Government, research, and academic institutions worldwide have been targeted by a spearphishing campaign attributed to state-sponsored Chinese hackers. As part of this campaign, the attackers deliver custom malware hosted on Google Drive.
Researchers attribute the attacks to the cyber-espionage APT group Earth Preta (aka Mustang Panda, Bronze President, TA416). Trend Micro researchers monitored the group's operations between March and October 2022.
To trick their targets into downloading the custom malware from Google Drive, the attackers sent malicious emails with a variety of lures from Google accounts.
The threat group mainly targeted organizations in the following countries:-
Around 84% of the messages sent to government and legal organizations had geopolitical themes and subjects.
The following organizations were among those mainly targeted:-
According to the Trend Micro report, the embedded links point to a Google Drive or Dropbox folder in order to circumvent security controls: both platforms are legitimate and well-reputed, so links to them attract less suspicion.
These links lead to compressed archives such as the ones listed below:-
The archives contain malware strains including the following:-
The campaign uses the three malware strains mentioned above to target its victims.
An email subject that is empty, or that matches the name of the malicious archive, is an indicator of these lure messages. The attackers used several malware-loading techniques, but DLL side-loading was the most common.
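The two indicators described above, the lure-mail pattern (empty subject or subject equal to the archive name, combined with a Google Drive or Dropbox link) and DLL side-loading, are the kind of thing a defender would turn into triage checks. The following is an added example, not code from Trend Micro or from the article: it runs both checks over constructed mail records and constructed Sysmon-style image-load events. The list of frequently side-loaded DLL names is illustrative, and reading "via Google accounts" as a gmail.com sender is an assumption.

```python
"""Triage checks for two indicators the article describes: lure e-mails with
an empty subject, or a subject equal to the archive name, that link to Google
Drive or Dropbox, and DLL side-loading as seen in image-load telemetry.

Added example, not code from Trend Micro or the article. The mail records,
the image-load events and the list of frequently side-loaded DLL names are
constructed for illustration; the Gmail sender check is an assumption about
what "via Google accounts" means.
"""
import ntpath
from urllib.parse import urlparse

FILE_SHARE_HOSTS = {"drive.google.com", "docs.google.com", "dropbox.com", "www.dropbox.com"}


def lure_reasons(msg):
    """Return the indicators matched by one mail record.

    msg keys: from, subject, archive (name of the linked/attached archive or
    an empty string), links (list of URLs)."""
    reasons = []
    subject = msg["subject"].strip()
    archive = msg.get("archive", "")
    if not subject:
        reasons.append("empty subject")
    elif archive and subject.lower() in (archive.lower(), ntpath.splitext(archive)[0].lower()):
        reasons.append("subject equals archive name")
    if msg["from"].lower().endswith("@gmail.com"):  # assumed reading of "Google accounts"
        reasons.append("sent from a Gmail account")
    for url in msg["links"]:
        host = (urlparse(url).hostname or "").lower()
        if host in FILE_SHARE_HOSTS:
            reasons.append(f"link to file-sharing host {host}")
    return reasons


def is_lure(msg):
    """Flag only when the subject indicator and a file-sharing link co-occur;
    either alone is far too common in legitimate mail."""
    reasons = lure_reasons(msg)
    has_subject_hit = any(r.startswith(("empty subject", "subject equals")) for r in reasons)
    has_share_link = any(r.startswith("link to file-sharing") for r in reasons)
    return has_subject_hit and has_share_link


# --- DLL side-loading (MITRE ATT&CK T1574.002) on Sysmon-style Event 7 records ---

# DLLs that live in System32 and are often planted next to a trusted EXE.
# Constructed list for this example, not taken from the article.
SIDELOAD_CANDIDATES = {"version.dll", "userenv.dll", "dwmapi.dll", "wtsapi32.dll", "cryptbase.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")


def parse_image_load(line):
    """Parse 'Key=Value|Key=Value' into a dict (constructed flat export format)."""
    return dict(field.split("=", 1) for field in line.split("|"))


def is_sideload_suspect(event):
    """Side-loading hallmark: a system-DLL name loaded from the loading EXE's own
    directory rather than from a Windows system directory, and unsigned."""
    image, loaded = event["Image"], event["ImageLoaded"]
    name = ntpath.basename(loaded).lower()
    if name not in SIDELOAD_CANDIDATES:
        return False
    if loaded.lower().startswith(SYSTEM_DIRS):
        return False  # loaded from where it legitimately lives
    if ntpath.dirname(loaded).lower() != ntpath.dirname(image).lower():
        return False  # not planted beside the loading executable
    return event.get("Signed", "false").lower() != "true"


def sideload_suspects(lines):
    return [e for e in map(parse_image_load, lines) if is_sideload_suspect(e)]


MAIL_SAMPLES = [  # constructed
    {"from": "someone@gmail.com", "subject": "", "archive": "Report.rar",
     "links": ["https://drive.google.com/file/d/EXAMPLEID/view"]},
    {"from": "hr@example.org", "subject": "Q3 budget review", "archive": "",
     "links": ["https://intranet.example.org/q3"]},
    {"from": "other@gmail.com", "subject": "Agenda", "archive": "Agenda.zip",
     "links": ["https://www.dropbox.com/s/EXAMPLEID/Agenda.zip?dl=1"]},
]

IMAGE_LOAD_EVENTS = [  # constructed
    r"Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true",
    r"Image=C:\Users\alice\AppData\Local\Temp\Update\installer.exe|ImageLoaded=C:\Users\alice\AppData\Local\Temp\Update\version.dll|Signed=false",
    r"Image=C:\Program Files\Vendor\tool.exe|ImageLoaded=C:\Windows\System32\dwmapi.dll|Signed=true",
    r"Image=C:\Users\bob\Downloads\report\viewer.exe|ImageLoaded=C:\Users\bob\Downloads\report\plugin.dll|Signed=false",
]

if __name__ == "__main__":
    for m in MAIL_SAMPLES:
        print(is_lure(m), lure_reasons(m))
    for e in sideload_suspects(IMAGE_LOAD_EVENTS):
        print("side-loading suspect:", e["Image"], "->", e["ImageLoaded"])
```

The mail check deliberately requires both the subject anomaly and the file-sharing link before flagging, since each alone is routine in legitimate traffic. The side-loading check keys on the combination that defines the technique (a system DLL name, loaded from the executable's own directory, outside the Windows system directories) rather than on any specific DLL, so it will also catch variants that use other DLL names once they are added to the candidate set.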
Stagers such as PubLoad establish persistence through the following means:-
Since introducing PubLoad, Mustang Panda has continued to improve the tool, adding more sophisticated anti-analysis mechanisms.
In the recent campaign, ToneIns served as the installer for ToneShell, the main backdoor. ToneIns drops the obfuscated ToneShell loader onto the compromised system and establishes persistence for it, helping the implant evade detection.
ToneShell is loaded directly into memory and functions as a standalone backdoor. It uses custom exception handlers to obfuscate its control flow and hinder analysis.
The TTPs seen in this campaign resemble those Secureworks reported for Mustang Panda earlier this year. The latest campaign shows that the group has acquired a better toolset and is expanding its capabilities considerably.
This makes it easier for the group to gather intelligence on its targets and breach their defenses.
ESET's March 2022 report found that, beyond its short-term bursts of focused activity, Mustang Panda remains a cyberespionage threat to organizations worldwide across:-
Experts recommend the following as part of an organization's mitigation plan:-