Avast recently spotted a unique stager sample, allegedly used by Mustang Panda. An analysis of the distribution point revealed malicious toolsets that serve as temporary storage for tons of exfiltrated data.

Diving into details

The distribution point is an FTP server that is a transition point for the variety of data exfiltrated daily, including webmail, recordings, and documents. 
  • The primary targets include the Burmese government and victims associated with Myanmar. The hackers were found dumping Asian, European, and American passports belonging to diplomats and citizens applying for the Burmese visa. 
  • Other targets include the Office of the State Administrative Council, Myanmar Police Force, the Office of the Information Police Chief, the Department of Special Investigation, Myanmar Armed Forces, the Bureau of Air Defense, the United Wa State Army, and Myanmar Army Engineering.

Previous campaigns - what’s the connection?

  • The researchers discovered similarly or matching files with Hodur, the Korplug variant. This campaign targeted multiple government agencies in Myanmar, Vietnam, and Mongolia. 
  • Other samples were found sharing similarities with campaigns by the LuminousMoth group, another Chinese APT. Similarities exist in the usage of the same binaries for sideloading and the same exfiltration pattern. However, the usage of a USB launcher written in Delphi was the most common pattern, which has been attributed to Mustang Panda. 
  • In some cases, researchers found slight links to older campaigns, such as Operation NightScout or Operation Harvest. Since the specific payloads vary significantly, some of the samples could be attributed to Mustang Panda with high confidence.

The bottom line

Mustang Panda is a notorious APT group and the discovery of such a volume of samples used to propagate malware is concerning. While the tools in the gang’s arsenal are mostly simple, some require further analysis and are more complicated. The attackers have been targeting high-profile Burmese entities, along with the opposition and some NGOs. The researchers warn that due to the high volume of exfiltrated data and the language barrier, the list of targets is incomplete and hence, Myanmar should be careful.
Cyware Publisher