The China-linked Advanced Persistent Threat (APT) group known as Mustang Panda has recently upgraded its toolkit, deploying a new custom backdoor named MQsTTang. This development comes as the group intensifies its cyberattacks across Europe, Asia, and Australia. Mustang Panda, also referred to as Camaro Dragon, RedDelta, or Bronze President, has been active since at least 2012, targeting a wide range of entities including government organizations, think tanks, NGOs, and religious institutions.

Recent Campaigns and Targeted Regions

Historically, Mustang Panda has focused its efforts on American and European targets, but recent campaigns have shifted towards Asian countries such as Taiwan, Vietnam, and Malaysia. In 2022, the group utilized European Union reports on the Ukraine conflict as lures to initiate malware infections. In February 2024, Trend Micro researchers noted the group's activities in Asian regions, highlighting their persistent threat.

New Tools and Techniques

The Zscaler ThreatLabz team has identified new Mustang Panda activities originating from Myanmar, revealing several previously undocumented tools. These include variants of the ToneShell backdoor, keyloggers like StarProxy, Paklog, and Corklog, and the SplatCloak EDR evasion driver. The APT group employs DLL sideloading, a technique that pairs a malicious library with a legitimate but vulnerable executable that loads it from its own directory, so the malicious code runs under a trusted process and evades detection.

  • Variant 1: Archive cf.rar contains mrender.exe and libcef.dll.
  • Variant 2: Archive ru.zip contains FastVD.exe and LogMeIn.dll.
  • Variant 3: Archive zz.rar contains gpgconf.exe and libgcrypt-20.dll.
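The three executable/DLL pairs above are exactly what a defender can hunt for in image-load telemetry. The following Python script is an added example, not code from the article or from Zscaler ThreatLabz: it scores simplified, Sysmon-style image-load events against those pairs and against two generic sideloading heuristics (a DLL loaded from the host executable's own untrusted directory, and an unsigned DLL beside its host). The event tuples, paths and signing flags are all constructed, and the trusted-directory list is an assumption to tune per environment.

```python
"""Flag DLL sideloading candidates in image-load telemetry.

Added example (not from the original article or from Zscaler's research).
The events below are a constructed, simplified stand-in for Sysmon
Event ID 7 (ImageLoaded) records: (process image, loaded DLL, DLL signed?).
"""
from pathlib import PureWindowsPath

# Executable / DLL pairs named in the article's three ToneShell variants.
KNOWN_SIDELOAD_PAIRS = {
    ("mrender.exe", "libcef.dll"),
    ("fastvd.exe", "logmein.dll"),
    ("gpgconf.exe", "libgcrypt-20.dll"),
}

# Assumed directories from which a legitimately installed DLL would load.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
    "c:\\program files",
    "c:\\program files (x86)",
)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ("C:\\Users\\u\\AppData\\Local\\Temp\\cf\\mrender.exe",
     "C:\\Users\\u\\AppData\\Local\\Temp\\cf\\libcef.dll", False),
    ("C:\\Program Files\\LogMeIn\\FastVD.exe",
     "C:\\Program Files\\LogMeIn\\LogMeIn.dll", True),
    ("C:\\Users\\u\\Downloads\\zz\\gpgconf.exe",
     "C:\\Users\\u\\Downloads\\zz\\libgcrypt-20.dll", False),
    ("C:\\Windows\\System32\\notepad.exe",
     "C:\\Windows\\System32\\kernel32.dll", True),
]


def assess_image_load(process_path, dll_path, dll_signed):
    """Return a list of reasons an image-load event looks like sideloading."""
    exe = PureWindowsPath(process_path)
    dll = PureWindowsPath(dll_path)
    reasons = []

    pair = (exe.name.lower(), dll.name.lower())
    if pair in KNOWN_SIDELOAD_PAIRS:
        reasons.append(f"known sideload pair {pair[0]} + {pair[1]}")

    # Heuristic 1: the DLL sits beside the host executable and that directory
    # is not a trusted install location. Same-directory loading is what makes
    # sideloading work, so this is the core signal.
    same_dir = str(exe.parent).lower() == str(dll.parent).lower()
    in_trusted = str(dll.parent).lower().startswith(TRUSTED_DLL_DIRS)
    if same_dir and not in_trusted:
        reasons.append("DLL loaded from host executable's untrusted directory")

    # Heuristic 2: an unsigned DLL next to a (usually signed) host is a tell.
    if same_dir and not dll_signed:
        reasons.append("unsigned DLL loaded from same directory as host")

    return reasons


def find_sideload_candidates(events):
    """Return [(process_path, dll_path, reasons)] for every event with a hit."""
    hits = []
    for process_path, dll_path, signed in events:
        reasons = assess_image_load(process_path, dll_path, signed)
        if reasons:
            hits.append((process_path, dll_path, reasons))
    return hits


if __name__ == "__main__":
    for proc, dll, reasons in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"{proc} -> {dll}")
        for reason in reasons:
            print(f"    {reason}")
```

Run against the constructed events, the two archive-extracted loads in Temp and Downloads collect all three reasons, while the signed LogMeIn.dll under Program Files matches only by name: a name-only hit from a trusted install path is a prompt to verify the DLL's hash against the vendor's, not an alert on its own.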

Key Features of the ToneShell Backdoor Variants

Each variant of the ToneShell backdoor employs unique methods to enhance stealth and functionality. These adaptations include:

  • GUID Generation: Each variant generates a unique identifier for the infected machine using different seed methods.
  • Rolling XOR Key: Used for encrypting communications with the command-and-control (C2) server, with varying key sizes.
  • FakeTLS Headers: Mimic legitimate TLS traffic to evade network-based detections.
  • C2 Commands: Support a range of commands, including file operations and reverse shell creation, for flexible control.

StarProxy: A New Tool for Lateral Movement

StarProxy, a newly identified tool, facilitates lateral movement within compromised networks. Discovered within a RAR archive containing IsoBurner.exe and a malicious DLL (StarBurn.dll), StarProxy is launched through DLL sideloading. It proxies traffic between infected devices and C2 servers using TCP sockets and FakeTLS, encrypting data with a custom XOR-based algorithm.
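Both the ToneShell variants (FakeTLS headers under "Key Features" above) and StarProxy wrap their C2 traffic so that it resembles TLS. The article does not give the record layout the tools use, so the following Python classifier, an added example not taken from the article or from the researchers' tooling, relies only on the public TLS record format (RFC 8446 section 5) and one stated assumption: a genuine TLS session must open with a handshake record carrying a ClientHello, whereas a protocol that merely borrows TLS headers has nothing to negotiate and tends to begin with application-data records. All sample streams are constructed.

```python
"""Heuristic check for FakeTLS: TLS record headers with no TLS handshake.

Added example, not code from the article or the researchers it cites.
Assumption: fake TLS starts with application-data records (0x17) because
no handshake ever takes place. Real TLS starts with a ClientHello.
"""
import struct

CONTENT_HANDSHAKE = 0x16
CONTENT_APPLICATION_DATA = 0x17
HANDSHAKE_CLIENT_HELLO = 0x01
# Legacy record-version values seen on the wire for TLS 1.0 through 1.3.
TLS_VERSIONS = {0x0301, 0x0302, 0x0303, 0x0304}
# 2^14 bytes of plaintext plus the expansion RFC 8446 allows for a record.
MAX_RECORD_LEN = 16384 + 256


def parse_records(data):
    """Split bytes into (content_type, version, payload) TLS records.

    Parsing stops at the first header whose version or length is implausible,
    or that claims more bytes than are present; the records read so far are
    returned.
    """
    records = []
    offset = 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        if version not in TLS_VERSIONS or length > MAX_RECORD_LEN:
            break
        if offset + 5 + length > len(data):
            break  # truncated capture, or a length field that is fiction
        records.append((ctype, version, data[offset + 5:offset + 5 + length]))
        offset += 5 + length
    return records


def classify_client_stream(first_bytes):
    """Classify the first client-to-server bytes of a TCP stream.

    Returns one of:
      "not-tls"        no plausible TLS record header at all
      "tls-handshake"  opens with a ClientHello, as real TLS must
      "fake-tls"       well-formed record headers, but the conversation
                       begins with application data: nothing was negotiated
      "tls-odd"        valid records but neither pattern (e.g. an alert first)
    """
    records = parse_records(first_bytes)
    if not records:
        return "not-tls"
    ctype, _version, payload = records[0]
    if ctype == CONTENT_HANDSHAKE and payload[:1] == bytes([HANDSHAKE_CLIENT_HELLO]):
        return "tls-handshake"
    if ctype == CONTENT_APPLICATION_DATA:
        return "fake-tls"
    return "tls-odd"


def _record(ctype, version, payload):
    """Build one TLS record: 1-byte type, 2-byte version, 2-byte length."""
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


# Constructed sample streams (not real captures).
# Genuine start: handshake record carrying a ClientHello (type 1, 3-byte
# length, then client version and 32 bytes of random).
REAL_TLS_START = _record(
    CONTENT_HANDSHAKE, 0x0303,
    bytes([HANDSHAKE_CLIENT_HELLO]) + b"\x00\x00\x22" + b"\x03\x03" + b"\x00" * 32,
)
# FakeTLS-style start: an application-data record with nothing negotiated.
FAKE_TLS_START = _record(CONTENT_APPLICATION_DATA, 0x0303, b"\x5a" * 48)
# A plain custom protocol with no TLS dressing at all.
RAW_START = b"HELO device-0001\n"

if __name__ == "__main__":
    for label, stream in [("real", REAL_TLS_START), ("fake", FAKE_TLS_START),
                          ("raw", RAW_START)]:
        print(f"{label:>4}: {classify_client_stream(stream)}")
```

On a sensor this check belongs on the first client segment of a flow; "fake-tls" on a port where real TLS is expected deserves a look, and so does "not-tls" on TCP/443, which is where a fake whose length field is implausible will land. Treat it as a triage heuristic, since legitimate TLS 1.3 middlebox quirks and session resumption still begin with a ClientHello and are classified correctly, but any custom protocol that happens to prefix a plausible application-data header will also trip it.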