According to Trend Micro’s report, the primary targets of the phishing attacks, between May and October 2022 included entities of countries of the Asia Pacific region like Myanmar, Australia, The Philippines, Japan, and Taiwan.
Mustang Panda, also known as Bronze President, Earth Preta, HoneyMyte, or Red Lich, is an espionage threat actor based in China. The group is said to be active since July 2018 and is known for utilizing malware like China Chopper and PlugX in order to obtain data illegally.
Attributes of the Phishing Attack
The attacks involve spear-phishing emails and messages distributed via Google accounts. The fraudulent emails enticed target users, deceiving them into downloading malicious custom malware through the Google drive links.
During the investigation, researchers found that Mustang Panda used messages consisting of geopolitical subjects, with around 84% of the attacks being targeted at governmental/ legal organizations.
The attached link apparently directed the target users to a Google Drive or Dropbox folder, in order to evade suspicion. Furthermore, the link directed users to download RAR, ZIP, and JAR compressed files that may include malware variants like ToneShell, Tonelns, and Pubload.
"Earth Preta abused fake Google accounts to distribute the malware via spear-phishing emails, initially stored in an archive file (such as RAR/ZIP/JAR) and distributed through Google Drive links," says researchers Nick Dai, Vickie Su, and Sunny Lu.
Although the hackers utilized a variety of malware-loading methods, the process mainly required DLL side-loading once the target ran the executable contained in the archives.
“In addition, the actors leverage different techniques for evading detection and analysis, like code obfuscation and custom exception handlers. We also found that the senders of the spear-phishing emails and the owners of Google Drive links are the same. Based on the sample documents that were used for luring the victims, we also believe that the attackers were able to conduct research and, potentially, prior breaches on the target organizations that allowed for familiarity, as indicated in the abbreviation of names from previously compromised accounts,” explained Trend Micro researchers. "Once the group has infiltrated a targeted victim's systems, the sensitive documents stolen can be abused as the entry vectors for the next wave of intrusions. This strategy largely broadens the affected scope in the region involved."