Mustang Panda targets European diplomats using enhanced PlugX backdoor

Threat Level – Amber | Vulnerability Report

Mustang Panda, a Chinese cyberespionage group, has been targeting European diplomats with a revised version of the PlugX backdoor in an ongoing campaign tied to the war in Ukraine. The group, also known as RedDelta and TA416, has previously been observed targeting entities associated with diplomatic ties between the Vatican and the Chinese Communist Party, as well as other critical sectors in Asia, Europe, and the United States.

The group has been observed sending phishing emails containing links to malicious Zip files hosted on Dropbox. If the files are opened, the infection chain eventually leads to the execution of PlugX on the victim’s device. Web bugs are used to profile recipients before different PlugX payloads are delivered through malicious URLs. Previously, DLL search order hijacking was used to deploy PlugX; in newer operations the threat actor has shifted to using potplayermini.exe as the host binary that starts the hijacking process. In addition, the attackers have improved the encoding of their malware and extended its configuration options.
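A detection heuristic for the side-loading step described above, written here as an added example and not taken from the advisory: it scans constructed Sysmon-style image-load records and flags potplayermini.exe loading a DLL from its own directory when that directory is one an ordinary user can write to. The record field names, the sample paths and the DLL name "player.dll" are assumptions.

```python
import ntpath

# Constructed sample telemetry (not from the advisory): Sysmon-style image-load
# records reduced to the process image path and the DLL it loaded.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\Downloads\Invite\potplayermini.exe",
     "loaded": r"C:\Users\alice\Downloads\Invite\player.dll"},      # planted DLL beside copied host
    {"image": r"C:\Users\alice\Downloads\Invite\potplayermini.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},                 # OS DLL, expected
    {"image": r"C:\Program Files\PotPlayer\potplayermini.exe",        # assumed install path
     "loaded": r"C:\Program Files\PotPlayer\player.dll"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\notepad.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\player.dll"},     # different host binary
]

HOST_BINARY = "potplayermini.exe"
# Directory roots an ordinary user can write to; a legitimate install lives elsewhere.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_suspicious_sideload(event: dict) -> bool:
    """Return True when the host binary loads a DLL from its own, user-writable directory.

    Side-loading relies on the loader searching the executable's directory first,
    so the planted DLL sits beside the copied host binary. DLLs resolved from the
    Windows system directories are normal and are not flagged.
    """
    image = event["image"].lower()
    loaded = event["loaded"].lower()
    if ntpath.basename(image) != HOST_BINARY:
        return False
    if loaded.startswith(SYSTEM_DIRS):
        return False
    proc_dir = ntpath.dirname(image)
    same_dir = ntpath.dirname(loaded) == proc_dir
    user_writable = proc_dir.startswith(USER_WRITABLE)
    return same_dir and user_writable


def scan(events: list) -> list:
    """Return the events matching the side-loading heuristic, in input order."""
    return [e for e in events if is_suspicious_sideload(e)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT T1574.002 DLL side-loading:", hit["image"], "->", hit["loaded"])
```

Only the first record trips the heuristic; a copy of the host binary in Program Files or an OS DLL from System32 stays quiet, so the rule keys on location rather than on the binary name alone.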

The TTPs commonly used by Mustang Panda are:

Tactics:
TA0042 – Resource Development
TA0001 – Initial Access
TA0002 – Execution
TA0003 – Persistence
TA0004 – Privilege Escalation
TA0005 – Defense Evasion
TA0006 – Credential Access
TA0007 – Discovery
TA0008 – Lateral Movement
TA0009 – Collection
TA0011 – Command and Control
TA0010 – Exfiltration

Techniques:
T1583.001: Acquire Infrastructure: Domains
T1071.001: Application Layer Protocol: Web Protocols
T1560.001: Archive Collected Data: Archive via Utility
T1560.003: Archive Collected Data: Archive via Custom Method
T1119: Automated Collection
T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1059.001: Command and Scripting Interpreter: PowerShell
T1059.003: Command and Scripting Interpreter: Windows Command Shell
T1059.005: Command and Scripting Interpreter: Visual Basic
T1074.001: Data Staged: Local Data Staging
T1573.001: Encrypted Channel: Symmetric Cryptography
T1546.003: Event Triggered Execution: Windows Management Instrumentation Event Subscription
T1052.001: Exfiltration Over Physical Medium: Exfiltration over USB
T1203: Exploitation for Client Execution
T1083: File and Directory Discovery
T1564.001: Hide Artifacts: Hidden Files and Directories
T1574.002: Hijack Execution Flow: DLL Side-Loading
T1070.004: Indicator Removal on Host: File Deletion
T1105: Ingress Tool Transfer
T1036.005: Masquerading: Match Legitimate Name or Location
T1036.007: Masquerading: Double File Extension
T1027: Obfuscated Files or Information
T1027.001: Binary Padding
T1003.003: OS Credential Dumping: NTDS
T1566.001: Phishing: Spearphishing Attachment
T1566.002: Phishing: Spearphishing Link
T1057: Process Discovery
T1219: Remote Access Software
T1091: Replication Through Removable Media
T1053.005: Scheduled Task/Job: Scheduled Task
T1218.004: Signed Binary Proxy Execution: InstallUtil
T1218.005: Signed Binary Proxy Execution: Mshta
T1518: Software Discovery
T1082: System Information Discovery
T1016: System Network Configuration Discovery
T1049: System Network Connections Discovery
T1204.001: User Execution: Malicious Link
T1204.002: User Execution: Malicious File
T1047: Windows Management Instrumentation

Actor Details

Indicators of Compromise (IoCs)

References
