Myanmar presidential office website has been a target of a supply chain attack in which a threat actor injected malware inside a localized Myanmar font package available for download on the site’s front page, cybersecurity researchers at Slovak security firm ESET revealed.
The intrusion was discovered on June 2.
“In the archive, attackers added a Cobalt Strike loader [named] Acrobat.dll, that loads a Cobalt Strike shellcode,” ESET explained in a series of tweets.
The researchers were able to identify the loader’s command and control server (95.217.1[.]81). They said the loader shows similarities with other malware samples spread as attachments in spear-phishing emails used in past attacks against Myanmar targets.
These spear-phishing campaigns mainly targeted Myanmar, ESET said. The cybersecurity firm added that some findings, namely a timestamp in a .lnk file, suggest the Mustang Panda APT’s involvement in the recent attack, but at present they cannot confirm attribution.
Mustang Panda, also referred to as TA416 and RedDelta, has a history of hacking and espionage campaigns targeting organizations around the world and is known for the targeting of entities connected to the diplomatic relations between the Vatican and the Chinese Communist Party, along with entities in Myanmar.
Last year, researchers at Proofpoint discovered a Mustang Panda’s campaign against targets involved in negotiations about the operations of the Catholic Church in China. In the campaign the threat actor was observed using an updated toolset in order to evade detection, including a new version of the RedDelta PlugX malware written in Golang.