Mustang Panda hacking group takes advantage of Ukraine crisis in new attacks


Researchers have exposed a Mustang Panda campaign that is taking advantage of the Russia-Ukraine conflict to spread new malware.

On March 23, researchers from ESET said that Mustang Panda, a Chinese cyberespionage group also tracked as TA416, RedDelta, and Bronze President, has been spreading a new variant of the Korplug/PlugX Remote Access Trojan (RAT).

Korplug is a RAT previously used in attacks against the Afghan and Tajik militaries, targets across Asia, and high-value organizations in Russia. Researchers say variants of the Trojan have been used by Chinese threat actors since at least 2012.

The new variant, however, had stayed under the radar until now.

ESET has named the new sample Hodur. The new version shares some similarities with Thor, a variant of the malware that Palo Alto Networks documented in 2021 after it was deployed during the Microsoft Exchange Server attacks of that year.

Hodur is being spread through a phishing campaign that leverages topics of interest in Europe, including Russia's ongoing invasion of Ukraine. The attack wave is still active and has changed form repeatedly since August 2021, tracking current events.
</gm_replace>
<gr_replace lines="19" cat="clarify" orig="By adapting its phishing methods">
By adapting its phishing lures to current hot topics, conflicts, and news items, Mustang Panda has managed to infiltrate research organizations, internet service providers (ISPs), and systems belonging to European diplomatic missions in countries including Mongolia, Vietnam, Myanmar, Greece, Russia, South Africa, and Cyprus.

By adapting its phishing methods to see existent blistery topics, conflicts, and quality items, Mustang Panda has managed to successfully infiltrate probe organizations, net work providers (ISPs), and systems belonging to European diplomatic initiatives crossed countries including Mongolia, Vietnam, Myanmar, Greece, Russia, South Africa, and Cyprus.

While ESET is not certain how the campaign gains its initial foothold, phishing and watering-hole attacks are the likely means of initial access. Custom downloaders for Hodur have been found in several decoy documents with names including:

  • Situation astatine the EU borders with Ukraine.exe
  • COVID-19 travel restrictions EU reviews list of third countries.exe
  • State_aid__Commission_approves_2022-2027_regional_aid_map_for_Greece.exe

Decoys were also distributed with .doc and .PDF extensions.

If an intended victim opens the decoy and runs it, three components land on the target machine: a malicious .DLL, an encrypted Korplug payload, and an executable vulnerable to DLL search-order hijacking. Because Windows resolves a DLL loaded by name from the application's own directory before the system directories, an attacker who can place a same-named DLL beside the executable gets their code loaded without modifying the executable itself.

The .exe loads the .DLL, which then decrypts and unpacks the RAT. The Korplug variant establishes a backdoor, connects to its command-and-control (C2) server, and performs reconnaissance on the infected system.
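The three-file layout described above (a document-looking .exe, a DLL positioned for search-order hijacking, and an encrypted payload blob) is something an analyst can triage mechanically. The following Python script is an added example, not ESET's tooling or code from the original article: it scores a dropped-file set against those three artefacts plus a fourth, a PE header on a file whose extension does not claim to be executable. The DLL list, the entropy threshold, the "three or more words in an .exe name" rule and the sample files are all assumptions constructed for the example.

```python
"""Triage files dropped by a phishing decoy for the artefacts described
in the text: a document-looking .exe, a DLL placed beside an .exe for
search-order hijacking, and an encrypted payload blob.
Heuristic example only; the DLL list and thresholds are assumptions."""
import hashlib
import math
import re
from collections import Counter

# Small illustrative subset of Windows DLLs that applications commonly
# load by name, and so resolve from the .exe's directory first
# (assumption: not an exhaustive or authoritative list).
KNOWN_SYSTEM_DLLS = {
    "version.dll", "dwmapi.dll", "uxtheme.dll", "wtsapi32.dll",
    "cryptbase.dll", "profapi.dll", "userenv.dll", "dbghelp.dll",
}
EXEC_EXT = {"exe", "scr", "com", "pif"}
DOC_EXT = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "rtf"}
ENTROPY_THRESHOLD = 7.0  # bits per byte; encrypted data sits close to 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def split_ext(name: str) -> tuple:
    """Return (stem, ext) with ext lower-cased and without the dot."""
    stem, _, ext = name.rpartition(".")
    return (stem, ext.lower()) if stem else (name, "")


def is_decoy_name(name: str) -> bool:
    """Executable named to look like a document: a document extension
    followed by an executable one (report.doc.exe), or a sentence-like
    title of three or more words, as in the lures quoted above."""
    stem, ext = split_ext(name)
    if ext not in EXEC_EXT:
        return False
    if split_ext(stem)[1] in DOC_EXT:
        return True
    words = [w for w in re.split(r"[ _]+", stem) if w]
    return len(words) >= 3


def triage(files: dict) -> dict:
    """Map each file name (str) in files (name -> bytes) to its findings."""
    names = [n.lower() for n in files]
    has_exe = any(split_ext(n)[1] in EXEC_EXT for n in names)
    findings = {}
    for name, data in files.items():
        hits = []
        _, ext = split_ext(name)
        if is_decoy_name(name):
            hits.append("decoy-name")
        # A copy of a system DLL sitting next to an .exe in a
        # user-writable folder is the classic search-order hijack layout.
        if ext == "dll" and name.lower() in KNOWN_SYSTEM_DLLS and has_exe:
            hits.append("sideload-candidate")
        # PE magic on a file whose extension does not admit to being code.
        if data[:2] == b"MZ" and ext not in EXEC_EXT | {"dll", "sys", "ocx"}:
            hits.append("disguised-pe")
        if len(data) >= 256 and shannon_entropy(data) >= ENTROPY_THRESHOLD:
            hits.append("high-entropy")
        findings[name] = hits
    return findings


def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for an encrypted
    payload (constructed: a sha256 chain, not malware)."""
    out = bytearray()
    i = 0
    while len(out) < n:
        out += hashlib.sha256(i.to_bytes(4, "little")).digest()
        i += 1
    return bytes(out[:n])


# Constructed sample drop modelled on the layout described in the text.
SAMPLE_DROP = {
    "Situation at the EU borders with Ukraine.exe": b"MZ" + b"\x00" * 512,
    "version.dll": b"MZ" + b"\x00" * 512,
    "payload.dat": _pseudo_random(4096),
    "readme.txt": b"Commission approves regional aid map for Greece.\n" * 8,
}

if __name__ == "__main__":
    for fname, hits in triage(SAMPLE_DROP).items():
        print(f"{fname}: {', '.join(hits) or 'clean'}")
```

Run on a real sample, point `triage` at a dictionary built from the extracted archive or the dropper's working directory. None of the four signals is conclusive on its own; the combination of a sentence-titled .exe, a known DLL name beside it and a high-entropy blob in the same folder is what makes the layout worth escalating.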

In other security news this week, Google has removed a popular Android app from the Play Store after Pradeo warned that the application contained a Trojan able to harvest Facebook account credentials.
