A Chinese state-sponsored threat actor known as Mustang Panda is targeting government organizations and researchers around the world with three malware variants hosted on Google Drive, Dropbox and similar cloud storage services.
Trend Micro researchers recently uncovered the campaign, which mainly targets organizations in Australia, Japan, Taiwan, Myanmar and the Philippines.
The campaign began in March 2022 and ran at least until October. The attackers sent phishing emails whose To header pointed at a fake address while the real victim appeared only in the CC header. The researchers suspect this was meant to reduce the chance of the message being flagged by antivirus tools, email security solutions and the like.
Delivery of malicious archives
“The subject of the email may be empty or have the same name as the malicious archive,” the report said. “Instead of adding the victims’ addresses to the ‘To’ header of the email, the attackers used spoofed emails. Meanwhile, real victims’ addresses have been written into the ‘CC’ header, likely escaping security analysis and slowing down investigations.”
To avoid detection, the attackers also store the malware in a .ZIP or .RAR archive on legitimate cloud storage services, since these platforms are usually whitelisted by security tools. Should the victim fall for the lure, download the archive and execute its contents, they would receive three custom malware strains: PubLoad, ToneIns and ToneShell.
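The two delivery tricks described above (victim only in CC, payload archive hosted on a whitelisted cloud service) are cheap to check for at the mail gateway or in a SOC triage script. The following is an added example written for this page, not code from Trend Micro or from the malware itself: it parses a raw message, flags when the recipient's own mailbox appears only in the CC header, looks for .zip/.rar links on Google Drive or Dropbox, and compares the subject against the linked archive name. The two sample messages, the link pattern and the `triage` function name are constructed here for illustration and are not indicators from the report.

```python
"""Triage check for the CC-only recipient plus cloud-hosted archive pattern.

Added example, not part of the original article or the Trend Micro report.
Sample messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Hosts named in the article; other hosts are ignored by this check (assumption).
CLOUD_HOSTS = ("drive.google.com", "dropbox.com")
# Direct links ending in .zip/.rar. Real share links often hide the filename,
# so this pattern is deliberately narrow (assumption for illustration only).
ARCHIVE_LINK = re.compile(r"https?://([A-Za-z0-9.-]+)/\S*?\.(?:zip|rar)\b", re.IGNORECASE)


def _addresses(msg: Message, header: str) -> set[str]:
    """Lower-cased addresses from every instance of a header (empty if absent)."""
    return {addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr}


def _text_body(msg: Message) -> str:
    """Decode every text/plain and text/html part so links can be extracted."""
    chunks = []
    for part in msg.walk():  # walk() yields the message itself when not multipart
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def cloud_archive_links(body: str) -> list[str]:
    """Return archive links whose host is (or is a subdomain of) a cloud-storage host."""
    hits = []
    for m in ARCHIVE_LINK.finditer(body):
        host = m.group(1).lower()
        if any(host == h or host.endswith("." + h) for h in CLOUD_HOSTS):
            hits.append(m.group(0))
    return hits


def triage(raw_message: str, own_mailbox: str) -> dict:
    """Score one raw RFC 5322 message against the delivery pattern described above."""
    msg = message_from_string(raw_message)
    own = own_mailbox.lower()
    to_addrs = _addresses(msg, "To")
    cc_addrs = _addresses(msg, "Cc")
    subject = (msg.get("Subject") or "").strip()
    links = cloud_archive_links(_text_body(msg))
    # Filename of each linked archive, compared against the subject line.
    archive_names = {link.rsplit("/", 1)[-1].lower() for link in links}
    findings = {
        "cc_only_recipient": own in cc_addrs and own not in to_addrs,
        "subject_empty_or_archive_name": subject == "" or subject.lower() in archive_names,
        "cloud_archive_links": links,
    }
    # Both tricks together are the signal; either alone is common in benign mail.
    findings["suspicious"] = findings["cc_only_recipient"] and bool(links)
    return findings


# Constructed sample: victim only in CC, subject equals the archive name, Dropbox link.
PHISH = """\
From: Press Office <press@example.org>
To: nobody@example.net
Cc: analyst@victim.example
Subject: Report.rar
Content-Type: text/plain; charset=utf-8

Please review the material:
https://www.dropbox.com/s/abc123/Report.rar
"""

# Constructed sample: ordinary internal mail, recipient in To, no archive link.
BENIGN = """\
From: Colleague <colleague@victim.example>
To: analyst@victim.example
Subject: Meeting notes
Content-Type: text/plain; charset=utf-8

Notes are in the shared folder, nothing attached.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(label, triage(raw, "analyst@victim.example"))
```

Run it against mailbox exports (or wire `triage` into a gateway hook) with the recipient's real address as `own_mailbox`; the CC-only condition is the part that generic attachment scanners miss, which is why it is combined with the cloud-archive link rather than used on its own.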
PubLoad is a stager that downloads the next-stage payload from its C2 server; it also adds registry keys and scheduled tasks to establish persistence. ToneIns is an installer for ToneShell, the main backdoor. Although the chain may sound overly complex, the researchers explained that it doubles as an anti-sandbox mechanism, since the backdoor does not run in a debugging environment.
The backdoor's main tasks are uploading, downloading and executing files. Among other things, it can also spawn shells for data exchange within the intranet and change its sleep configuration. The malware has gained several new features recently, the researchers say, which suggests Mustang Panda is actively improving its toolkit and becoming more dangerous.
Via: BleepingComputer