Mustang Panda Targets Myanmar With TONESHELL Updates, StarProxy, and an EDR Bypass.

Mustang Panda, a China-linked threat actor, has been attributed to a cyberattack on an unnamed organization in Myanmar that used previously unreported tooling, underlining the group’s ongoing efforts to raise the sophistication and effectiveness of its malware.

This includes updated versions of the well-known backdoor TONESHELL, two new keyloggers, PAKLOG and CorKLOG, an endpoint detection and response ( EDR ) evasion driver called SplatCloak, and a brand-new lateral movement tool named StarProxy.

In a report, Zscaler ThreatLabz researcher Sudeep Singh said that Mustang Panda’s TONESHELL backdoor has been updated with changes to its FakeTLS command-and-control ( C2 ) communication protocol as well as to the methods used for creating and storing client identifiers.

A China-affiliated state-sponsored threat actor active since at least 2012, Mustang Panda is also tracked as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, and RedDelta.

The group has a history of using DLL side-loading techniques to deliver the PlugX malware, and is known for its attacks on governments, military entities, minority groups, and non-governmental organizations ( NGOs ), primarily in countries located in East Asia and, to a lesser extent, in Europe.

Since late 2022, however, campaigns run by Mustang Panda have commonly featured a bespoke malware family called TONESHELL, which is designed to drop next-stage payloads.

Zscaler said it found three new variants with varying levels of sophistication:

  • Variant 1, a simple reverse shell.
  • Variant 2, which can download DLLs from the C2 server and execute them by injecting the DLL into legitimate processes ( such as svchost.exe ).
  • Variant 3, which can download files and spawn a sub-process to run commands received from a remote server over a custom TCP-based protocol.

StarProxy, a new tool in Mustang Panda’s arsenal, is launched via DLL side-loading and uses the FakeTLS protocol to proxy traffic and facilitate attacker communications.

” Once active, StarProxy allows adversaries to proxy traffic between infected devices and their C2 servers,” Singh said. ” StarProxy uses TCP sockets to communicate with the C2 server using the FakeTLS protocol, encrypting all exchanged data with a custom XOR-based encryption algorithm.”

Additionally, the tool uses command-line arguments to specify the IP address and interface for communication, enabling attackers to route traffic through compromised machines.

StarProxy’s activities

StarProxy is believed to be used as a post-compromise tool to reach internal workstations on a network that are not directly exposed to the internet.

Two new keyloggers, PAKLOG and CorKLOG, used to capture keystrokes and clipboard data, have also been identified. The former implements persistence mechanisms by creating services or scheduled tasks, and uses a 48-character RC4 key to store the captured data in an encrypted file.

Both keyloggers lack built-in data exfiltration capabilities, meaning they only record keystroke data and store it locally; the threat actor uses other means to transfer it to their infrastructure.

SplatCloak, a Windows kernel driver deployed by SplatDropper, rounds out the latest additions to Mustang Panda’s malware arsenal and enables it to fly under the radar. It is capable of disabling EDR-related routines implemented by Windows Defender and Kaspersky.

According to Singh, ” Mustang Panda demonstrates a determined approach to achieving their goals.” Constant updates, new tools, and layered obfuscation ” prolong the group’s operational security and increase the effectiveness of attacks.”

UNC5221 Drops New BRICKSTORM Variant Targeting Windows.

The disclosure comes as French cybersecurity firm NVISO has linked the China-nexus cyber espionage cluster UNC5221 to a new version of the BRICKSTORM malware used in attacks aimed at Windows environments in Europe since at least 2022.

BRICKSTORM is a Golang backdoor previously observed on Linux servers running VMware vCenter as part of attacks against the MITRE Corporation that exploited zero-day vulnerabilities in Ivanti Connect Secure ( CVE-2023-46805 and CVE-2024-21887 ).

In April 2024, Google Mandiant stated that it supports the ability to set itself up as a web server, manipulate files and directories, perform file operations like upload/download, run shell commands, and relay SOCKS traffic. ” BRICKSTORM communicates with a hard-coded C2 over WebSockets.”

The newly discovered Windows artifacts, also written in Go, give attackers file manager and network tunneling capabilities through a panel, allowing them to browse the file system, edit or delete files, and tunnel network connections for lateral movement.

They are engineered to evade network-level defenses like DNS monitoring, TLS inspection, and geo-blocking, and they resolve C2 servers using DNS-over-HTTPS ( DoH ).

NVISO noted that ” the Windows samples [ ..] are not equipped with command execution capabilities.” Instead, ” adversaries have been observed using network tunneling capabilities in combination with legitimate credentials to abuse well-known protocols like RDP or SMB, resulting in similar command execution.”
