The Blue Report 2024
Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.
Picus Labs has updated the Picus Threat Library with new attack methods for malware samples used in the Operation Dianxun espionage campaign of the Mustang Panda (also known as Bronze President, TEMP.Hex, HoneyMyte, and Red Lich) Advanced Persistent Threat (APT) Group, which has been active throughout 2014. Mustang Panda is a China-originated threat actor that has mainly targeted countries in Asia, Europe, and North America. The majority of the group's targets are in telecommunications, aviation, government, NGOs, and think tanks.
Mustang Panda utilizes a bunch of tools in its attack campaigns, including Red Delta Loader and Cobalt Strike beacons.
Operation Dianxun APT Campaign
This operation has been used for espionage purposes to access sensitive data and to spy on companies related to 5G technology [1]. It is believed that the attackers used a phishing website masquerading as the Huawei company career page. This operation uses a dropper which seems like an Adobe Flash Player. This dropper spreads a cobalt strike beacon into victim targets.
Picus Labs has updated the Picus Threat Library with the following malicious documents used in the Operation Dianxun of the Mustang Panda APT group:
Picus ID |
Threat Name |
778018 |
Cobalt Strike Beacon Downloader used by Mustang Panda Threat Group in Dianxun Campaign .EXE Variant-1 |
465445 |
Cobalt Strike Beacon Downloader used by Mustang Panda Threat Group in Dianxun Campaign .EXE Variant-2 |
605412 |
Cobalt Strike Beacon Downloader used by Mustang Panda Threat Group in Dianxun Campaign .EXE Variant-3 |
434099 |
Cobalt Strike Beacon Downloader used by Mustang Panda Threat Group in Dianxun Campaign .EXE Variant-4 |
697029 |
Cobalt Strike Beacon Downloader used by Mustang Panda Threat Group in Dianxun Campaign .EXE Variant-5 |
This attack includes downloading a .exe file of a Cobalt Strike Beacon dropper used by the Mustang Panda group in the Dianxun campaign. Operation Dianxun targets telecommunication companies. The tactics, techniques, and procedures (TTPs) used in the attack are like those observed in earlier campaigns publicly attributed to the threat actors RedDelta and Mustang Panda. This operation has been used for espionage purposes to access sensitive data and to spy on companies related to 5G technology. Samples of this attack are injected into explorer, into remote processes, and interact with the primary disk partition (DR0). They also spawn a lot of processes and modify file/console tracing settings (often used to hide footprints on the system) and read the active computer name. Lastly, these samples try to communicate with C2 servers.
Other Threats of Mustang Panda in Picus Threat Library
Picus Threat Library consists of 7 threats of the Mustang Panda threat group, including:
- InstallFlashPlayer Loader Malware used by Mustang Panda Threat Group
- RAT Malware used by Mustang Panda Threat Group
MITRE ATT&CK Techniques used by Mustang Panda
- T1053 - Scheduled Task
- T1047 - Windows Management Instrumentation
- T1036 - Masquerading
- T1112 - Modify Registry
- T1406 - Obfuscation of Files or Information
- T1218.011 - Signed Binary Proxy Execution
- T1518 - Software Discovery
References
[1] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-defenders-blog-operation-dianxun/