Mustang Panda Feeds Worm-Driven USB Attack Strategy

One of China's most prolific and well-known state-sponsored threat actors is back on the scene with new self-propagating malware that spreads through USB drives (along with other tools), to extend its cyber-espionage goals of system control and data exfiltration.

Mustang Panda also is using spear-phishing to spread multistage downloaders that deliver malware in its recent targeting of various government entities in the Asia-Pacific (APAC) region, Trend Micro researchers revealed in a blog post on Sept. 9.

Using malware-loaded USB drives is a strategy that experienced a revival during and in the wake of the COVID-19 pandemic, and Mustang Panda (aka Camaro Dragon, Bronze President, Luminous Moth, Red Delta, Stately Taurus, and, for Trend Micro, Earth Preta) is known for using it as a primary infection vector. The advanced persistent threat (APT) is mainly in the business of cyber espionage and has been known to collaborate with other Chinese actors on coordinated attacks. In fact, Trend Micro has recently reported a spate of fresh activity from Chinese threat actors in general, which may or may not be related.

Mustang Panda's Quick Attacks, Custom Malware

This time around, Mustang Panda is using the vector to deliver malware called PUBLOAD via a self-propagating variant of the worm HIUPAN, as well as other tools such as FDMTP and PTSOCKET to control systems and exfiltrate data. A concurrent spear-phishing campaign by the threat actor also is targeting the same victim demographic, using malicious attachments to distribute backdoors and other malware.

Specific targets in the campaigns include people in various government organizations: military, police departments, foreign affairs and welfare agencies, executive branches, and public education. Victims are often hit by a fast-paced approach that infiltrates their system and steals data before they have a clue as to what's happening, according to Trend Micro.

"Earth Preta’s attacks are highly targeted and time-sensitive, often involving rapid deployment and data exfiltration, with a focus on specific countries and sectors within the APAC region," Trend Micro researchers Lenart Bermejo, Sunny Lu, and Ted Lee wrote in the post.

Evolution of Previous APT Tactics

The new campaigns observed by Trend Micro have two distinct vectors for initial entry that show evolution in the group's typical tactics. The first is the deployment of the HIUPAN worm via USB drives to propagate PUBLOAD, which acts as a stager that can download the next-stage payload from a command-and-control (C2) server.

In previous campaigns, Mustang Panda used spear-phishing emails to deliver PUBLOAD, making the use of a self-propagating worm a novel tactic for the group. The ultimate goal of the USB campaign is to deliver end-stage malware to achieve control on a targeted environment for persistent data exfiltration.

"This HIUPAN variant has differences with the previously documented variant, which was used to propagate ACNSHELL, although its main utility within the attack chain stays the same," the researchers noted in the post.

The version of PUBLOAD used in the new campaigns is similar to ones previously delivered through spear-phishing and documented by Trend Micro. In this case, Mustang Panda is using PUBLOAD to introduce supplemental tools into the targets' environment, such as FDMTP to serve as a secondary control tool, and PTSOCKET, a which is used as an alternative exfiltration option.

Spear-Phishing Delivers Multistage Attack

Separately, a "fast-paced" spear-phishing campaign that researchers observed in June is delivering a chain of malware that ultimately delivers a backdoor called CBROVER, which supports file download and remote shell execution, the researchers said.

Along the way, malicious .url attachments download and execute other malware, including DOWNBAIT, a first-stage downloader for downloading a decoy document and shellcode component, and PULLBAIT, straightforward shellcode that downloads and executes CBROVER. Trend Micro also has found evidence of Mustang Panda exploiting Microsoft's cloud services for data exfiltration.

The spear-phishing campaign uses decoy documents related to foreign affairs to lure victims into continuing the attack chain. Countries likely targeted in the attacks include Myanmar, the Philippines, Vietnam, Singapore, Cambodia, and Taiwan, the researchers said.

"The quick turnover of decoy documents and malware samples on the WebDAV server hosted at 16[.]162[.]188[.]93 suggests that Earth Preta is executing highly targeted and time-sensitive operations, focusing on specific countries and industries within APAC region," they wrote.

The researchers included a list of indicators of compromise (IoCs) for the attacks in the post and advise "continuous vigilance" and "updated defensive measures" in the face of increasingly more sophisticated tactics by Mustang Panda and its cohorts. "Earth Preta has remained highly active in APAC," they wrote, "and will likely remain active in the foreseeable future."