Wednesday, January 31, 2024

Chinese Hackers Are Attacking Myanmar's Ministry of Defence and Other Officials

The China-based threat actor known as Mustang Panda, suspected to be behind a series of cyber campaigns, has allegedly targeted Myanmar's Ministry of Defence and Ministry of Foreign Affairs. According to findings by CSIRT-CTI, the activity occurred in November 2023 and January 2024. The threat actor, active since at least 2012, is tracked under various names in the cybersecurity community, including BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus, and TEMP.Hex.

The attacks involved the use of legitimate software, including a binary developed by engineering firm Bernecker & Rainer (B&R) and a component of the Windows 10 upgrade assistant to sideload malicious dynamic-link libraries (DLLs). In November 2023, a phishing email with a booby-trapped ZIP archive attachment was employed to initiate the infection sequence. The attack utilized a legitimate executable signed by B&R and a DLL file to establish persistence, contact a command-and-control (C2) server, and retrieve a known backdoor called PUBLOAD, eventually leading to the deployment of the PlugX implant.


In another campaign observed in January 2024, an optical disc image was used to trigger a multi-stage process employing a bespoke loader called TONESHELL, likely deploying PlugX from a C2 server. The threat actors attempted to disguise the C2 traffic as Microsoft update traffic by manipulating headers.
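As an added defensive example (not code from the original post or from CSIRT-CTI's report), the following Python script shows one way to hunt in proxy logs for the header-masquerading technique described above: requests whose User-Agent claims to be a Windows Update client but whose destination host is not a Microsoft update domain. The key=value log format, the sample lines, the allowlist of trusted host suffixes and the User-Agent markers are all constructed assumptions for illustration; they do not reproduce the specific headers the campaign manipulated.

```python
"""Flag HTTP requests that present themselves as Windows Update traffic
but are sent to a host outside Microsoft's update infrastructure."""
import re
from dataclasses import dataclass

# Assumption: a short illustrative allowlist of update destinations, not
# Microsoft's complete published list of update endpoints.
TRUSTED_UPDATE_SUFFIXES = ("microsoft.com", "windowsupdate.com")

# Assumption: User-Agent fragments that genuine update clients commonly send.
UPDATE_UA_MARKERS = ("Windows-Update-Agent", "Microsoft-Delivery-Optimization")

# Constructed sample proxy log (key=value fields, quoted User-Agent).
# Non-Microsoft hosts use reserved example/documentation names only.
SAMPLE_LOG = """\
ts=2024-01-15T09:12:03Z src=10.0.0.15 host=fe3.delivery.mp.microsoft.com method=GET ua="Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.0"
ts=2024-01-15T09:12:41Z src=10.0.0.15 host=cdn-sync.example.invalid method=POST ua="Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.0"
ts=2024-01-15T09:13:07Z src=10.0.0.22 host=www.example.com method=GET ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
ts=2024-01-15T09:13:55Z src=10.0.0.15 host=198.51.100.23 method=GET ua="Microsoft-Delivery-Optimization/10.0"
"""

# key=value where the value is either a double-quoted string or a bare token
LINE_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line: str) -> dict:
    """Parse one key=value log line into a dict, unquoting quoted values."""
    fields = {}
    for m in LINE_RE.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def host_is_trusted(host: str) -> bool:
    """True if the host is a trusted update domain or a subdomain of one.
    Suffix matching is anchored on a dot so that e.g.
    'microsoft.com.example.invalid' is not accepted."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_UPDATE_SUFFIXES)


def claims_update_client(user_agent: str) -> bool:
    """True if the User-Agent presents itself as a Windows Update client."""
    return any(marker in user_agent for marker in UPDATE_UA_MARKERS)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    host: str
    reason: str


def find_masqueraded_update_traffic(log_text: str) -> list:
    """Return an Alert for every request whose headers claim to be update
    traffic while the destination is not a trusted update host."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        ua = fields.get("ua", "")
        host = fields.get("host", "")
        if claims_update_client(ua) and not host_is_trusted(host):
            alerts.append(Alert(
                ts=fields.get("ts", ""),
                src=fields.get("src", ""),
                host=host,
                reason="update-client User-Agent sent to non-Microsoft host",
            ))
    return alerts


if __name__ == "__main__":
    for alert in find_masqueraded_update_traffic(SAMPLE_LOG):
        print(f"{alert.ts} {alert.src} -> {alert.host}: {alert.reason}")
```

Running the script against the constructed log flags the two requests from 10.0.0.15 that carry an update-client User-Agent but go to `cdn-sync.example.invalid` and to a bare IP address; the genuine request to `fe3.delivery.mp.microsoft.com` and the ordinary browser request are left alone. In a real deployment the allowlist would be populated from Microsoft's published update endpoints, and the same host-versus-header mismatch check can be extended to other headers an update client is expected to send.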


The Stately Taurus operations are noted to align with the geopolitical interests of the Chinese government. Mustang Panda's previous cyberespionage operations have also targeted Myanmar, coinciding with China's concerns about the impact of rebel attacks in northern Myanmar on trade routes and on security along the Myanmar-China border.
