Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2

Summary:
Zscaler ThreatLabz recently uncovered new espionage tools used by the China-linked group Mustang Panda, including two keyloggers named PAKLOG and CorKLOG, as well as an EDR evasion driver called SplatCloak. These tools were discovered on the same staging server previously used to distribute malware like ToneShell and StarProxy.

PAKLOG is a keylogger that captures keystrokes and clipboard contents through Windows APIs, encodes the collected data with a custom character encoding scheme, and writes it to a local file. It has no exfiltration capability of its own, so the operators appear to retrieve the log with other tooling. It is delivered in a RAR archive containing a legitimate binary that sideloads a malicious DLL, which starts the keylogging routine.

CorKLOG is a second keylogger that writes captured keystrokes to a file encrypted with RC4 under a 48-character key. It persists either as a service or as a scheduled task, chosen according to the privilege level it runs with. The DLL sideloading chain in its delivery package is broken, but the configuration handling and encryption logic are deliberately engineered: the embedded settings are decrypted by multiple XOR passes over the data using offsets into a shared key.
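The report states that CorKLOG writes captured keystrokes to a file encrypted with RC4 under a 48-character key. As an added example that is not code from the report or from the malware, the following Python implements RC4 so a responder can decrypt such a file once the key has been recovered from a sample. The key, the plaintext and the log line format below are constructed placeholders; the report does not give them, and the real file layout must be taken from the sample.

```python
"""Minimal RC4 for recovering a CorKLOG-style keystroke file.

Added example for this brief, not code from the Zscaler report or the malware.
The report only states that CorKLOG encrypts its keystroke file with RC4 under
a 48-character key; the key, plaintext and line format below are constructed
for illustration and must be replaced with values recovered from the sample.
"""


def rc4_ksa(key: bytes) -> list[int]:
    """Key-scheduling algorithm: build the 256-byte permutation from the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:  # pseudo-random generation algorithm, one keystream byte per input byte
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed 48-character key standing in for the one recovered from a sample.
SAMPLE_KEY = b"0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKL"
assert len(SAMPLE_KEY) == 48


def decrypt_keylog(blob: bytes, key: bytes = SAMPLE_KEY) -> str:
    """Decrypt an RC4-encrypted keystroke file and decode it as text."""
    return rc4_crypt(key, blob).decode("utf-8", errors="replace")


def encrypt_keylog(text: str, key: bytes = SAMPLE_KEY) -> bytes:
    """Produce a constructed ciphertext of the kind decrypt_keylog expects."""
    return rc4_crypt(key, text.encode("utf-8"))


if __name__ == "__main__":
    # Constructed log line; the real CorKLOG record format is not given in the report.
    sample = "[2025-04-10 09:12:03] notepad.exe: hello world\n"
    blob = encrypt_keylog(sample)
    print(decrypt_keylog(blob), end="")
```

Because RC4 has no integrity protection, a wrong key produces plausible-looking garbage rather than an error; check the decrypted output for the expected record structure before trusting it.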

SplatCloak is a Windows kernel-mode driver intended to evade detection by disabling kernel-level callbacks used by Microsoft Defender and Kaspersky. It is deployed via a component named SplatDropper, which decrypts the driver, installs it as a Windows service, and then removes traces of itself. SplatDropper uses obfuscated API resolution based on hashing and generates random service names to evade detection and analysis. The SplatCloak driver works by parsing kernel structures to locate and neutralize callbacks responsible for process creation, thread creation, image loading, and registry operations. It identifies Windows Defender components by filename and disables associated callbacks. For Kaspersky, it inspects code signing certificates for identifying markers such as the keyword "kaspersky" and removes corresponding callbacks. For protected objects like PsProcessType and PsThreadType, the driver disables callbacks by toggling internal flags.


Security Officer Comments:
These tools share technical characteristics with previously known Mustang Panda malware, such as RC4 encryption, control flow flattening, and obfuscation techniques. The infrastructure hosting these new tools matches domains and servers tied to past operations. From a targeting perspective, Mustang Panda continues to focus on geopolitical entities, including NGOs and organizations in Myanmar, consistent with the group’s established behavior.


Suggested Corrections:

IOCs:
https://www.zscaler.com/blogs/secur...anda-arsenal-paklog-corklog-and-splatcloak-p2

1. Validate EDR and AV integrity: Regularly verify that endpoint security tools are running with their protections enabled and have not been tampered with. A driver such as SplatCloak removes the product's kernel callbacks rather than stopping it outright, so a service that merely reports as running is not proof of coverage.
2. Block DLL sideloading: Use application control (for example WDAC or AppLocker) to prevent sideloading and block execution of unsigned or unexpected DLLs, in particular DLLs loaded by a legitimate binary from a user-writable directory.
3. Monitor for persistence: Audit scheduled tasks and services for unusual or machine-generated names, binaries in user-writable paths, and frequent execution. Windows Event ID 7045 (service installed) and Event ID 4698 (scheduled task created) cover both mechanisms used by CorKLOG and SplatDropper.
4. Detect input logging: Alert on processes that install keyboard hooks or poll key state, or that read the clipboard, outside the set of applications expected to do so.
5. Block revoked and unwanted drivers: Prevent loading of drivers signed with revoked certificates, enable Secure Boot, and where the hardware allows, turn on Hypervisor-protected Code Integrity (HVCI) with the Microsoft vulnerable driver blocklist. A kernel-mode driver such as SplatCloak has to load before it can disable the callbacks, so blocking the load is the most effective control.
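The SplatDropper behaviour described earlier (a kernel driver installed as a service under a generated name) and corrections 3 and 5 both come down to watching service and scheduled-task creation. As an added example that is not code from the report, the following Python runs that triage over constructed records shaped like Windows System log Event ID 7045 and Security log Event ID 4698; the field layout, the trusted-directory list and the random-name heuristic are assumptions to tune against a real inventory.

```python
"""Hunt for service, driver and scheduled-task persistence of the kind
described above.

Added example for this brief, not code from the Zscaler report. It runs over
constructed records shaped like Windows System log Event ID 7045 (service
installed) and Security log Event ID 4698 (scheduled task created); the field
names, the trusted-path list and the name heuristic are assumptions.
"""
import json
import re

# Directories from which services and drivers are normally loaded (assumption).
TRUSTED_PREFIXES = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32",
    r"c:\program files (x86)",
    r"c:\program files",
)

# Constructed sample events (one JSON object per line), not real telemetry.
SAMPLE_EVENTS = r"""
{"log": "System", "id": 7045, "ServiceName": "WdFilter", "ImagePath": "C:\\Windows\\System32\\drivers\\WdFilter.sys", "ServiceType": "kernel mode driver"}
{"log": "System", "id": 7045, "ServiceName": "xKq9vRtzLm", "ImagePath": "C:\\Users\\Public\\Libraries\\xKq9vRtzLm.sys", "ServiceType": "kernel mode driver"}
{"log": "System", "id": 7045, "ServiceName": "UpdateHelperSvc", "ImagePath": "C:\\ProgramData\\Update\\helper.exe", "ServiceType": "user mode service"}
{"log": "Security", "id": 4698, "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "Command": "%windir%\\system32\\defrag.exe"}
{"log": "Security", "id": 4698, "TaskName": "\\OneDriveSync", "Command": "C:\\Users\\alice\\AppData\\Roaming\\sync\\sync.exe"}
"""


def normalize_path(path: str) -> str:
    """Lower-case, strip quotes and expand the common Windows directory variables."""
    p = path.strip().strip('"').lower()
    for var in ("%windir%", "%systemroot%"):
        p = p.replace(var, r"c:\windows")
    return p


def is_trusted_path(path: str) -> bool:
    """True when the binary sits under a directory normal software installs into."""
    return normalize_path(path).startswith(TRUSTED_PREFIXES)


VOWELS = set("aeiouAEIOU")


def looks_random(name: str) -> bool:
    """Heuristic for generated service names: a single alphanumeric token that is
    nearly vowel-free, mixes digits into a vowel-poor string, or contains a long
    consonant run. Tune the thresholds against your own service inventory."""
    if not re.fullmatch(r"[A-Za-z0-9]{8,}", name):
        return False
    vowel_ratio = sum(ch in VOWELS for ch in name) / len(name)
    has_digit = any(ch.isdigit() for ch in name)
    long_consonant_run = re.search(r"[^aeiouAEIOU0-9]{5,}", name) is not None
    return vowel_ratio < 0.2 or (has_digit and vowel_ratio < 0.35) or long_consonant_run


def triage(event: dict) -> list[str]:
    """Return the findings for one event, empty when nothing is suspicious."""
    findings = []
    if event["id"] == 7045:
        name, path = event["ServiceName"], event["ImagePath"]
        is_driver = "kernel" in event["ServiceType"].lower()
        if not is_trusted_path(path):
            kind = "kernel-mode driver" if is_driver else "service binary"
            findings.append(f"{kind} installed from untrusted path: {name} <- {path}")
        if looks_random(name):
            findings.append(f"service name looks machine-generated: {name}")
    elif event["id"] == 4698:
        if not is_trusted_path(event["Command"]):
            findings.append(
                f"scheduled task runs from untrusted path: {event['TaskName']} <- {event['Command']}"
            )
    return findings


def hunt(events: str) -> dict[str, list[str]]:
    """Map each suspicious service or task name to its list of findings."""
    results: dict[str, list[str]] = {}
    for line in events.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hits = triage(event)
        if hits:
            results[event.get("ServiceName") or event.get("TaskName")] = hits
    return results


if __name__ == "__main__":
    for name, hits in hunt(SAMPLE_EVENTS).items():
        for hit in hits:
            print(f"[!] {name}: {hit}")
```

On the constructed input the Defender filter driver and the built-in defrag task pass, while the driver installed from a user-writable directory under a generated name produces two findings. Legitimate products also register oddly named drivers, so treat the name check as one signal to combine with the image path and signer rather than as a verdict on its own.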


Link(s):
https://www.zscaler.com/blogs/secur...anda-arsenal-paklog-corklog-and-splatcloak-p2