2023-11-21

A Chinese-linked hacker group called Mustang Panda has been connected to a cyber attack targeting a government agency in the Philippines, in the midst of growing tensions between the two countries over the dispute in the South China Sea.

What is known about the Mustang Panda hacker group and this attack

Palo Alto Networks Unit 42 attributed the attack to a cluster of three campaigns in August 2023 that focused primarily on organizations in the South Pacific.

“The campaigns exploited legitimate software, including Solid PDF Creator and SmadavProtect (an Indonesia-based antivirus solution), to load malicious files,” the company said. “The threat actors also creatively configured the malware to pretend to be legitimate Microsoft traffic for command and control (C2) connections.”

The Mustang Panda group, also known as Bronze President, Camaro Dragon, Earth Preta, RedDelta and Stately Taurus, is assessed to be a Chinese Advanced Persistent Threat (APT) that has been active since at least 2012, orchestrating cyber espionage campaigns against non-governmental organizations (NGOs) and government entities in North America, Europe and Asia.

In late September 2023, Unit 42 also implicated the group in targeted attacks against an unspecified Southeast Asian government to deploy a variant of a backdoor called TONESHELL.

The latest campaigns leverage spear-phishing emails to deliver a malicious ZIP archive that contains a rogue dynamic link library (DLL), which is loaded by a legitimate executable using a technique called DLL side-loading. The DLL then establishes contact with a remote server.
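The side-loading pattern described above (a legitimate, signed executable dropped by a lure that loads an unsigned DLL sitting beside it in a user-writable folder) is something a defender can hunt for in image-load telemetry. The following is an added detection example written for this article; it is not code from Unit 42 or from the reported campaign. It assumes a normalized, pipe-separated record format in which the signing status of both the loading process and the loaded DLL has already been resolved (for instance by joining Sysmon image-load events with signature lookups), and the sample lines, paths and file names are constructed for the example.

```python
"""Heuristic detection of DLL side-loading over constructed image-load records.

Assumed schema (not a real product format): one pipe-separated line per DLL
load with Image, ImageLoaded, ProcessSigned and DllSigned fields.
"""
import ntpath
from dataclasses import dataclass
from typing import List

# Constructed sample records. Line 1 and line 5 show the side-loading pattern:
# a signed EXE in a user-writable folder loading an unsigned DLL from that same
# folder. Line 2 is the same pairing under Program Files (admin-installed),
# line 3 is a normal system DLL load, line 4 has an unsigned loader.
SAMPLE_LOG = """\
Image=C:\\Users\\alice\\Downloads\\brief\\viewer.exe|ImageLoaded=C:\\Users\\alice\\Downloads\\brief\\render.dll|ProcessSigned=true|DllSigned=false
Image=C:\\Program Files\\Viewer\\viewer.exe|ImageLoaded=C:\\Program Files\\Viewer\\render.dll|ProcessSigned=true|DllSigned=false
Image=C:\\Users\\alice\\Downloads\\brief\\viewer.exe|ImageLoaded=C:\\Windows\\System32\\kernel32.dll|ProcessSigned=true|DllSigned=true
Image=C:\\Users\\alice\\Downloads\\brief\\viewer.exe|ImageLoaded=C:\\Users\\alice\\Downloads\\brief\\render.dll|ProcessSigned=false|DllSigned=false
Image=C:\\ProgramData\\av\\scanner.exe|ImageLoaded=C:\\ProgramData\\av\\plugin.dll|ProcessSigned=true|DllSigned=false
"""

# Location prefixes, lower-cased. Assumption for this example: these are the
# places an unprivileged user can write to on a default Windows install.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class ImageLoad:
    process_image: str    # EXE that performed the load
    loaded_image: str     # DLL that was mapped into it
    process_signed: bool  # EXE carries a valid Authenticode signature
    dll_signed: bool      # DLL carries a valid Authenticode signature


def parse_line(line: str) -> ImageLoad:
    """Parse one pipe-separated key=value record into an ImageLoad."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        process_image=fields["Image"],
        loaded_image=fields["ImageLoaded"],
        process_signed=fields["ProcessSigned"].lower() == "true",
        dll_signed=fields["DllSigned"].lower() == "true",
    )


def parse_log(text: str) -> List[ImageLoad]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_user_writable(path: str) -> bool:
    """Classify a path by prefix; user-writable prefixes are tested first
    because C:\\Windows\\Temp sits underneath the trusted C:\\Windows tree."""
    p = path.lower()
    if p.startswith(USER_WRITABLE_PREFIXES):
        return True
    if p.startswith(TRUSTED_PREFIXES):
        return False
    return True  # other drives / removable media: treat as writable so it gets reviewed


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """Signed EXE + unsigned DLL + same directory + user-writable location."""
    if not ev.process_signed or ev.dll_signed:
        return False
    same_dir = ntpath.dirname(ev.process_image.lower()) == ntpath.dirname(ev.loaded_image.lower())
    return same_dir and is_user_writable(ev.loaded_image)


def find_sideloads(text: str) -> List[ImageLoad]:
    """Return the records that match the side-loading heuristic."""
    return [ev for ev in parse_log(text) if is_sideload_candidate(ev)]


if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_LOG):
        print(f"possible DLL side-load: {hit.process_image} loaded {hit.loaded_image}")
```

The rule deliberately ignores signed EXE/unsigned DLL pairs under Program Files, since that is what many legitimately installed applications look like; the signal the text describes is the combination with a user-writable drop location such as a Downloads folder. A real deployment would add the DLL's hash and export table to the alert so an analyst can tell a benign plugin from a planted loader.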

The Philippine government body is believed to have been compromised in the five-day window between August 10 and 15, 2023.

Abusing SmadavProtect is a tactic Mustang Panda has used repeatedly in recent months; the group has also distributed malware specifically designed to evade that security solution.

“Stately Taurus continues to demonstrate its ability to conduct persistent cyber espionage operations as one of China’s most active APTs,” the researchers said. “These operations target a variety of entities globally that align with geopolitical topics of interest to the Chinese government.”

The disclosure comes as a South Korean APT hacker group called Higaisa has been discovered targeting Chinese users through phishing sites that imitate well-known software applications such as OpenVPN.

“Once executed, the installer drops and executes Rust-based malware on the system, subsequently activating a shellcode,” Cyble said late last month. “The shellcode performs anti-debugging and decryption operations. It then establishes an encrypted command and control (C&C) communication with a remote threat actor (TA).”

Other cases similar to Mustang Panda

This cyber attack is part of a series of similar cases in which state-sponsored hackers or hacking groups targeted government entities or organizations amid tense geopolitical contexts.

For example, in 2015 the Russian hacker group APT28, also known as Fancy Bear, was implicated in cyber attacks targeting government institutions and non-governmental organizations in various parts of the world, and in 2017 it emerged that the Russian hacker group APT29, or Cozy Bear, had orchestrated cyber espionage operations against government targets.

These cases highlight the growing complexity of the global cyber threat landscape and the expanding role of state-sponsored hackers within it.