Cybersecurity researchers have unearthed a new campaign by advanced persistent threat (APT) group Mustang Panda targeting European and Russian organizations using topical spear-phishing lures linked to the war in Ukraine.
Mustang Panda, also known as RedDelta, Bronze President, or TA416 has been active since at least 2012 and over the years has targeted entities in EU member states, the United States and Asian countries where China has interests. The targets have included diplomatic organizations, non-governmental organizations (NGOs), religious organizations, telecommunication firms, and political activists.
"Mustang Panda is a highly motivated APT group relying primarily on the use of topical lures and social engineering to trick victims into infecting themselves," Cisco Talos said in a new report published this week.
The hacking group is known for designing its phishing lures based on current scenarios that might be of interest to its targets. These have included the COVID-19 pandemic, international summits, and political topics. The attacks observed this year by researchers from Cisco Talos and several other security firms used reports from EU institutions regarding the security situation in Europe both before and after Russia's invasion of Ukraine.
Mustang Panda modus operandi
The PlugX RAT, also known as KorPlug, continues to remain the Mustang Panda's preferred spying tool. is Mustang Panda’s malware of choice. The threat actor has used multiple variants of it for several years, together with other threat actors originating from China.
Recent attack campaigns spotted this year have primarily phishing messages containing malicious lures masquerading as official European Union reports on the ongoing conflict in Ukraine or Ukrainian government reports, both of which download malware onto infected devices.
A similar technique is also used to target various entities in the U.S. and several Asian countries like Myanmar, Hong Kong, Japan, and Taiwan.
The researchers also spotted Mustang Panda distributing a malicious file containing PlugX with a Russian name referencing the Blagoveshchensk Border Guard Detachment. But similar attacks identified towards the end of March 2022 show that the actors are upgrading their tactics by minimizing the remote URLs used to obtain different components of the infection chain.
Other than PlugX, infection chains utilized by the APT group have involved the deployment of custom stagers, reverse shells, Meterpreter-based shellcode, and Cobalt Strike, all of which are used to establish remote access to their targets with the intention of conducting espionage and information theft.
"By using summit- and conference-themed lures in Asia and Europe, this attacker aims to gain as much long-term access as possible to conduct espionage and information theft," Talos researchers added.
