Summary:
Researchers at CrowdStrike Falcon Intelligence identified a previously unattributed TA group targeting a U.S.-based think tank with ties to China in April 2017 which revealed a larger campaign attributed to the China-based adversary Mustang Panda. Mustang Panda has likely been operational since 2014 targeting government organizations, nonprofits, religious institutions, and other NGOs across the U.S., Europe, Mongolia, Myanmar, Pakistan, Vietnam, and other regions with LNK files associated with the APT group. The activity of these newly-documented campaigns was conducted in May and April 2024 and communicated with the same C2 server. The adversary utilizes lures related to Tax Compliance and the education sector to convince victims to execute the LNK file in the May activity. In the identified activity from April 2024, the adversary used lures related to the education sector. The initial access technique is performed using spam emails with attachments. To evade detection and increase file size, threat actors (TA) have ingeniously embedded partial lure documents within the malicious LNK files. The threat actor used a double extension, where the LNK file was masquerading as a PDF document. The campaign utilizes rundll32 and DLL sideloading techniques to execute malicious DLLs on victim systems. This allows the threat actor to maintain persistence and further execute malicious shellcode. During analysis, the Command and Control (C&C) server remained inactive, preventing CRIL from observing any further responses. The threat actors behind this Mustang Panda are known to send the next stage of shellcode, which could potentially load the PlugX RAT. PlugX, a Remote Access Trojan (RAT) malware variant active since 2008, is a powerful backdoor that grants full control over the victim’s machine.

Security Officer Comments:
Mustang Panda’s Chinese affiliation suggests this activity cluster could be state-sponsored activity. Although Mustang Panda targeting organizations across multiple countries, this specific activity has an emphasized focus on Vietnam. By abusing legitimate tools like forfiles[.]exe to execute malicious code hosted from a C2 server, Mustang Panda is able to better evade detection. The threat actor’s utilization of tax compliance documents as a lure suggests that they are financially motivated.

Suggested Corrections:
Recommendations from Cyble Research and Intelligence Labs (CRIL) relevant to this campaign:

• This campaign reaches users via potential phishing campaigns, so exercise extreme caution when handling email attachments and external links. Always verify the legitimacy of the sender and links before opening them.
• The campaign abused the legitimate forfiles utility; hence, it is advised to monitor the activities conducted by the forfiles utility.
• Vigilantly monitor script execution originating from suspicious directory locations, as cyber attackers frequently leverage malicious scripts as integral components of their malware execution methodology.
• Implement application whitelisting to restrict rundll32.exe execution to authorized processes and paths, reducing the risk of malware launching LNK files through this method.
• Deploy robust antivirus and anti-malware solutions to detect and eliminate malicious executable files.
• Enhance system security by using strong, unique passwords for each account and enabling two-factor authentication whenever possible.
• Implement network-level monitoring to detect unusual activities or data exfiltration by malware. Block suspicious actions to prevent potential breaches.
• Regularly back up data to ensure recovery in case of infection and keep users informed about the latest phishing and social engineering techniques used by cybercriminals.

This campaign’s relevant IOCs can be found here.

Link(s):
https://cyble.com/blog/vietnamese-entities-targeted-by-china-linked-mustang-panda-in-cyber-espionage/