Chinese APT group Mustang Panda targets European and Russian organizations

A cyberespionage group whose targeting has historically been aligned with China’s geopolitical interests has been targeting European and Russian entities using topical spear-phishing lures connected to the war in Ukraine.

The group, tracked as Mustang Panda, RedDelta, Bronze President or TA416 by different cybersecurity firms, has been active since at least 2012 and over the years has targeted organizations in EU member states, the United States and Asian countries where China has interests. The targets have included diplomatic entities, think tanks, non-governmental organizations (NGOs), religious organizations, telecommunication companies, and political activists.

The group is known for crafting its phishing lures based on current events that might be of interest to its targets. These have included the COVID-19 pandemic, international summits, and political topics. Recent attack campaigns observed this year by researchers from Cisco Talos and several other security firms used reports from EU institutions about the security situation in Europe both before and after Russia’s invasion of Ukraine.

According to a new report from Cisco Talos, in January the group used a lure document with conclusions from the Council of the European Union on the European security situation. After Russia invaded Ukraine at the end of February, the group switched lures to European Commission reports on the security situation at the border with Ukraine and later Belarus.

The researchers also spotted Mustang Panda distributing a malicious file with a Russian name referencing the Blagoveshchensk Border Guard Detachment. Blagoveshchensk is a city close to Russia’s border with China and is home to Russia’s 56th Blagoveshchenskiy Red Banner Border Guard Detachment. This lure suggests the group was potentially targeting Russian-speaking officials or organizations with knowledge of the country’s military.

How Mustang Panda operates

Mustang Panda’s most used malicious implant is a Trojan program called PlugX and this continues to remain the group’s preferred spying tool. However, the ways in which it has been delivered and loaded on systems have evolved over time.

The attacks observed this year have primarily used a malicious downloader wrapped inside an archive. When unpacked and executed on a system, this downloader drops several components.

First, it opens the legitimate document expected by the target as a decoy. In the background it launches a benign executable whose only goal is to deploy a malicious DLL using DLL sideloading. DLL sideloading, also known as DLL search order hijacking, is a technique that relies on attackers planting a DLL file in a location and with a specific name that’s expected by a legitimate application or service with the purpose of the application loading it in memory instead of spawning a new unknown process that could trigger detection from security products.

The DLL is a loader itself and its goal is to further decrypt and load the final payload — usually a variant of PlugX, which is a modular Trojan that can load different plug-ins to extend its functionality. In March, researchers from security firm ESET reported attacks by Mustang Panda using a previously undocumented version of PlugX, also known as Korplug.

However, the Cisco Talos researchers warn that the group doesn’t always deploy PlugX and instead has been seen using other malware stagers, implants such as Meterpreter from the open-source penetration testing framework Metasploit, and even simple reverse shells.

In late February, Mustang Panda used a Ukrainian-themed executable with a name written in Ukrainian that roughly translates to “official statement from the National Security and Defense Council of Ukraine,” the researchers said. “This infection chain consisted of activating a simple, yet new, TCP-based reverse shell using cmd.exe.”

Meterpreter has been used by the group as an access mechanism to deploy additional payloads from command-and-control servers between 2019 and late 2021. Starting this year, the group seems to have shifted to using custom stagers in the form of DLLs in some of its campaigns. This was seen in February in an attack against targets in Southeast Asia through a campaign that used a malicious archive file pertaining to the ASEAN Summit as bait.

Another technique Mustang Panda used until March 2021 in its attack campaigns in Asia involved LNK (Windows shortcut) files instead of executables. The rogue LNK files contained all the components of the infection chain inside themselves. First, they extracted and executed a malicious BAT script which then extracted a JavaScript payload and executed it via Windows’ wscript.exe. The JS payload then extracted a malicious DLL-based stager that established a connection to a command-and-control server.

While the most-recent attacks used malicious executables stored inside archives as the first stage, Mustang Panda also used malicious Word documents (maldocs) in the past that relied on macros to execute a DLL payload and start the infection chain. Those past attacks primarily targeted organizations in Asia.

Mustang Panda is a versatile threat actor

All these techniques are worth mentioning because they showcase the versatility of the group and its ability to customize its delivery mechanisms and implants based on what might be most successful against its intended targets. The group could switch between these different components, shells, stagers and Trojans at any time.

“Over the years, Mustang Panda has evolved their tactics and implants to target a wide range of entities spanning multiple governments in three continents, including the European Union, the U.S., Asia, and pseudo allies such as Russia,” the Cisco Talos researchers said. “By using summit- and conference-themed lures in Asia and Europe, this attacker aims to gain as much long-term access as possible to conduct espionage and information theft.”