The China-based threat actor known as Panda Mustang it is suspected to have targeted Myanmar’s Ministry of Defense and Foreign Affairs as part of a dual campaign designed to implement backdoors and remote access Trojans.
The findings come from the CSIRT-CTI, which said the activities took place in November 2023 and January 2024 after artifacts related to the attacks were uploaded to the VirusTotal platform.
“The most notable of these TTPs is the use of legitimate software, including a binary developed by the engineering firm Bernecker & Rainer (B&R) and a Windows 10 Update Assistant component to load dynamic-link libraries (DLLs) harmful,” CSIRT-CTI said.
Mustang Panda, which has been active since at least 2012, is also recognized by the cybersecurity community under the names BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus and TEMP.Hex.
In recent months, the adversary has been credited with attacks against an unnamed Southeast Asian government and the Philippines to provide backdoors capable of gathering sensitive information.
The November 2023 infection sequence begins with a phishing email containing a booby-trapped ZIP archive attachment containing a legitimate executable (“NDSC.exe Third Encounter Analysis”) originally signed by B&R Industrial Automation GmbH and a DLL file (“BrMod104 .dll”).
The attack exploits the fact that the binary is susceptible to DLL search order hijacking to sideload the rogue DLL and subsequently establish persistence and contact with a command and control (C2) server and retrieve a known backdoor called PUBLOAD, which, in turn, serves as a custom loader to release the PlugX implant.
“Threat actors attempt to disguise the [C2] traffic while Microsoft updates the traffic by adding the headers “Host: www.asia.microsoft.com” and “User-Agent: Windows-Update-Agent”,” CSIRT-CTI noted, mirroring a May 2023 campaign disclosed by Lab52.
On the other hand, the second campaign observed earlier this month uses an optical disk image (“ASEAN Notes.iso”) containing LNK shortcuts to trigger a multi-step process that uses another custom-made loader called TONESHELL to probably deploy PlugX from an inaccessible C2 ora-server system.
It is worth noting that a similar attack chain attributed to Mustang Panda was previously discovered by EclecticIQ in February 2023 during intrusions targeting government and public sector organizations in Asia and Europe.
“Following rebel attacks in northern Myanmar [in October 2023]China has expressed concern about its effects on trade routes and security around the Myanmar-China border,” CSIRT-CTI said.
“Taurus’ majestic operations are known to be in line with the Chinese government’s geopolitical interests, including multiple cyber espionage operations against Myanmar in the past.”