Go to listing page

China-based Mustang Panda APT Targets Governments, NGOs, and Telecoms Globally

China-based Mustang Panda APT Targets Governments, NGOs, and Telecoms Globally

Share Blog Post

Origin: 2010

Aliases: Bronze President, HoneyMyte, Red Lich, TEMP.HEX, TA416, RedDelta, LuminousMoth, PKPLUG 

Key Target Sectors: NGO, Government, Telecommunication 

Attack Vectors: Spear-Phishing, Spam Email, DLL-sideloading, Luring

Target Region: North America, Western/Eastern Europe, Southern Asia, Central Asia, Eastern Asia, Africa, Oceania

Malware Used: PlugX, Hodur, Toneins, ToneShell, PubLoad, Poison Ivy

Vulnerabilities Exploited: CVE-2021-26855, CVE-2021-27065, CVE-2017-0199

Tools Used: Cobalt Strike

Overview

Mustang Panda (aka Bronze President) is a cyber espionage threat actor based in China. Like many other APT groups, Musang Panda is recognized by several names, such as HoneyMyte, Red Lich, TEMP.HEX, TA416, RedDelta, LuminousMoth, and PKPLUG. Its goal apparently is to provide China with the necessary intel to avoid bad press or influence policies in other nations. For instance, during the Russia-Ukraine war, the threat actor targeted European organizations via documents carrying topics and news related to Russia’s attack on Ukraine.

The threat actor is believed to be conducting operations since at least 2014, however, it was first spotted in 2017. The group is highly agile and keeps updating its attack tactics based on the change in objectives or the threat landscape. It is presumably one of the most active Chinese APT groups at present.

Attack Methods

Mustang Panda has been observed sending phishing emails with malicious document attachments as an initial infection vector. These documents are designed to mimic genuine documents related to the targeted government, NGO, or government entity. Upon gaining a foothold within the network of a target organization, hackers deploy a variety of payloads, such as Poison Ivy, Cobalt Strike, or PlugX, in their campaigns. Moreover, the threat group is capable of developing its own custom malicious loaders.

Below is the timeline of a variety of attack tactics the threat group has attempted so far:

2018
  • The threat group was found to be capable of rapidly incorporating new tools and tactics into its operations, as was observed by its use of exploit code for CVE-2017-0199 just a few days after public disclosure.

2020
  • During the height of the COVID-19 pandemic, Mustang Panda impersonated trusted bodies, such as the WHO, in phishing emails and claimed to offer free protective equipment and supplies to potential victims.
  • In June, the group was observed using Cobalt Strike with a jQuery C2 profile to download the final payload. It used fake resumes as lure documents in spear-phishing emails.
  • Next month, the group used spear-phishing emails laden with Windows executables enclosed in ZIP and RAR archives. 
  • In a different attack, it used a malicious DLL file that installed malware using DLL-sideloading. The final payload dropped was PlugX.

2021
  • In March, Mustang Panda was observed exploiting a Microsoft Exchange Server via one of the most severe and impactful chain of ProxyLogon bugs (CVE-2021-26855, CVE-2021-27065). In addition, the attackers used a living-off-the-land technique and used trusted binaries to evade antivirus detection. For instance, it was observed using the Microsoft Windows binary bitsadmin[.]exe to sharpen its attacks without raising any red flags.
  • In June, the group allegedly hacked the website of the Myanmar president’s office and planted a backdoor trojan in a localized Myanmar font package available for download. In December, the threat group was observed using the PlugX malware through USB drives to transfer data from air-gapped networks.

2022
  • In March, the APT group targeted European entities with lures associated with the Ukrainian invasion. The same month, the threat group was observed using web bugs to target victims before delivering malicious URLs used for installing a variety of PlugX malware payloads (such as Hodur). 
  • In April, cybercriminals used phishing lure documents written in English (but files named in the Russian language), supposed to be published by the European Union, and had details related to sanctions against Belarus.
  • In May, Mustang Panda hackers were observed using phishing emails to deliver fake official European Union and Ukrainian government reports that downloaded malware onto targeted machines.
  • In November, the threat group abused fake Google accounts to spread the malware via spear-phishing emails. The malware was embedded in an archive file (RAR, ZIP, JAR) and spread through Google Drive links. Users were then lured into clicking the malicious links, eventually downloading malware to execute Toneins, ToneShell, and PubLoad. 

Attack Profile

Since its inception in 2017, the threat group has spread its wings to target government entities, nonprofits, religious, and other Non-Governmental Organizations (NGOs) in the U.S., Europe, Myanmar, Mongolia, Vietnam, and Pakistan. Moreover, its strains have been found in the networks of NGOs and government agencies in Mongolia and the European region.

Attack Timeline

  • 2017
  • When Mustang Panda was just an unidentified threat group in 2017, it targeted a U.S.-based think tank. Further study revealed that the threat group has been targeting NGOs but using decoys and themes in the Mongolian language.

2020
  • In July, the group targeted members of the Hong Kong Catholic Church by impersonating communications from Vatican officials or news articles from the Union of Catholic Asian News.
  • In September, Taiwan's CERT observed the threat group impersonating medical authorities to attack the country's tech industry. 
  • In November, the attackers imitated journalists from the Union of Catholic Asia News.

2021
  • In June, it hacked the website of the Myanmar president’s office and planted a backdoor trojan. 
  • In July, it targeted hundreds of victims from Myanmar and the Philippines government. 
  • In December, it targeted government and private-sector organizations in Southeast Asia.

2022
  • Since early 2022, the threat group has been targeting entities across the European Union, Asia, the U.S., and Russia. 
  • In March, it targeted European entities with lures related to the Russian invasion of Ukraine. Most of the victims were located in East and Southeast Asia, Europe, and Africa. The targeted sectors include ISPs, research entities, and European diplomatic missions. 
  • In April, the threat group was observed targeting Russian officials with fake reports. 
  • In November, a wave of spear-phishing attacks was observed targeting the government, foundations, research, and academic sectors across the world. The malware families used in the campaign exhibit a connection with the Earth Preta (aka Mustang Panda).

Prevention

Mustang Panda is infamous for baiting its victims via spear-phishing email campaigns with geopolitical subject lines. Security teams are recommended to educate employees about how to handle suspicious emails as the first line of defense against cybercrimes. Besides, have you adopted a Threat Intelligence Platform (TIP) yet? Cyware Threat Intelligence eXchange, the industry’s most advanced TIP,  helps you step up your defense strategy through threat intel correlation and enrichment using intel generated from internal and external intel sources.

For instance, in the case of threat actors such as Mustang Panda, Cyware Threat Intelligence eXchange (CTIX)’s will help you gain comprehensive insights into the TTPs of the threat actor and automate proactive actioning on high-fidelity IOCs even before the attacker strikes.

Additionally, the CTIX platform uses a hub and spoke model of sharing information, enabling security teams to collaborate with ISACs, business units, subsidiaries, and vendors to share threat intelligence and proactively stop attacks.

Conclusion

Mustang Panda has a long history of targeting nations throughout Southeast Asia, however, the threat group has successfully left its imprints in other regions, including Europe, Central Asia, and North America. Experts surmise that the group will remain a potential threat in the future as well. To stay protected, organizations are suggested to stay vigilant for any possible attacks and be ready with adequate countermeasures.

Indicators of Compromise


November 2022
Distributed links
https[:]//drive[.]google[.]com/uc?id=1pJR6hvEcdZFNPS9BIuw2Egcp_gb-pvLR&export=download
https[:]//drive[.]google[.]com/uc?id=1t0Cxanp-cm9bOyOfrfu5BN1ya2CZs-3q&export=download
https[:]//drive[.]google[.]com/uc?id=12ZEERd58S25zxAWUF5tiBSPOswYgtU2j&export=download
https[:]//drive[.]google[.]com/uc?id=1OGNqBZNG57STWtoTIUwoBMFDIcu9AMh1&export=download
https[:]//drive[.]google[.]com/uc?id=1BG0F1NdkPZOY6w2Y0YEs6nMGYLvSJiQo&export=download
https[:]//drive[.]google[.]com/uc?id=1mQGqtxR8XzafPalD7hEUBZw-LHtPHeAG&export=download
https[:]//drive[.]google[.]com/uc?id=1mhv6sOKU1OmqrX3PRB7fme-STM8wCMw4&export=download
https[:]//www[.]dropbox[.]com/s/8zswaln4nm0neap/Action%20Plan%202022.zip?dl=1
http[:]//103[.]75[.]190[.]224/Enable_Adobe_Flash_Player[.]zip
https[:]//drive[.]google[.]com/uc?id=1xr-NUG2el_8wI6Lnvkp-q17rV3C_vxoC&export=download
https[:]//drive[.]google[.]com/uc?id=1fMn9S7VIn8BszBL-VcNdJF8SkKzwTRov&export=download
https[:]//drive[.]google[.]com/uc?id=14topBrJNM5J1m4h2bO3ihi5M6apWnx8S&export=download
https[:]//drive[.]google[.]com/uc?id=1aTbT-p28UK-KaYttQT3nIdynHnVdPS6w&export=download
https[:]//drive[.]google[.]com/uc?id=1roe1BE_Riy7AVbqtJZUxKTHkNvs3yn3a&export=download
https[:]//drive[.]google[.]com/uc?id=1g36jBkVLHubXsKrf9MaUkbRwBYv6Iu7-&export=download
https[:]//drive[.]google[.]com/uc?id=1UHAuqp6a3qNZfzF51-p3XBDYMkG77aYL&export=download
https[:]//drive[.]google[.]com/uc?id=1zlvioLjo9HjTVqP0fDBrkQnJACW9HABf&export=download
https[:]//drive[.]google[.]com/uc?id=1qWMPrQ_s55Y__9mBIRR1-Nw6oQiFdMII&export=download
https[:]//drive[.]google[.]com/uc?id=1072qv4eeKRZLRfiSsx0OfrRzBLk2f0Xe&export=download
https[:]//drive[.]google[.]com/uc?id=1KJ702ReZ_C_Z6sHzd2W1hciHjhSd9pH&export=download
https[:]//drive[.]google[.]com/uc?id=19eGOwbQZU8Qtvt2t5kqPdvRY7S_1N504&export=download
https[:]//drive[.]google[.]com/uc?id=1A6JFwcE0s9KFdLkdABgZmnavH709XCtM&export=download
https[:]//drive[.]google[.]com/uc?id=1PSKh4XIMoPCsLmsUvmqWJ67lyoQuOBgZ&export=download
https[:]//drive[.]google[.]com/file/d/1S6WhR8iIXTsKxroU6tY_PlJhDlA_0r_-/view?usp=drive_web
https[:]//drive[.]google[.]com/uc?id=1tf0_WX1Qak84rfylGEoo4YvlYU5Dd5vA&export=download
https[:]//drive[.]google[.]com/uc?id=1_kYWY8u9mLqNBfBQh53ZQSxAPFB_hWaf&export=download
https[:]//drive[.]google[.]com/uc?id=1vQWG_GdVcqM_pp_UbbEysuC_AGr4flFP&export=download
https[:]//drive[.]google[.]com/uc?id=1oyY0Fda3sqnogAIQQdkr3yDko5RJX67E&export=download
https[:]//drive[.]google[.]com/uc?id=1qKHgooWqJaaPxtEaPDbhaL0oD_NheOi6&export=download
https[:]//drive[.]google[.]com/file/d/1zHRbWBx1ZXNMetm7RxawRS2b55yF6337/view?usp=drive_web

SHA256
c0b9438186e27a1ebba214724a35195ce1f3fea41b6c0b69a10c649688371ec3 72b870a6914798b75bd45e483a47bf1c6eabd185ea577b621a23242a13ec58df 186c3d32b3674faaf2c59b780ec2e5aeedc48199beae07c69e7cc14180c3683b 1ba12162a50fd5acbb38d9d0a99efb3b43358457e3279b86954dfff39b5cde4d d8f54575aff075268200250b3ed4af1da894db2199432b7110605003c6afba4a 492fd69150d0cb6765e5201c144e26783b785242f4cf807d3425f8b8df060062
6478cbb620e1a6fe1fb7e9e15b37fdc10668aa5bf2c825b8cd65b129e6443e60 f2b10278aaa2dfc4344119551f624679b5a3d2501b39ec989b87690e0d357f42 dcefa4f651108d8371806403da4be9675797940faa580cc64f83116517c55ca7 ef3966d15af3665ee5126df394cefdf6f78fce77db7a70d5f35c19c234715035 2f2a8a001072f14c066bea15388af2155b02e0046180e450268db6bcdafa6e5a 262c6ad46bacd268900008d6cd32ea5bcfe032ffc0bf82e838e234cdca374d64 b2a86c5e1f0812483b0fdbde162457fd7ee71809a8a03c72762c037b1430115e 9ef78cdd09a9b6ddb095e2474d9b888f2d4854a1324c46ec1db368dde390fddc 064fe5bc15828693ac62cfd7e83f705d734e2554d2ff8ed82f701864512e7624 5d5c6d118ee90fe675a7d7bb8af9640bcc76caff9b2ebead4d06f74654f56260 536fa7a7bcc7ba39da329a1656a2ac0448a9f01885bf48de6f15f554ce7994ac 8912199477e11df4409f6400ceb7c0e4a91ce77679948372d7d81e07dec68942 229508972ad52e0ae1ff2d74fc70ebefd8b816e212ced849fbe6c1c2a1350ef6 447a62c7e29e2da85884b6e4aea80aca2cc5ba86694733ca397a2c8ba0f8e197 1ffee8c9aee944f72aa595c8feb7c745d0a509ca9542e26993076d2052474fc9 575bffe2a79606bbd91b6bb67224c2efda4fe34b4ce284996cfbf14c1cc79e0e aa2a59cbe6f82fb3a0df1e676cb7f5e098133f1f03e595aa28c40a01d0ad5ebd 04ad7451ee9e7e7fca594adb8d68644943255e3dde6f79d0f49b567420148867 dc95ea503b3b2085b24471b96c33bbcdf057baa3970a4080f965033ee862d4f0 ee3b19071abcdeeb47199b60764ae382d21b39633f9755e90abec8fdc0db5ef0 431c9d4093a2def74a5e6a08b749455cb398ceab6cc887593b1d342f803e2027
05d310c386edcd277b69d4ee8b956d710b966eca961a512f01dc9503a8eae0b6 2ec0031743443ab69d38d6d3a8b39824a5ae804bbece8cdfc0c6c691fce31349 fdd77d852e2f9fb34724c0ebb5c22acf655fb2787d91c24a7040822aa81b1c81 a0fb562c8a2697a6d981cd281e661bd88fcec23cce34c9d31d081a942e8a45fe

Trojan.Win32.TONEINS
SHA256
9b6c76fa7518727d0031d4df694fb934dd5619a64a736d1643e56d89d32dc428
6b452b2b1c68fe9957f6b2371898fe39a820cf3b5a6f338f5fb2f9639aaf886e d16b3f4cd6271c613a2c9184242b76df96cac0985bf9c4ff330f75e831c1e8f9 21056092f307fdc39c04459f0caf2402c632cc9270b40a6b9449b0bd7f5047bf 510ac911c71704d21f5363441571af6f93ab11810aa0900bfc558494521015cf fde817b21f7495a28616609b0a87703bf1eb4a2b7c04ef7982d4610166b81eea 37367b193e5c927976472655d3de5684d3cf3bbb7bccdb380f336d1771a49017 a54152723492d3efd9e2fbf64d6d8599766962d001cc0f21450bfa956862fbf4 fa5c1ae296c7d25701a91d8e390b1187481a5143fb10c4c3935a547e6c792d76
4fe16d20796fb1b1803d4862e74bfee25b77f62a664ae7cb060421a185da8709
22ab2ec8793d9e51b28a033f7b60fc33c6d7e943f15883913654bff81f6c28eb 65d2406d9149f6a55a8550ffc72a5ccf1866e293801e9348f1df08a846423fb2
d608e9c9892303fc5c551611d028e6994a198dd77cc4d529911961d10bb4b204 ce87ae6962e28bb7f904d448d62b0101547dc8cdf37f095a546eb899bfcec5cc e6e291dc2906b2167143e3b9b433696f52ae6a95d687f3c72e2f752928fa41ef
1a30f00ce5b8ce1f05a7938ada8c85e130f25986efcc61432c28a5bc29c47d90
21f79743184783aeee30bfb06cb585f6b258459a329d07942f5f743d47708e05 28f9661d8e89741574a39d57b5602f5662ec7950b721d7eb2f91e84e7040ce3b

Backdoor.Win32.TONESHELL
SHA256
5a70f5b647ecc08bb8556a22f464a89d8d1e5ce535d84cf6162bea0434a7358a 21cc217f89008f3f0fbae731671fe4927c9047f59ff3100c7dadf03e62139874 78c70e6531ab86934d5dca8f100084b326ed0ab74541b1535f4bb7431bfea728 f731b25c32963507d307255237d4c52095c5714ef15cdcf6f923bb47d717e95f 02b52914afd13e1c91be5c61936c81a24ce3b4b0de4132d3ac96c5afd254716e
0f220ebbab71a8568eb0dfff22ea8c77cc05653580dc02ba86ca430c25f285ef 41a9207db41c21c871109514d45a846b00afedbf82e0f31e989460bfe20a1c81 f1aa3e3b09a8c84cbfaaaef076b3e19a79bb1a82ee5905a2358bc4d2167225de 030aedf498ee37fc9722238e43fd39f5cb984f0e6a86915d30eda69921de0d76 8f3a28336793f619d1ccd4974059ccfbf93be61cd05240d807ca94d42adeb101 033065cf18592ed41714866b1fc43aa9da55b46f13e4cbc60e8d027699baffe0
00b9d01d103f85170142e0f045a1943b10dfcc9d86a935d8853c6336d7055784 5ca7ccd312871a20cc5a35e3b115266fe8a9ceb3470844597d73a0ed8013c2b7 efd1a86330cecba5d8d038fba65ac8e76955ed724986aa87cd6ca9f72f6941c7 f8275f6f78618cb1de4fc4d0d288c5aa2967de74375cc82aa98d0392c71d537a 8c83975a37abdf726c0752d853224f594ab39b9fa167103fcfb7e797d027a0dc d79832bd6904f02c09094c0a6c3fd176c42727868138ebe2d3fada581d2da50a ecbe91ab9cf171411ef23ffa031e26be254e28b3bab698b8ec169bdc15a61c6b

Trojan.Win32.PUBLOAD
SHA256
c52828dbf62fc52ae750ada43c505c934f1faeb9c58d71c76bdb398a3fbbe1e2 966ab1c468e3fc7d8d8b2d73a9ca9a85d352a0db8043c5eab36dd304a5915812 cfa33741054fa661525cbff8375a17e5c91d7411a9c18f78c7d0cdf8a24ab207 f99560a6a6bcf3f0c4dbe5d3957e942eb4dfa88f5e9d59efa6ba017f5f626c31 10a746434abb8428c6b6a411d4dc069a89988a17a042e7f63fbfa867f3013cb3 b7c7d90d4fd0917f2ed1d60ee334f8077d9b6620bb4b52aab76c67d2db642dc7 ef54e266f8fc9eb97d71c76f2a53b65bef83fe5fc270fbfe83463f83678ff44c 1aafbe976c3559b61531910c75f9bb90176641f565f9810a18dcde9564241164 cd697ed22e3ece7ef2e203c28c297d7be0b5ef862c2fd1a0c2f9b0fd3cc4e90a 891335282ff2d45689cec8066eb5ed9167297e8d989529e8dc33e9ee1a7d4f86 df84d6c284dd39c2bfed6f8eb26149a4154396c27de50595ed5d80b428930dcd

C&C servers
89[.]38[.]225[.]151
103[.]15[.]29[.]179
202[.]53[.]148[.]24
103[.]15[.]28[.]208
202[.]58[.]105[.]38
98[.]142[.]251[.]29
202[.]53[.]148[.]26

Abused legitimate executables
SHA256
4761183bc8bff993a5551916eda73c84bb8f9eadd24c4c19587045bb91609a83 cb8a83b590893daa9b02b8e1a1c9afb68d6f2a82c9e0d2d2c63a36a510f6fda3
f11009988b813821857c8d2db0f88e1d45b20762f62a3cf432339f352b12cefe 404c4ab8ea4d0c05ac78038a7addb045861706832ea3a51dec8c39cfc15017d3 1442420937e6276905197078ae1b251a2e93eb42a40bbd6e6c8d9a981945391f f5dd40ed8b156d254c3c0daf6a770a1718848b6e21a911238f7ae2d08e16f4ab 765bca508d96c012d246ed92355ff4c287a201b61c9e4a3b3d19f855a2f6efc3 ff2be9643a7df7241768e7e439524d11618f2b8a8fbe47f2e94d6453b0e04dae b3f1c0bb367ef35c76ba11730a815bd5ecafcef4594f6724da18c1f4b99cede4 8cfb55087fa8e4c1e7bcc580d767cf2c884c1b8c890ad240c1e7009810af6736 52d617b4d5b7d04dd2394d4bb3ccc834b805d836ee50a8f3407de2d80a52b35e
2fc14451ef0ff0919995d46fedc7b7c7f9a9adbf9c40f6b36b480e637d581e6b 6a424a15d553d307d26d3d33f875a9a69117edfebe32bd2712b5750d98967353 412230d27ace8ecf6aa4aaab24c9aa4677e5831e2c2b74a27dab9265c3068781

Text/Comment
x and Taiwan

May 2022
SHA256
bee9c438aced1fb1ca7402ef8665ebe42cab6f5167204933eaa07b11d44641bb
dbdbc7ede98fa17c36ea8f0516cc50b138fbe63af659feb69990cc88bf7df0ad
18230e0cd6083387d74a01bfc9d17ee23c6b6ea925954b3d3c448c0abfc86bd2
19870dd4d8c6453d5bb6f3b2beccbbbe28c6f280b6a7ebf5e0785ec386170000
1d484ada6d7273ca26c5e695a38cb03f75dee458bcb0f61ea81a6c87d35a0fa0
668cc21387e01b87c438e778b3a08c964869ce2c7f22c59bcde6604112d77b2e
8a7fbafe9f3395272548e5aadeb1af07baeb65d7859e7a1560f580455d7b1fac
effd63168fc7957baf609f7492cd82579459963f80fc6fc4d261fbc68877f5a1
19870dd4d8c6453d5bb6f3b2beccbbbe28c6f280b6a7ebf5e0785ec386170000
6019e6ee3dee2ec798667ccb34a2ab8d70bf5960d35f55157a9cb535b00b243f
436d5bf9eba974a6e97f6f5159456c642e53213d7e4f8c75db5275b66fedd886
82df9817d0a8dca7491b0688397299943d9279e848cdc4a5446d3159d8d71e6f
ca622bdc2b66f0825890d36ec09e6a64e631638fd1792d792cfa02048c27c69f
a0e1a9d45ab7addf3762d3b872f6b21e8ce41a7ff290f5b8566a39d9ca51b09a
a07cece1fa9b3c813c0b6880b24a6494a9db83e138102da3bce30ebff51909c0
492fd69150d0cb6765e5201c144e26783b785242f4cf807d3425f8b8df060062
2fc14451ef0ff0919995d46fedc7b7c7f9a9adbf9c40f6b36b480e637d581e6b
94c5c12e03ce6694bdfb5053540f53942640e2aeea22f8ef7d4bc0066b594bca
1aafbe976c3559b61531910c75f9bb90176641f565f9810a18dcde9564241164
7ded20b7d2c0428641a6ac272c15b444b37bf833bbbea09dc931d649e6dc5277
76da9d0046fe76fc28b80c4c1062b17852264348fd873b7dd781f39491f911e0
e1dbe58393268d7ddabd4bed0cdedf0fbba85d4c3ef1300580ed4c74e147aa61
fac8de00f031299f6c698b34534d6523428b544aad6a40fdc4b000a04ee82e7
16dd94c228b5e2050d01edfe4849ca1388e9b3f811d39380f6ada3e75c69b353
6fd9d745faa77a58ac84a5a1ef360c7fc1e23b32d49ca9c3554a1edc4d761885
706e53480da95b17d0f9f0f5dc37a50c7abc3f954ce15b4733fd964b03910627
537ac2f79db06191222ba7ae7b7843f063600f87971b8dffc4a31459d6a144b1
3aa80dd8ffbc7b364234cdf0849b10bcead52004fc803a74afb1bd504d024305
aa8fb15d63bd22b2ff15a9f1b4f4422b3c6af026915168c81d7bb38c9be2ab78
567fb0e6e6667ce1674cbdfd0ab26a8a3f68979256ef6680facf1d2d50a25dba
1b520e4dea36830a94a0c4ff92568ff8a9f2fbe70a7cedc79e01cea5ba0145b0
4c727e21312355cd9a9f0e1e0bb8fc3379f487968a832d00ffde9d5a04b8da9d
76da9d0046fe76fc28b80c4c1062b17852264348fd873b7dd781f39491f911e0
017ef960616182daa1ffabc5d5470340cc45bbd5ab3455d74987a3ae478fa118
5851043b2c040fb3dce45c23fb9f3e8aefff48e0438dec7141999062d46c592d
e2aff9d2f5e75bdc09712722d919f2261f638b0b4da878e405b86b927dcaf1e3
537ac2f79db06191222ba7ae7b7843f063600f87971b8dffc4a31459d6a144b1
ec32ff0c049bd8812a35aeaaaae1f66eaf0ce8aefce535d142862ae89435c2e2
930b7a798e3279b7460e30ce2f3a2deccbc252f3ca213cb022f5b7e6a25a0867
6a5b0cfdaf402e94f892f66a0f53e347d427be4105ab22c1a9f259238c272b60
0459e62c5444896d5be404c559c834ba455fa5cae1689c70fc8c61bc15468681
e3e3c28f7a96906e6c30f56e8e6b013e42b5113967d6fb054c32885501dfd1b7
235752f22f1a21e18e0833fc26e1cdb4834a56ee53ec7acb8a402129329c0cdd
afa06df5a2c33dc0bdf80bbe09dade421b3e8b5990a56246e0d7053d5668d917
fc8b2392b92860c7ca669d5274b65498ebd9c3992149cf6727d935c9d0fb48bb
c73c644aa671d76918b56f2ce0124a09156a521e293091b68e2763d2ed386e8f
98f139983882e443116863f795c1df50dae5ceb971075914dfee264dc1502a09
39f9157e24fa47c400d4047c1f6d9b4dbfd067288cfe5f5c0cc2e8449548a6e8
e4766d7e0c13f42cf1ce56efa07cee57889526f398efaae948ce487410d105f6
cab5fa13c8239e97c15b04b27f9b70fb8b561d31935af7b0680bb80aec12c813
aec41c4f461cd08efe1390c8de513e54f766a5903c3c1f67ac4a9c93a3213c6b
71d09abda31f0d7c7161cf6f371305023594bb3ef146aa9fbeab1f717885dd58
8a6da7e23267cadb1b8ec3996d662cbc71342f308ca6b65f545ce78612dfc9a7
86678ad613b4d05a8ad3013323875daa91c69b64411603187dd2bcc595d97a8e
033786a482641aa901a28a3e3c314dbe86723906cea15147629167d8364907f7
0492124645a667b1ca39002aff4b696871f12f7f21ab0a75816aaeb53ed2f78b
ce86d647df2da33c5992c790ddc0d302b56af8a0d7b1433639c235ff03bf09ad
cf7803d1546aab172d17345212cc4de9c2d98a9817c8f9c3770e64744e15e261
1d3e2eeaec0707e531593aa9aadaee0ee7757b67de43eae924fad122e86f60a0
aa9a8f143cf61118c96a3bf226c77a05072ccbef15e990c65e0a118eccbb47e6
c5455b708c1a1afe61aa5cff80dff19f07972a5b047fd398536c8377dc68a19b
1e629fe7c8911a9adbde2e35af4f6f9e60ee538638c82edbcbd7cce5ad2ff4ab
36afa5b3133667f2577687b3e83d7f6c009dd65864c20a408d860b3c6678df2a
71d09abda31f0d7c7161cf6f371305023594bb3ef146aa9fbeab1f717885dd58
3407c5d054491ecf28ea10ec24e30e75915ba6fd3b2656955e94a89b67e0567e
67d6267e0ee81e00f97b25a892d10bd9eeb68179eb7e1b9236fcb01ec3f50beb
e92e49b7af397f6f41a225b8778c6812f78c87f4388f527e6efda0dbe2b49251
2fd6e2ae0e4d78eef9d36376ac39768ec14e3bf8fe39c3ef6a347511b2cd55b1
a1a61052eac5fbe98f28ed6b3ed38a66d333aed3f14326bcd42d0fddcc18c519
a3e5473eb60e8dba6b97e626288b6742e141fa8a393ec7efeb7993449f84b14f
ec60594018da8717fa6b8d93fb919f08e7a8b07401fbce1abe7982c959f78424
fcf4efa82d477c924d42cc6b71aa672ab2381ca256769925ae34dabe2e77e025
b9adc1433ef7c6fee4d36f73b79744ad611d51a8e039d4c384dd453e33452d0f
9b7615b4c2c6ebdd283afb1dae4d951b7ef928939b98ffbe7dea49cc5c5eee02
951b09c559fdc1c447f3dc63870b5244c2b715d728e1318a62db64bc17dcb85d
4743ccff0b5dbc34027165e177143018b9ee9e3232496ca5d4fa5cd56b5646f6
302ae30d464d6958510dcc463e3c3d8339e38bf6ff84de6cd84866303d34c8a5
4d01691573542e1676fc09102ac3120d0eec37b6791f32ec103eb0d0ee2581c1
f863dab6504fa3c4c9f7534d264d13db95ea96679689cb7e5d0460eed8f59a37
61a194cd413614e5ac91d648a87ff6b7e78d2130f54eff8a05c4c9608a7ac3aa
2bce6eb2839569ba077e24468259aa2678677275c632a0d276dcb14566cc6fcf
4cf38636b0fd129c5cbb4be9cd2c8f7f401529cf17ad6853ff83a2fe36ca533b
150525f4490f43877f1281aaaccc9bce78452d556326105fb77db6156095c883
0459e62c5444896d5be404c559c834ba455fa5cae1689c70fc8c61bc15468681
24437d65bee4874fba99a2d57bf050ba719a69518160cebafbd8f7441368093a
d1f848a8477f171430b339acc4d0113660907705d85fa8ea4fbd9bf4ae20a116
acfd58369c0a7dbc866ad4ca9cb0fe69d017587af88297f1eaf62a9a8b1b74b4
5928048ed1d76df1ae4f3ede0e3da0b0006734f712a78036e6f4b6a78c05f0c6
a81719f585a9f40e4304c6ceb2292826676c2d3f7342e88b21f41139743436aa
02ec5c7a7ab17540164b4b499fa095e80113123b3ccba6dda59b5f7021b93e6b
c3d113bfc14a7148419d506e9bd8d44d897f3c71f8d81a63e3b2f4d843ad1c4c
1d72fdb8257a6ec78367f2512ceb18be480860320986845943776959cb4d3dd0
8f07bd408838182a0328ea44156ad47dd5b6ccdcfbd53209717d555ed69adedc
03c5f4cd4a0889f436cd1ac2634b2c76732ce7f280e294ab3a19e8c1e957f101
f76f1657205d7042fccfc811077bbada92c0fef735f158da35e7825da1cc6bec
92f1e5424d53e3f4516d4c831afe3d64e88ed265ec143fb32717f2323836d61b
0b949d6e2078771ed65ce1b81ae9b5619d24317846a4e67bb9494975049bf728
377d65bdbf2b323ef9b497b1d3e2f93521a9ce57d4f2d6c296b048ee1390173e
962bf22710ff07977e3ddad66117094a2cf1c0aefca3d7ed4ba947c62ee36491
bb2990a1bbc417cfec40d5f1a6a8b22cac0ef21aed869dd8503e28573cf84401
c26719156e644cee5e95133d31b30b80147494313e665d4243954435511f5c11
e751834f0dcd0cb1411142761fcb940c7ac18e0b851c625ee0bca38db170a17a
e3dc7be52151828d3be43fa6016bc7c134230315f0f2d3f2fdeb852b494da357
3a2aae4ad99f8aba7ff558c5b6ccee0366bcd8c69bc16eeb0aeb5f4f58340f0d
a6057292247d928e6adcda5a48983d8702372ce195fc50ea4496f67c6ca57e26
ce59d8cf4b6eca3420438e05b059d6f61cc484e6fb00b1b2a7033bf36446e683
508d6dd6c45027e3cda3d93364980f32ffc34c684a424c769954d741cf0d40d0
e0fc2cf31a0fd7f4bfa1ba453fd8f272784330de2ecba80104455252a931789b
2aeef18abf22b233de5515a95cdca5aa3cbc6c21e8d2f83a68214e7272f9d947
508d6dd6c45027e3cda3d93364980f32ffc34c684a424c769954d741cf0d40d0
f80d84a3f951a1b62d92a5a2799b149ed0aaca292364f101c1273f135c811565
887345540f1bf31c40755edcda2e3dd9fe640122fc9020f3873c895daa2378bf
4f29180005f3c2e776d1854722270287111ec073ab80dfc1b4dc1bc0d9337ddf
eef56bfc68959c6eaa66ab6abcaaf8fb54aa5b5a7da0866d97a1effeae0952b8
a265e0db5fe311dac60171e27011087bd64b467eb442986f343fe07410e8bf46
d7590ee95a46bc1ca7973a8f09efe23a5b00e54d6e65b95cb16acd17a0f127e8
ef3966d15af3665ee5126df394cefdf6f78fce77db7a70d5f35c19c234715035
ef54e266f8fc9eb97d71c76f2a53b65bef83fe5fc270fbfe83463f83678ff44c
df84d6c284dd39c2bfed6f8eb26149a4154396c27de50595ed5d80b428930dcd
ff1dcab09f24a4c314af3ee829f80127e5b54f5be2a13e812617f77d0deeef57
5009f65e7a8d84a9955d5adbdb86107b15304b1061bdaba5dd2ac2293dd8e6cb

IPs
101[.]36[.]125[.]203
103[.]159[.]132[.]70
103[.]15[.]28[.]145
103[.]15[.]28[.]208:443
103[.]15[.]28[.]208:80
103[.]200[.]97[.]150
103[.]75[.]190[.]50
103[.]91[.]64[.]134
107[.]167[.]64[.]4:443
107[.]178[.]71[.]211
110[.]42[.]64[.]64:24680
155[.]94[.]200[.]209
155[.]94[.]200[.]212
176[.]118[.]167[.]36
185[.]239[.]226[.]17
18[.]138[.]107[.]235
202[.]58[.]105[.]38:80
45[.]248[.]87[.]162
45[.]43[.]50[.]197
46[.]8[.]198[.]134
5[.]206[.]224[.]167
61[.]38[.]252[.]166
86[.]105[.]227[.]115
91[.]199[.]212[.]52:80
92[.]118[.]188[.]78
92[.]118[.]188[.]78:443
95[.]217[.]1[.]81

URLs
123[.]51[.]185[.]75/jquery-3[.]3[.]1[.]slim[.]min[.]js
fuckeryoumm[.]nmb[.]bet
hxxp[:]//103[.]107[.]104[.]19/2022/eu[.]docx
hxxp[:]//103[.]107[.]104[.]19/DocConvDll[.]dll
hxxp[:]//103[.]107[.]104[.]19/FontEDL[.]exe
hxxp[:]//103[.]107[.]104[.]19/FontLog[.]dat
hxxp[:]//103[.]15[.]28[.]145:6666/maps/overlaybfpr?q=san%20diego%20ca%20zoo
hxxp[:]//103[.]75[.]190[.]50:443/maps/overlaybfpr?q=san%20diego%20ca%20zoo
hxxp[:]//103[.]85[.]24[.]158/eeas[.]dat
hxxp[:]//107[.]178[.]71[.]211/eu/DocConvDll[.]dll
hxxp[:]//107[.]178[.]71[.]211/eu/FontEDL[.]exe
hxxp[:]//107[.]178[.]71[.]211/eu/FontLog[.]dat
hxxp[:]//107[.]178[.]71[.]211/eu/Report[.]pdf
hxxp[:]//155[.]94[.]200[.]206/images/branding/newtap[.]css
hxxp[:]//155[.]94[.]200[.]206/resources/Invitation[.]jpg
hxxp[:]//155[.]94[.]200[.]209/assets/mail/fonts/v1/fonts/last[.]jpg
hxxp[:]//155[.]94[.]200[.]211/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/server[.]gif
hxxp[:]//155[.]94[.]200[.]211/news/live/world-europe-60830013
hxxp[:]//45[.]154[.]14[.]235/2022/COVID-19%20travel%20restrictions%20EU%20reviews%20list%20of%20third%20countries[.]doc
hxxp[:]//45[.]154[.]14[.]235/2022/PotPlayer[.]dll
hxxp[:]//45[.]154[.]14[.]235/2022/PotPlayer[.]exe
hxxp[:]//45[.]154[.]14[.]235/2022/PotPlayerDB[.]dat
hxxp[:]//45[.]154[.]14[.]235/2023/PotPlayer[.]dll
hxxp[:]//45[.]154[.]14[.]235/2023/PotPlayer[.]dll
hxxp[:]//45[.]154[.]14[.]235/2023/PotPlayer[.]exe
hxxp[:]//45[.]154[.]14[.]235/2023/PotPlayerDB[.]dat
hxxp[:]//45[.]154[.]14[.]235/mfa/Council%20conclusions%20on%20the%20European%20security%20situation[.]pdf
hxxp[:]//45[.]154[.]14[.]235/PotPlayer[.]dll
hxxp[:]//45[.]154[.]14[.]235/PotPlayer[.]exe
hxxp[:]//45[.]154[.]14[.]235/PotPlayerDB[.]dat
hxxp[:]//45[.]154[.]14[.]235/State_aid__Commission_approves_2022-2027_regional_aid_map_for_Greece[.]pdf
hxxp[:]//95[.]217[.]1[.]81/maps/overlayBFPR
hxxp[:]//95[.]217[.]1[.]81/maps/overlaybfpr?q=san%20diego%20ca%20zoo
hxxp[:]//upespr[.]com/PotPlayer[.]exe
hxxp[:]//upespr[.]com/PotPlayerDB[.]dat
hxxp[:]//upespr[.]com/State_aid__Commission_approves_2022-2027_regional_aid_map_for_Greece[.]pdf
hxxp[:]//www[.]zyber-i[.]com/europa/2022[.]zip
hxxps[:]//45[.]154[.]14[.]235/2023/EU
hxxps[:]//45[.]154[.]14[.]235/2023/PotPlayer[.]dll
hxxps[:]//45[.]154[.]14[.]235/2023/PotPlayer[.]exe
hxxps[:]//45[.]154[.]14[.]235/2023/PotPlayerDB[.]dat
hxxps[:]//drive[.]google[.]com/uc?id=1BG0F1NdkPZOY6w2Y0YEs6nMGYLvSJiQo&export=download
hxxps[:]//drive[.]google[.]com/uc?id=1ITPqIFuWOQZ08RmMUDMmzWpg69_EbLTO
hxxps[:]//drive[.]google[.]com/uc?id=1NsauYfE3NaFmtI0M99RAe3DmOxO1bBak&export=download
hxxps[:]//drive[.]google[.]com/uc?id=1trg9KJtKJUkKHgP57AhJSirw83-nIwyu&export=download
hxxps[:]//president-office[.]gov[.]mm/sites/default/files/font/All-in-One_Pyidaungsu_Font[.]zip
hxxps[:]//www[.]president-office[.]gov[.]mm/sites/default/files/font/All-in-One_Pyidaungsu_Font[.]zip

 Tags

ta416
dll sideloading
telecoms firms
hong kong catholic church
spear phishing
threat intelligence platform
plugx
proxylogon
myanmar
non governmental organizations ngos

Posted on: January 23, 2023


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.