Chinese state-sponsored cybercriminal Mustang Panda (also known as LuminousMoth, Camaro Dragon, HoneyMyte and more) is launching malware campaigns targeting high-value targets, including government agencies in Asia.
The group used a variant of the HIUPAN worm to deliver PUBLOAD malware into its targets’ networks via removable drives. The HIUPAN worm moved all of its files to a hidden directory to hide its presence, leaving only one seemingly legitimate file visible (“USBConfig.exe”) to trick the user.
The PUBLOAD tool was used as the primary control for the campaign, exfiltrating data and sending it to the threat actor’s remote server. PTSOCKET was often used as an alternative data extraction tool.
A familiar story
A research by TrendMicro describes the advancements in Mustang Panda malware implementation, specifically in its use against military, government, and educational institutions in the APAC region.
This is a change from recent reports published by the organization. using WispRider variants to perform similar DLL sideloading techniques via USB drives. The previous campaign reportedly infected devices worldwide, including in the UK, Russia, and India.
The group was also linked to a spearphishing campaign in June of this year, demonstrating its ability to exploit Microsoft’s cloud services and leverage multi-stage downloaders. The group remains very active in the cyber landscape and looks set to remain active for the foreseeable future.
This is one of several suspected Chinese state-sponsored attacks in recent times, with campaigns against a series of targetsincluding Russian government devices compromised by phishing attacks.
Via BleepingComputer