Picus Threat Library Updated for Operation Dianxun Campaign of the Mustang Panda APT Group

Keep up to date with latest blog posts

Picus Labs has updated the Picus Threat Library with new attack methods for malware samples used in the Operation Dianxun espionage campaign of the Mustang Panda (also known as Bronze President, TEMP.Hex, HoneyMyte, and Red Lich) Advanced Persistent Threat (APT) Group, which has been active throughout 2014. Mustang Panda is a China-originated threat actor that has mainly targeted countries in Asia, Europe, and North America. The majority of the group's targets are in telecommunications, aviation, government, NGOs, and think tanks.

Mustang Panda utilizes a bunch of tools in its attack campaigns, including Red Delta Loader and Cobalt Strike beacons.

Operation Dianxun APT Campaign

This operation has been used for espionage purposes to access sensitive data and to spy on companies related to 5G technology [1]. It is believed that the attackers used a phishing website masquerading as the Huawei company career page. This operation uses a dropper which seems like an Adobe Flash Player. This dropper spreads a cobalt strike beacon into victim targets.

Picus Labs has updated the Picus Threat Library with the following malicious documents used in the Operation Dianxun of the Mustang Panda APT group:

Picus ID

Threat Name

778018

Cobalt Strike Beacon Downloader used by Mustang Panda Threat Group in Dianxun Campaign .EXE Variant-1

465445

Cobalt Strike Beacon Downloader used by Mustang Panda Threat Group in Dianxun Campaign .EXE Variant-2

605412

Cobalt Strike Beacon Downloader used by Mustang Panda Threat Group in Dianxun Campaign .EXE Variant-3

434099

Cobalt Strike Beacon Downloader used by Mustang Panda Threat Group in Dianxun Campaign .EXE Variant-4

697029

Cobalt Strike Beacon Downloader used by Mustang Panda Threat Group in Dianxun Campaign .EXE Variant-5

This attack includes downloading a .exe file of a Cobalt Strike Beacon dropper used by the Mustang Panda group in the Dianxun campaign. Operation Dianxun targets telecommunication companies. The tactics, techniques, and procedures (TTPs) used in the attack are like those observed in earlier campaigns publicly attributed to the threat actors RedDelta and Mustang Panda. This operation has been used for espionage purposes to access sensitive data and to spy on companies related to 5G technology. Samples of this attack are injected into explorer, into remote processes, and interact with the primary disk partition (DR0). They also spawn a lot of processes and modify file/console tracing settings (often used to hide footprints on the system) and read the active computer name. Lastly, these samples try to communicate with C2 servers.

Other Threats of Mustang Panda in Picus Threat Library

Picus Threat Library consists of 7 threats of the Mustang Panda threat group, including:

  • InstallFlashPlayer Loader Malware used by Mustang Panda Threat Group
  • RAT Malware used by Mustang Panda Threat Group

 MITRE ATT&CK Techniques used by Mustang Panda

  • T1053 - Scheduled Task
  • T1047 - Windows Management Instrumentation
  • T1036 - Masquerading 
  • T1112 - Modify Registry 
  • T1406 - Obfuscation of Files or Information 
  • T1218.011 - Signed Binary Proxy Execution
  • T1518 - Software Discovery

References

[1] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-defenders-blog-operation-dianxun/

 

Subscribe

Keep up to date with latest blog posts