Zscaler Identifies New Mustang Panda Cyber Activity
Following a recent US-led, court-authorised operation that removed malware from over 4,200 infected networks, new activity has emerged from the Chinese state-sponsored threat group whose malware that operation targeted: Mustang Panda (also known as Twill Typhoon).
The Zscaler ThreatLabz team has discovered new activity associated with Mustang Panda on two machines belonging to a targeted organisation in Myanmar. This research led to the discovery of new ToneShell variants and several previously undocumented tools.
Mustang Panda, a China-sponsored espionage group, traditionally targets government-related entities, military entities, minority groups and non-governmental organisations, primarily in East Asia. However, the group has also been known to target entities in Europe.
Key takeaways from the Zscaler findings include:
ToneShell, a backdoor used by Mustang Panda, has been updated with changes to its FakeTLS command-and-control communication protocol as well as to the methods for creating and storing client identifiers;
ThreatLabz discovered a new lateral movement tool used by Mustang Panda, which it has named StarProxy, that leverages the FakeTLS protocol to proxy traffic and facilitate attacker communications;
Mustang Panda remains active in targeting organisations and individuals in Myanmar; and
Mustang Panda employs DLL sideloading techniques, typically bundling malicious tools inside RAR archives paired with legitimate, signed binaries.
In addition to the new ToneShell variants and StarProxy, Zscaler ThreatLabz discovered two new keyloggers used by Mustang Panda, which it has named PAKLOG and CorKLOG, as well as an EDR evasion driver (SplatCloak) on Mustang Panda's staging server.
ThreatLabz further notes that:
Mustang Panda continues to create new tooling in targeted attacks;
PAKLOG is a keylogger that the group uses to monitor keystrokes and clipboard data; it employs a custom character encoding scheme to obfuscate the log data;
CorKLOG is another keylogger deployed by Mustang Panda; it uses a 48-character RC4 key to encrypt the contents of the keylogger capture file, and maintains persistence by creating services or scheduled tasks; and
SplatCloak is a tool used by Mustang Panda that disables kernel-level notification callbacks for four Windows Defender-related drivers and for Kaspersky drivers. Its developers implemented code obfuscation techniques, including control flow flattening and mixed Boolean arithmetic, to hinder analysis.