tooling deployed alongside them include:
- Custom XOR-based encryption of C2 traffic
- FakeTLS proxying for lateral movement
- Command-line arguments specifying IP addresses and ports for data relay
- DLL sideloading for stealthy execution
- New methods for creating and storing client identifiers
StarProxy: A Post-Compromise Tool
ThreatLabz researchers identified a new tool, named StarProxy, that Mustang Panda uses for lateral movement. It was found inside a RAR archive containing a legitimate executable (IsoBurner.exe) and a malicious DLL (StarBurn.dll); when IsoBurner.exe runs it sideloads StarBurn.dll, which carries the StarProxy code.
Once active, StarProxy proxies traffic between infected devices and the command-and-control servers over TCP sockets using FakeTLS, encrypting the data with the custom XOR-based algorithm. Command-line arguments specify the IP addresses and ports to relay through, so traffic can be chained across compromised machines. This design suggests it is a post-compromise tool for reaching internal systems that have no direct Internet path, relaying their traffic through a compromised host that does.
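FakeTLS framing of the kind described for StarProxy mimics the TLS record layer (type, version, length) while the payload is not TLS at all, which is exactly what gives it away: a real connection always opens with a handshake record carrying a ClientHello, whereas a FakeTLS channel typically sends application-data records from byte zero. The parser below is an added example for this article, not code from the Zscaler report or the malware; the record layout is standard TLS, while the one-byte XOR key and both sample streams are constructed here because the tool's actual XOR algorithm and message format are not given in the article.

```python
"""Added example: separating FakeTLS framing from a real TLS handshake.

Illustration code for this article, not from the Zscaler report or the
malware. The record header layout is standard TLS (type, version, length).
StarProxy's "custom XOR-based algorithm" is not detailed in this article, so
the one-byte XOR key and the two sample streams below are constructed here
purely to produce test data.
"""
import struct

TLS_HANDSHAKE = 0x16
TLS_APPDATA = 0x17
CLIENT_HELLO = 0x01
# Record-layer versions seen on the wire, SSL 3.0 through TLS 1.3 (still 0x0303).
TLS_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}
XOR_KEY = 0x5A  # assumption: a stand-in for the real, unpublished keying


def split_records(data):
    """Parse a byte stream into (content_type, version, body) TLS records.

    Returns None as soon as the stream stops parsing as a record sequence, so
    plain-text protocols and truncated captures are rejected, not half-accepted.
    """
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            return None
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        if ver not in TLS_VERSIONS:
            return None
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            return None
        records.append((ctype, ver, body))
        off += 5 + length
    return records


def looks_like_client_hello(body):
    """Handshake header check: msg type 1, 24-bit length covering the rest,
    then at least the legacy version and the 32-byte client random."""
    if len(body) < 4 + 2 + 32:
        return False
    msg_len = int.from_bytes(body[1:4], "big")
    return body[0] == CLIENT_HELLO and msg_len == len(body) - 4


def classify_stream(data):
    """Label the start of a client-to-server stream.

    'tls'      - opens with a plausible ClientHello
    'fake-tls' - only application-data records and no handshake at all,
                 which a real TLS connection never does from byte zero
    'not-tls'  - does not parse as TLS records
    'odd-tls'  - records parse but neither pattern fits; worth a look
    """
    records = split_records(data)
    if not records:
        return "not-tls"
    first_type, _, first_body = records[0]
    if first_type == TLS_HANDSHAKE and looks_like_client_hello(first_body):
        return "tls"
    if all(ctype == TLS_APPDATA for ctype, _, _ in records):
        return "fake-tls"
    return "odd-tls"


def xor_bytes(data, key=XOR_KEY):
    """Toy single-byte XOR; symmetric, so it both obscures and recovers."""
    return bytes(b ^ key for b in data)


def record(ctype, body, version=0x0303):
    """Wrap a body in a TLS record header."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


def build_tls_stream():
    """A minimal, structurally valid ClientHello (constructed sample)."""
    hello = (b"\x03\x03" + bytes(32)   # legacy version, client random
             + b"\x00"                  # empty session id
             + b"\x00\x02\x13\x01"      # one cipher suite
             + b"\x01\x00"              # null compression only
             + b"\x00\x00")             # no extensions
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return record(TLS_HANDSHAKE, handshake, version=0x0301)


def build_fake_stream():
    """Two application-data records carrying XOR-obscured relay parameters
    (constructed sample; the address is a documentation IP)."""
    return (record(TLS_APPDATA, xor_bytes(b"RELAY 192.0.2.10:443"))
            + record(TLS_APPDATA, xor_bytes(b"PING")))


if __name__ == "__main__":
    samples = (("tls", build_tls_stream()), ("fake", build_fake_stream()),
               ("http", b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"))
    for name, stream in samples:
        print(f"{name:5s} -> {classify_stream(stream)}")
```

The 'fake-tls' verdict is only meaningful when the capture includes the first bytes the client sent; a real TLS session picked up mid-flow also shows nothing but application-data records, so apply the check at connection open (after the TCP handshake) or as a "port 443 with no ClientHello ever seen" condition in flow data. Relay traffic that hops through several compromised hosts will show the same pattern on each leg, which is itself a useful pivot for scoping.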
Conclusion
"ToneShell, a backdoor used by Mustang Panda, has been updated with changes to its FakeTLS command-and-control (C2) communication protocol as well as to the methods for creating and storing client identifiers," concludes the report. "Mustang Panda remains active in targeting organizations and individuals in Myanmar." The report includes Indicators of Compromise (IOCs) for this threat.
Additional Analysis
Zscaler also published a Part 2 analysis, which provides additional details about the two new keyloggers and the EDR evasion driver employed by the APT group.