A China-linked cyber-espionage group has launched a series of spear-phishing attacks against government, academic, foundation and research organizations around the world.
Known as Mustang Panda, Earth Preta or Bronze President, the group is believed to have been conducting cyber operations since at least July 2018. It is known for using malware such as China Chopper and PlugX to steal data from compromised environments.
In the most recent campaign, which has been running since March 2022, Mustang Panda has targeted entities in countries around the globe, including Myanmar, Australia, the Philippines, Japan and Taiwan. The attacks begin with spear-phishing emails sent from fake Google accounts, which carry Google Drive links to password-protected or plain archive files.
When a victim opens the archive and runs the bait file inside, a lure document is displayed while the malware loads in the background through DLL side-loading, in which a legitimate executable is made to load a malicious DLL placed alongside it. This chain ultimately delivers the PUBLOAD stager, the TONEINS trojan (which acts as an installer for TONESHELL) and the TONESHELL backdoor, which supports file upload, file download, file execution and lateral movement.
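As an added triage example (not code from the article or from Trend Micro), the following Python script inspects an archive attachment for the staging pattern described above: a decoy document shipped next to an executable and a DLL, a PE file disguised behind a document extension, or a double extension. The archive contents and every file name in it are constructed for illustration and are not indicators from the campaign; the heuristics are generic side-loading checks, not the group's specific file names.

```python
import io
import zipfile
from posixpath import basename, splitext

# Extension sets used by the heuristics below. These are generic choices for this
# added example, not file types reported for the campaign.
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf", ".txt"}
EXE_EXTS = {".exe", ".com", ".scr", ".lnk"}
DLL_EXTS = {".dll"}


def split_name(name: str):
    """Return (stem, lowercase extension) for a ZIP member path."""
    stem, ext = splitext(basename(name))
    return stem, ext.lower()


def build_sample_archive() -> bytes:
    """Constructed archive staged for DLL side-loading. All member names and
    contents are invented for illustration; none are indicators from the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Agenda.docx", b"PK\x03\x04 decoy document bytes")  # lure shown to the victim
        zf.writestr("Agenda.exe", b"MZ" + b"\x00" * 62)                 # renamed benign executable (assumed)
        zf.writestr("version.dll", b"MZ" + b"\x00" * 62)                # hypothetical DLL the executable imports
        zf.writestr("notes/Budget.pdf", b"MZ" + b"\x00" * 62)           # PE hidden behind a document extension
    return buf.getvalue()


def build_clean_archive() -> bytes:
    """Constructed benign archive: a single document, nothing executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Minutes.docx", b"PK\x03\x04 ordinary document bytes")
    return buf.getvalue()


def triage_archive(data: bytes) -> dict:
    """Flag archives whose layout matches a side-loading drop: an executable and a
    DLL next to a decoy document, PE files disguised by document extensions, and
    double extensions. Returns a verdict plus the reasons behind it."""
    findings = []
    docs, exes, dlls = set(), set(), set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            stem, ext = split_name(info.filename)
            is_pe = zf.read(info.filename)[:2] == b"MZ"  # PE/MZ magic, regardless of extension
            if ext in DOC_EXTS:
                docs.add(stem.lower())
                if is_pe:
                    findings.append(f"PE header in document-named member: {info.filename}")
            elif ext in EXE_EXTS:
                exes.add(stem.lower())
                if split_name(stem)[1] in DOC_EXTS:  # e.g. Report.docx.exe
                    findings.append(f"double extension: {info.filename}")
            elif ext in DLL_EXTS:
                dlls.add(stem.lower())
    if exes and dlls:
        findings.append("executable and DLL shipped together (side-loading staging)")
    for shared in sorted(docs & exes):
        findings.append(f"decoy document shares a name with an executable: {shared}")
    return {
        "verdict": "suspicious" if findings else "clean",
        "findings": findings,
        "docs": sorted(docs), "exes": sorted(exes), "dlls": sorted(dlls),
    }


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_archive()), ("clean", build_clean_archive())):
        result = triage_archive(blob)
        print(label, result["verdict"])
        for reason in result["findings"]:
            print("  -", reason)
```

The checks look at the first two bytes of each member rather than trusting its extension, so a PE renamed to `.pdf` is still caught; the name-matching check (a document and an executable sharing a stem) is what distinguishes a decoy from an ordinary mixed archive. Password-protected archives, which the mail gateway cannot open, should be routed to a sandbox or blocked rather than passed through on a "clean" verdict.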
“In addition, the actors leverage different techniques for evading detection and analysis, like code obfuscation and custom exception handlers. We also found that the senders of the spear-phishing emails and the owners of Google Drive links are the same. Based on the sample documents that were used for luring the victims, we also believe that the attackers were able to conduct research and, potentially, prior breaches on the target organizations that allowed for familiarity, as indicated in the abbreviation of names from previously compromised accounts,” Trend Micro researchers wrote.
Trend Micro notes that Mustang Panda is constantly updating its toolset and expanding its capabilities, with its primary targets remaining countries in Asia.