Actor: Mustang Panda, Bronze President
Names: Mustang Panda, Bronze President, TEMP.Hex, HoneyMyte, Red Lich, Earth Preta, Camaro Dragon
Country: China
Sponsor: State-sponsored
Motivation: Information theft and espionage
First-seen: 2012
Description: (CrowdStrike) In April 2017, CrowdStrike Falcon Intelligence observed a previously unattributed actor group with a Chinese nexus targeting a U.S.-based think tank. Further analysis revealed a wider campaign with unique tactics, techniques, and procedures (TTPs). This adversary targets non-governmental organizations (NGOs) in general, but uses Mongolian language decoys and themes, suggesting this actor has a specific focus on gathering intelligence on Mongolia. These campaigns involve the use of shared malware like Poison Ivy or PlugX. Recently, Falcon Intelligence observed new activity from Mustang Panda, using a unique infection chain to target likely Mongolia-based victims. This newly observed activity uses a series of redirections and fileless, malicious implementations of legitimate tools to gain access to the targeted systems. Additionally, Mustang Panda actors reused previously-observed legitimate domains to host files. Also see {{RedDelta}}.
Observed-sectors: Aviation
Observed-sectors: Education
Observed-sectors: Government
Observed-sectors: NGOs
Observed-sectors: Think Tanks
Observed-sectors: Telecommunications
Observed-countries: Australia
Observed-countries: Bangladesh
Observed-countries: Belgium
Observed-countries: Bulgaria
Observed-countries: China
Observed-countries: Cyprus
Observed-countries: Czech
Observed-countries: Ethiopia
Observed-countries: France
Observed-countries: Germany
Observed-countries: Greece
Observed-countries: Hong Kong
Observed-countries: Hungary
Observed-countries: India
Observed-countries: Indonesia
Observed-countries: Japan
Observed-countries: Mongolia
Observed-countries: Myanmar
Observed-countries: Nepal
Observed-countries: Pakistan
Observed-countries: Philippines
Observed-countries: Russia
Observed-countries: Singapore
Observed-countries: Slovakia
Observed-countries: South Africa
Observed-countries: South Korea
Observed-countries: South Sudan
Observed-countries: Sweden
Observed-countries: Taiwan
Observed-countries: Thailand
Observed-countries: UK
Observed-countries: USA
Observed-countries: Vietnam
Observed-countries: UN
Tools: AdFind
Tools: China Chopper
Tools: Cobalt Strike
Tools: Hodur
Tools: HopperTick
Tools: nbtscan
Tools: MQsTTang
Tools: NetSess
Tools: Netview
Tools: nmap
Tools: Orat
Tools: Poison Ivy
Tools: PlugX
Tools: PowerView
Tools: PUBLOAD
Tools: PVE Find AD Users
Tools: RCSession
Tools: TeamViewer
Tools: TinyNote
Tools: TONEINS
Tools: TONESHELL
Tools: WmiExec
Tools: WispRider
Operations: 2014
Operations: Secureworks Counter Threat Unit (CTU) researchers have observed BRONZE PRESIDENT activity since mid-2018 but identified artifacts suggesting that the threat actors may have been conducting network intrusions as far back as 2014. https://www.secureworks.com/research/bronze-president-targets-ngos
Operations: 2019-08
Operations: In mid-August 2019, the Anomali Threat Research Team discovered suspicious “.lnk” files during routine intelligence collection. While the distribution method of these documents cannot be confirmed at this time, it is likely that spearphishing is being utilized because it aligns with Mustang Panda’s TTPs, and it is a common tactic used amongst APT actors. https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations#When:17:14:00Z
Operations: 2020-01
Operations: Avira’s Advanced Threat Research team discovered a new version of PlugX from the Mustang Panda APT that is used to spy on some targets in Hong Kong and Vietnam. The way that the APT actor infects the target, and launches the malicious payload is similar to previous versions—but with some differences. https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/
Operations: 2020-03
Operations: Vietnamese cyber-security firm VinCSS detected a Chinese state-sponsored hacking group (codenamed Mustang Panda) spreading emails with a RAR file attachment purporting to carry a message about the coronavirus outbreak from the Vietnamese Prime Minister. https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc.html
Operations: 2020-03
Operations: ATR identified that the Higaisa and Mustang Panda Advanced Persistent Threat (APT) groups have been utilizing Coronavirus-themed lures in their campaigns. https://www.anomali.com/blog/covid-19-themes-are-being-utilized-by-threat-actors-of-varying-sophistication#When:14:00:00Z
Operations: 2021-03
Operations: Indonesian intelligence agency compromised in suspected Chinese hack https://therecord.media/indonesian-intelligence-agency-compromised-in-suspected-chinese-hack/
Operations: 2021-08
Operations: Mustang Panda’s Hodur: Old tricks, new Korplug variant https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/
Operations: 2022-02
Operations: Mustang Panda or Temp.Hex, a China-based threat actor, targeted European entities with lures related to the Ukrainian invasion. https://blog.google/threat-analysis-group/update-threat-landscape-ukraine/
Operations: 2022-02
Operations: Mustang Panda deploys a new wave of malware targeting Europe https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html
Operations: 2022-02
Operations: Mustang Panda Uses the Russian-Ukrainian War to Attack Europe and Asia Pacific Targets https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets
Operations: 2022-03
Operations: BRONZE PRESIDENT Targets Russian Speakers with Updated PlugX https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx
Operations: 2022-03
Operations: Earth Preta Spear-Phishing Governments Worldwide https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html
Operations: 2022-06
Operations: BRONZE PRESIDENT Targets Government Officials https://www.secureworks.com/blog/bronze-president-targets-government-officials
Operations: 2022
Operations: Earth Preta’s Cyberespionage Campaign Hits Over 200 https://www.trendmicro.com/en_us/research/23/c/earth-preta-cyberespionage-campaign-hits-over-200.html
Operations: 2022-10
Operations: Pack it Secretly: Earth Preta’s Updated Stealthy Strategies https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html
Operations: 2022-12
Operations: Operation “SmugX”. SmugX: Unveiling a Chinese-Based APT Operation Targeting European Governmental Entities: Check Point Research Exposes a Shifting Trend https://blog.checkpoint.com/securing-user-and-access/smugx-unveiling-a-chinese-based-apt-operation-targeting-european-governmental-entities-check-point-research-exposes-a-shifting-trend/
Operations: 2023-01
Operations: MQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and MQTT https://www.welivesecurity.com/2023/03/02/mqsttang-mustang-panda-latest-backdoor-treads-new-ground-qt-mqtt/
Operations: 2023-01
Operations: Malware Spotlight: Camaro Dragon’s TinyNote Backdoor https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/
Operations: 2023 (early)
Operations: Beyond the Horizon: Traveling the World on Camaro Dragon’s USB Flash Drives https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
Operations: 2023-04
Operations: New Mustang Panda’s campaign against Australia https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/
Operations: 2023-05
Operations: Check Point Research reveals a malicious firmware implant for TP-Link routers, linked to Chinese APT group https://blog.checkpoint.com/security/check-point-research-reveals-a-malicious-firmware-implant-for-tp-link-routers-linked-to-chinese-apt-group/
Information: https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
Information: https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
Mitre-attack: https://attack.mitre.org/groups/G0129/
Last-card-change: 2023-09-05
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
Mitre-attack techniques by tactic (from https://attack.mitre.org/groups/G0129/):
Tactic: Reconnaissance (TA0043)
Technique: T1598.003 Phishing for Information: Spearphishing Link. Mustang Panda has delivered web bugs to profile their intended targets.
Tactic: Resource Development (TA0042)
Technique: T1583.001 Acquire Infrastructure: Domains. Mustang Panda has acquired C2 domains prior to operations.
Technique: T1585.002 Establish Accounts: Email Accounts. Mustang Panda has leveraged the legitimate email marketing service Smtp2Go for phishing campaigns.
Technique: T1608 Stage Capabilities. Mustang Panda has used servers under their control to validate tracking pixels sent to phishing victims.
Technique: T1608.001 Stage Capabilities: Upload Malware. Mustang Panda has hosted malicious payloads on Dropbox, including PlugX.
Tactic: Initial Access (TA0001)
Technique: T1566.001 Phishing: Spearphishing Attachment. Mustang Panda has used spearphishing attachments to deliver initial access payloads.
Technique: T1566.002 Phishing: Spearphishing Link. Mustang Panda has delivered malicious links to their intended targets.
Technique: T1091 Replication Through Removable Media. Mustang Panda has used a customized PlugX variant which could spread through USB connections.
Tactic: Execution (TA0002)
Technique: T1059.001 Command and Scripting Interpreter: PowerShell. Mustang Panda has used malicious PowerShell scripts to enable execution.
Technique: T1059.003 Command and Scripting Interpreter: Windows Command Shell. Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection.
Technique: T1059.005 Command and Scripting Interpreter: Visual Basic. Mustang Panda has embedded VBScript components in LNK files to download additional files and automate collection.
Technique: T1203 Exploitation for Client Execution. Mustang Panda has exploited CVE-2017-0199 in Microsoft Word to execute code.
Technique: T1053.005 Scheduled Task/Job: Scheduled Task. Mustang Panda has created a scheduled task to execute additional malicious software, as well as maintain persistence.
Technique: T1204.001 User Execution: Malicious Link. Mustang Panda has sent malicious links, including links directing victims to a Google Drive folder.
Technique: T1204.002 User Execution: Malicious File. Mustang Panda has sent malicious files requiring direct victim interaction to execute.
Tactic: Persistence (TA0003)
Technique: T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder. Mustang Panda has created the registry key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobelmdyU to maintain persistence.
Technique: T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription. Mustang Panda's custom Orat tool uses a WMI event consumer to maintain persistence.
Technique: T1574.002 Hijack Execution Flow: DLL Side-Loading. Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file.
Technique: T1053.005 Scheduled Task/Job: Scheduled Task. Mustang Panda has created a scheduled task to execute additional malicious software, as well as maintain persistence.
Tactic: Privilege Escalation (TA0004)
Technique: T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder. Mustang Panda has created the registry key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AdobelmdyU to maintain persistence.
Technique: T1546.003 Event Triggered Execution: Windows Management Instrumentation Event Subscription. Mustang Panda's custom Orat tool uses a WMI event consumer to maintain persistence.
Technique: T1574.002 Hijack Execution Flow: DLL Side-Loading. Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file.
Technique: T1053.005 Scheduled Task/Job: Scheduled Task. Mustang Panda has created a scheduled task to execute additional malicious software, as well as maintain persistence.
Tactic: Defense Evasion (TA0005)
Technique: T1564.001 Hide Artifacts: Hidden Files and Directories. Mustang Panda's PlugX variant has created a hidden folder on USB drives named RECYCLE.BIN to store malicious executables and collected data.
Technique: T1574.002 Hijack Execution Flow: DLL Side-Loading. Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file.
Technique: T1070.004 Indicator Removal: File Deletion. Mustang Panda will delete their tools and files, and kill processes after their objectives are reached.
Technique: T1036.005 Masquerading: Match Legitimate Name or Location. Mustang Panda has used names like adobeupdate.dat and PotPlayerDB.dat to disguise PlugX, and a file named OneDrive.exe to load a Cobalt Strike payload.
Technique: T1036.007 Masquerading: Double File Extension. Mustang Panda has used an additional filename extension to hide the true file type.
Technique: T1027 Obfuscated Files or Information. Mustang Panda has delivered initial payloads hidden using archives and encoding measures.
Technique: T1027.001 Obfuscated Files or Information: Binary Padding. Mustang Panda has used junk code within their DLL files to hinder analysis.
Technique: T1218.004 System Binary Proxy Execution: InstallUtil. Mustang Panda has used InstallUtil.exe to execute a malicious Beacon stager.
Technique: T1218.005 System Binary Proxy Execution: Mshta. Mustang Panda has used mshta.exe to launch collection scripts.
Tactic: Credential Access (TA0006)
Technique: T1003.003 OS Credential Dumping: NTDS. Mustang Panda has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file. Mustang Panda has also used reg save on the SYSTEM file registry location to help extract the NTDS.dit file.
Tactic: Discovery (TA0007)
Technique: T1083 File and Directory Discovery. Mustang Panda has searched the entire target system for .doc, .docx, .ppt, .pptx, .xls, .xlsx, and .pdf files.
Technique: T1518 Software Discovery. Mustang Panda has searched the victim system for the InstallUtil.exe program and its version.
Technique: T1016 System Network Configuration Discovery. Mustang Panda has used ipconfig and arp to determine network configuration information.
Technique: T1049 System Network Connections Discovery. Mustang Panda has used netstat -ano to determine network connection information.
Tactic: Lateral Movement (TA0008)
Technique: T1091 Replication Through Removable Media. Mustang Panda has used a customized PlugX variant which could spread through USB connections.
Tactic: Collection (TA0009)
Technique: T1560.001 Archive Collected Data: Archive via Utility. Mustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration.
Technique: T1560.003 Archive Collected Data: Archive via Custom Method. Mustang Panda has encrypted documents with RC4 prior to exfiltration.
Technique: T1119 Automated Collection. Mustang Panda used custom batch scripts to collect files automatically from a targeted system.
Technique: T1074.001 Data Staged: Local Data Staging. Mustang Panda has stored collected credential files in C:\Windows\temp prior to exfiltration. Mustang Panda has also stored documents for exfiltration in a hidden folder on USB drives.
Tactic: Command and Control (TA0011)
Technique: T1071.001 Application Layer Protocol: Web Protocols. Mustang Panda has communicated with its C2 via HTTP POST requests.
Technique: T1573.001 Encrypted Channel: Symmetric Cryptography. Mustang Panda has encrypted C2 communications with RC4.
Technique: T1105 Ingress Tool Transfer. Mustang Panda has downloaded additional executables following the initial infection stage.
Tactic: Exfiltration (TA0010)
Technique: T1052.001 Exfiltration Over Physical Medium: Exfiltration over USB. Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks.
Tactic: Impact (TA0040)
Technique: none listed.