3 June 2021

Supply chain attack targets Myanmar presidential office website



The Myanmar presidential office website has been the target of a supply chain attack in which a threat actor injected malware into a localized Myanmar font package available for download on the site’s front page, cybersecurity researchers at Slovak security firm ESET revealed.

The intrusion was discovered on June 2.

“In the archive, attackers added a Cobalt Strike loader [named] Acrobat.dll, that loads a Cobalt Strike shellcode,” ESET explained in a series of tweets.

The researchers were able to identify the loader’s command and control server (95.217.1[.]81). They said the loader shows similarities with other malware samples spread as attachments in spear-phishing emails used in past attacks against Myanmar targets.

These spear-phishing campaigns mainly targeted Myanmar, ESET said. The cybersecurity firm added that some findings, namely a timestamp in a .lnk file, suggest the Mustang Panda APT’s involvement in the recent attack, but at present they cannot confirm attribution.

Mustang Panda, also referred to as TA416 and RedDelta, has a history of hacking and espionage campaigns against organizations around the world and is known for targeting entities connected to the diplomatic relations between the Vatican and the Chinese Communist Party, along with entities in Myanmar.

Last year, researchers at Proofpoint discovered a Mustang Panda campaign against targets involved in negotiations about the operations of the Catholic Church in China. In that campaign, the threat actor was observed using an updated toolset to evade detection, including a new version of the RedDelta PlugX malware written in Golang.

