A sophisticated threat actor known as Mustang Panda has been implicated in a wave of spear-phishing attacks directed at key sectors including government, education, and research from May to October 2022. According to a recent report by cybersecurity firm Trend Micro, the targeted regions include countries in the Asia Pacific, such as Myanmar, Australia, the Philippines, Japan, and Taiwan.
Identified under several aliases including Bronze President, Earth Preta, HoneyMyte, and Red Lich, Mustang Panda is believed to originate from China and has been active since at least July 2018. The group is notorious for employing malware such as China Chopper and PlugX, which allow it to harvest sensitive data from compromised systems.
Evidence of Mustang Panda’s activities has been documented by cybersecurity organizations including ESET, Google, Proofpoint, Cisco Talos, and Secureworks, which note the group’s consistent use of PlugX and its variant, Hodur, to infect a broad spectrum of targets across Asia, Europe, the Middle East, and the Americas. Trend Micro’s latest analysis indicates that the group has adapted its techniques to circumvent detection, highlighting its use of custom malware families such as TONEINS, TONESHELL, and PUBLOAD.
According to researchers, Mustang Panda has exploited counterfeit Google accounts to spread malware through spear-phishing emails, often embedding these malicious payloads in archive files hosted on Google Drive. The initial phase of these attacks typically involves enticing targeted organizations to download these files disguised as politically sensitive documents, a tactic designed to enhance the success of the phishing campaign.
In certain instances, the phishing emails originated from previously hijacked accounts belonging to targeted entities, showcasing the lengths Mustang Panda is willing to go to in order to increase the efficacy of its operations. The stealthy execution of these attacks is made possible through DLL side-loading techniques: a legitimate, trusted executable is tricked into loading a malicious DLL placed alongside it, which activates the malware in the background while an innocuous decoy document is displayed to the user.
The culmination of these attack chains is the deployment of three distinct malware families: PUBLOAD, TONEINS, and TONESHELL. The last of these serves as the main backdoor and is installed through TONEINS; earlier iterations of this malware have been identified as far back as September 2021, indicating ongoing refinement by the threat group.
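Because the article describes DLL side-loading only at a high level, the following is an added defender-side example (not code from the article or from Trend Micro) that shows the kind of heuristic a detection engineer can run over image-load telemetry to surface it. The event schema, file paths, signing flags and the small list of commonly side-loaded system DLL names are assumptions constructed for the example; a real deployment would map them onto whatever EDR or Sysmon (Event ID 7) fields the organization collects.

```python
"""Heuristic triage of image-load events for DLL side-loading indicators.

Added example, not the page's or Trend Micro's code. The ImageLoad schema and
all sample paths below are constructed for illustration.
"""
import ntpath  # Windows path semantics regardless of the host running the script
from dataclasses import dataclass
from typing import List, Tuple

# Directories where system DLLs legitimately live (assumption: default install).
TRUSTED_DLL_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

# Locations an unprivileged user (or a phishing payload) can write to.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Well-known system DLL names that a benign process should resolve from the
# system directory; seeing one loaded from elsewhere is a classic side-load tell.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll",
                     "userenv.dll", "cryptbase.dll"}


@dataclass(frozen=True)
class ImageLoad:
    """One image-load event (constructed schema, loosely modelled on Sysmon ID 7)."""
    process_path: str
    process_signed: bool
    dll_path: str
    dll_signed: bool


def is_user_writable(directory: str) -> bool:
    return directory.lower().startswith(USER_WRITABLE_PREFIXES)


def side_loading_indicators(ev: ImageLoad) -> List[str]:
    """Return the list of side-loading indicators present in one event (empty = clean)."""
    proc_dir = ntpath.dirname(ev.process_path).lower()
    dll_dir = ntpath.dirname(ev.dll_path).lower()
    dll_name = ntpath.basename(ev.dll_path).lower()
    reasons = []

    # 1. The DLL sits next to the executable in a directory the user can write to,
    #    exactly the layout produced by unpacking a phishing archive.
    if dll_dir == proc_dir and is_user_writable(dll_dir):
        reasons.append("DLL loaded from the executable's own user-writable directory")

    # 2. A signed (trusted-looking) host process pulled in an unsigned module.
    if ev.process_signed and not ev.dll_signed:
        reasons.append("signed host process loaded an unsigned DLL")

    # 3. A system DLL name resolved from outside the system directories
    #    (search-order hijack of a dependency the host binary expects).
    if dll_name in KNOWN_SYSTEM_DLLS and dll_dir not in TRUSTED_DLL_DIRS:
        reasons.append(f"{dll_name} expected under a system directory but loaded from {dll_dir}")

    return reasons


def triage(events: List[ImageLoad]) -> List[Tuple[ImageLoad, List[str]]]:
    """Keep only events with at least one indicator, paired with their reasons."""
    hits = []
    for ev in events:
        reasons = side_loading_indicators(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry: one benign load, one textbook side-load from a
# downloaded archive, and one unsigned tool loading its own plugin.
BENIGN = ImageLoad("c:\\program files\\vendor\\app.exe", True,
                   "c:\\windows\\system32\\version.dll", True)
SIDELOAD = ImageLoad("c:\\users\\alice\\downloads\\report\\viewer.exe", True,
                     "c:\\users\\alice\\downloads\\report\\version.dll", False)
LOCAL_PLUGIN = ImageLoad("c:\\users\\bob\\appdata\\local\\tool\\tool.exe", False,
                         "c:\\users\\bob\\appdata\\local\\tool\\plugin.dll", False)
SAMPLE_EVENTS = [BENIGN, SIDELOAD, LOCAL_PLUGIN]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(f"{ev.process_path} -> {ev.dll_path}")
        for r in reasons:
            print(f"    - {r}")
```

The three indicators are deliberately scored independently: the downloaded-archive case trips all three and deserves an immediate look, while an unsigned utility loading its own unsigned plugin from a user profile trips only the first and is better handled by allow-listing than by alerting. Indicator 3 is the one most worth tuning per environment, since the set of DLL names that legitimate software ships alongside itself varies.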
Researchers emphasize that Earth Preta, synonymous with Mustang Panda, is adept at constructing proprietary loaders in conjunction with established tools like PlugX and Cobalt Strike to facilitate breaches. Once the group penetrates a target’s defenses, the sensitive data it harvests can, in turn, serve as leverage for subsequent attacks, drastically widening its operational impact in the affected regions.