Chinese state-sponsored threat actor Mustang Panda (also known as LuminousMoth, Camaro Dragon, HoneyMyte, and more) has been found launching malware campaigns against high-value targets, including government agencies in Asia.
The group used a variant of the HIUPAN worm to deliver PUBLOAD malware into its targets' networks via removable drives. To obscure its presence, the HIUPAN worm moved all of its files into a hidden directory, leaving only one seemingly legitimate file ("USBConfig.exe") visible on the drive to trick the user.
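A triage heuristic based on the drive layout described above, written as an added example for this article (it is not code from Trend Micro, BleepingComputer, or the HIUPAN sample itself): it inspects the root of a removable drive, separates hidden directories from visible entries, and flags a drive whose only visible entry is an executable while further executables sit inside hidden directories. The sample drives it builds are constructed for the demonstration; only the file name "USBConfig.exe" comes from the article, and the hidden directory name `.cache` and the files inside it are assumptions, not real HIUPAN artifacts.

```python
import os
import stat
import tempfile
from pathlib import Path

# File types that, sitting alone on an otherwise empty-looking drive, deserve a second look.
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".lnk"}


def is_hidden(path: Path) -> bool:
    """True if the entry is hidden: a leading dot (checked on every OS so the
    constructed sample below behaves the same everywhere) or, on Windows,
    the FILE_ATTRIBUTE_HIDDEN bit."""
    if path.name.startswith("."):
        return True
    try:
        attrs = os.stat(path).st_file_attributes  # only present on Windows
    except AttributeError:
        return False
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def triage_drive(root) -> dict:
    """Inspect the root of a (removable) drive and flag the layout the article
    describes: a single visible executable plus executables in hidden directories."""
    root = Path(root)
    visible, hidden_dirs = [], []
    for entry in root.iterdir():
        if is_hidden(entry):
            if entry.is_dir():
                hidden_dirs.append(entry)
        else:
            visible.append(entry)

    # Executables stashed anywhere below a hidden directory, as drive-relative POSIX paths
    hidden_executables = sorted(
        p.relative_to(root).as_posix()
        for d in hidden_dirs
        for p in d.rglob("*")
        if p.is_file() and p.suffix.lower() in EXECUTABLE_EXTS
    )
    lone_exe = (
        len(visible) == 1
        and visible[0].is_file()
        and visible[0].suffix.lower() in EXECUTABLE_EXTS
    )
    return {
        "visible": sorted(p.name for p in visible),
        "hidden_dirs": sorted(p.name for p in hidden_dirs),
        "hidden_executables": hidden_executables,
        "suspicious": lone_exe and bool(hidden_executables),
    }


def build_sample_drive(base=None, infected=True) -> Path:
    """Constructed sample drive roots for offline testing. Only 'USBConfig.exe'
    comes from the article; the hidden directory name and the files inside it
    are invented, not real HIUPAN artifacts."""
    base = Path(base) if base else Path(tempfile.mkdtemp())
    root = base / ("infected" if infected else "clean")
    root.mkdir(parents=True, exist_ok=True)
    if infected:
        (root / "USBConfig.exe").write_bytes(b"MZ")        # the one visible decoy
        stash = root / ".cache"                             # hidden directory (assumed name)
        stash.mkdir(exist_ok=True)
        (stash / "loader.dll").write_bytes(b"MZ")           # assumed file names
        (stash / "payload.dat").write_bytes(b"\x00" * 16)
    else:
        (root / "report.docx").write_bytes(b"PK")
        (root / "photos").mkdir(exist_ok=True)
        (root / "photos" / "img001.jpg").write_bytes(b"\xff\xd8")
    return root


if __name__ == "__main__":
    for flag in (True, False):
        result = triage_drive(build_sample_drive(infected=flag))
        print("suspicious" if result["suspicious"] else "clean", result)
```

The check is a heuristic, not a signature: a portable application shipped as one executable next to a hidden data directory will also trip it, so treat a hit as a reason to image the drive and inspect the hidden directory, not as a verdict on its own. On Windows the hidden attribute check matters more than the dot-prefix rule, since Explorer hides entries by attribute rather than by name.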
PUBLOAD served as the campaign's primary control tool, collecting data and sending it to the threat actor's remote server; PTSOCKET was often used as an alternative exfiltration tool.
A familiar story
An investigation by Trend Micro details how Mustang Panda's malware deployment has advanced, especially in attacks against military, government, and education agencies in the APAC region.
This is a change from recent reports that the group was using WispRider variants to carry out similar DLL sideloading through USB drives. That earlier campaign is said to have infected devices around the world, including in the UK, Russia, and India.
The group was also linked to a spear-phishing campaign in June of this year, demonstrating its ability to abuse Microsoft's cloud services and to chain multi-stage downloaders. The group remains highly active and looks set to continue operating for the foreseeable future.
This is one of many suspected Chinese state-sponsored attacks in recent times, with campaigns against a range of targets, including Russian government devices compromised by phishing attacks.
Via BleepingComputer