Amid Military Buildup, China Deploys Mustang Panda in the Philippines

China pairs cyber and kinetic attacks in the South Pacific as it continues to wrangle control of the South China Sea.

3 Min Read
Silhouette of boats and people swimming at sunset, Phillipines
Source: RooM the Agency via Alamy Stock Photo

During a dramatic military buildup in the South China Sea this summer, a Chinese state-linked advanced persistent threat (APT) managed to compromise an entity within the Philippine government using a remarkably simple sideloading technique.

The culprit, Mustang Panda — known variously as Bronze President, Camaro Dragon, Earth Preta, Luminous Moth, Red Delta, and tracked by Palo Alto Networks' Unit 42 as Stately Taurus — has spied on high-profile government and government-adjacent organizations over the Web since at least 2012.

In one recent case, outlined by Unit 42 on Nov. 17, the group carried out three similar campaigns against South Pacific organizations, including one which led to successful five-day compromise of the Philippine government organization.

Mustang Panda's Simple TTPs

Beginning in early August, when the Chinese coast guard blocked and fired water cannons at Philippine supply ships, the two South Pacific nations engaged in a months-long, increasingly serious melodrama of the kind often seen in the South China Sea.

During the military tête-à-tête, it seems, China's hackers were simultaneously attacking Philippine organizations in cyberspace.

During the first half of the month, China's Mustang Panda conducted three attacks in the South Pacific which, aside from a few minor differences, followed largely the same playbook.

Each began with a ZIP file. "We typically see actors host their malicious files with cloud storage providers and then entice victims to click a link, often to a trusted storage platform in a phishing email to download the files," notes Pete Renals, senior manager at Unit 42 at Palo Alto Networks. For example, "for the first campaign, the files were found to be hosted on Google Drive for download."

The malware package would be given a legitimate sounding name, like "NUG's Foreign Policy Strategy.zip." Once extracted, it would reveal just one EXE file with a similarly legitimate sounding name like "Labour Statement.exe."

The file would be no more than a renamed copy of Solid PDF Creator, a legitimate application for converting documents to PDFs. The trick was that launching the app would sideload a second file — a dynamic link library (DLL), hidden inside of the original ZIP. The DLL would provide the attackers a point to which they could establish command-and-control (C2).

Dealing With Mustang Panda

Throughout the month of August, Mustang Panda conducted its espionage from one of its known IP addresses based in Malaysia. It thinly attempted to mask its malicious traffic by mimicking a Microsoft domain, "wcpstatic.microsoft[.]com."

Multiple such malicious communications were sent between the IP address in question and the Philippine government entity, between the period of Aug. 10-15. The exact data that might have been transferred in that period, or in any related August attack, remains unknown.

While Mustang Panda's tactics may seem rudimentary at first, Renals warns that they're still effective, and organizations still need to be cautious.

"APTs using DLL sideloading to deliver malware is not new or novel. However, the continued use of this technique by Stately Taurus actors, combined with minimal detection rates across platforms like VirusTotal, demonstrates that this technique continues to be an effective tool enabling their operations," he concludes.

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights