When one of your enemies begins attacking another one of your other enemies, does this mean that your first enemy is now an ally? I will let the philosophers answer this question. A China-linked state-sponsored cyberespionage group has started targeting the Russian military in recent attacks, which aligns with China’s interests in the Russia-Ukraine war. Tracked as Mustang PANDA, Bronze President, RedDelta, HoneyMyte, Red Lichand TA416, the government-backed hacking group previously focused mainly on the Southeast Asian region, with some attacks targeting Europe and the United States.
This threat actor targets non-governmental organizations using Mongolian-themed lures for espionage purposes. In April 2017, researchers observed a previously unattributed actor group with a Chinese nexus targeting a US-based think tank. Further analysis revealed a wider campaign with unique tactics, techniques, and procedures (TTPs). This adversary targets non-governmental organizations (NGOs) in general, but uses Mongolian language decoys and themes, suggesting this actor has a specific focus on gathering intelligence on Mongolia.
These campaigns involve the use of shared malware like Poison Ivy or PlugX. Recently, analysts observed new activity from Mustang PANDA, using a unique infection chain to target likely Mongolia-based victims. This newly observed activity uses a series of redirections and fileless, malicious implementations of legitimate tools to gain access to the targeted systems. Additionally, Mustang PANDA actors reused previously-observed legitimate domains to host files.
Over the past several months, however, in line with the escalating tensions between Russia and Ukraine, Mustang PANDA switched to targeting European diplomats with an updated variant of the PlugX backdoor. A recently captured malicious file shows that Mustang Panda has started targeting Russian military personnel close to the Chinese border.
The malicious file has the Russian name of “Blagoveshchensk - Blagoveshchensk Border Detachment,” which uses a PDF icon for credibility, but has an EXE extension. Blagoveshchensk is a Russian city close to the China border and is home to the 56th Blagoveshchenskiy Red Banner Border Guard Detachment. This connection suggests that the filename was chosen to target officials or military personnel familiar with the region.
When launched, the malicious file fetches four files from a staging server, including a decoy document written in English, a legitimate executable from UK-based Global Graphics Software Ltd, a malicious DLL downloader, and an encrypted payload, which the researchers believe is the PlugX malware. The decoy document, which appears legitimate, discusses the current situation in countries around Belarus (Lithuania, Latvia, and Poland), as well as the sanctions that the European Union (EU) has imposed on Belarus starting in March 2022.
Investigators point out that the remaining three files are typically used by Mustang PANDA to execute PlugX on the victim’s machine, via DLL search order hijacking. Once installed on a victim’s machine, PlugX allows attackers to harvest and exfiltrate sensitive information, download and upload files, and execute a remote command shell.
The staging server of the malicious file connects to what was previously used in attacks on European diplomats, as well as in another campaign attributed to the cyberespionage group, which can also be linked to Mustang PANDA activity from 2020. Bronze President appears to be changing its targeting in response to the political situation in Europe and the war in Ukraine. […] Targeting Russian-speaking users and European entities suggests that the threat actors have received updated tasking that reflects the changing intelligence collection requirements of the.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and has been tracking both Chinese and Russian hackers for years. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs. com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings