
Mustang Panda Implements Worm-Driven USB Attack Strategy for Feeding


Chinese state-sponsored threat actor Mustang Panda has resurfaced with a new malware campaign that uses self-propagating techniques through USB drives to further its cyber-espionage objectives. This group, known for its extensive cyber espionage activities, has targeted various government entities in the Asia-Pacific region using spear-phishing tactics to distribute malware, as reported by Trend Micro researchers on Sept. 9.

The use of malware-loaded USB drives has seen a resurgence amidst the COVID-19 pandemic, with Mustang Panda leveraging this method as a primary infection vector to infiltrate systems and exfiltrate data. The threat actor, also known as Camaro Dragon, Bronze President, Luminous Moth, Red Delta, Stately Taurus, and Earth Preta, has been collaborating with other Chinese actors on coordinated attacks, focusing mainly on cyber espionage efforts.

In their recent campaign, Mustang Panda introduced a new malware called PUBLOAD through a self-propagating variant of the HIUPAN worm, along with other tools like FDMTP and PTSOCKET, to control systems and steal data. The threat actor also launched a concurrent spear-phishing campaign targeting government organizations, including military, police departments, foreign affairs and welfare agencies, executive branches, and public education institutions. This fast-paced approach allows the group to infiltrate systems and extract data swiftly, leaving victims unaware of the intrusion until it’s too late.

Trend Micro researchers Lenart Bermejo, Sunny Lu, and Ted Lee highlighted the highly targeted and time-sensitive nature of Earth Preta’s attacks, particularly within the APAC region, where the group focuses on specific countries and sectors. The evolution in the group’s tactics is evident in the use of self-propagating worms via USB drives to distribute malware and achieve persistent control over targeted environments for data exfiltration.

The spear-phishing campaign observed by researchers in June delivers a multistage attack using malicious attachments to download and execute various malware components, culminating in the deployment of a backdoor called CBROVER. Mustang Panda’s exploitation of Microsoft’s cloud services for data exfiltration adds another layer of sophistication to their tactics. Countries likely targeted in these attacks include Myanmar, the Philippines, Vietnam, Singapore, Cambodia, and Taiwan.

As Earth Preta continues to be active in the APAC region, researchers advise maintaining vigilance and implementing updated defensive measures to defend against these increasingly sophisticated tactics. The list of indicators of compromise provided by the researchers serves as a guide for organizations to detect and mitigate potential threats from Mustang Panda and its cohorts. The group’s persistence and adaptability suggest that they will remain a significant threat in the foreseeable future.
