China APT group using Russia invasion, COVID-19 in phishing attacks

Mustang Panda deploys variant of Korplug malware to target European officials and ISPs


A China-based threat group is likely running a month-long campaign using a variant of the Korplug malware and targeting European diplomats, internet service providers (ISPs) and research institutions via phishing lures that refer to Russia's invasion of Ukraine and COVID-19 travel restrictions.

The ongoing campaign was first seen in August 2021 and is being tied to Mustang Panda – a Chinese APT unit also known as TA416, RedDelta and PKPLUG – due to similar code and common tactics, techniques and procedures used by the group in the past, according to researchers with the cybersecurity firm ESET.

Mustang Panda is known for targeting governmental entities and non-governmental organizations (NGOs), with most of its victims being in East and Southeast Asia.

It also was responsible for a campaign in 2020 that targeted the Vatican, ESET researchers wrote in a blog post this month. In the most recent campaign, Mustang Panda was using a Korplug variant that ESET is calling "Hodur," which resembles another variant uncovered by Palo Alto Networks' Unit 42 threat intelligence unit that was dubbed "Thor."

In Norse mythology, Hodur is Thor's blind half-brother, tricked by the god Loki into killing their half-brother Baldr.

The decoy documents used as phishing lures by Mustang Panda for Hodur not only refer to current events occurring in Europe but also are frequently updated, the researchers wrote. More than 3 million people have fled Ukraine to neighboring countries to escape the violence, and one of the file names used in a fraudulent document refers to the "situation at the EU borders with Ukraine."

Another decoy refers to a real document on the European Council's website, showing that the advanced persistent threat (APT) group "is following current affairs and is able to successfully and swiftly react to them," ESET wrote.

Entities in eight countries have been targeted in the Hodur campaign: Greece, Russia, Cyprus, Vietnam, Myanmar, South Africa, South Sudan and Mongolia, a frequent target of Mustang Panda.

"While we haven't been able to identify the verticals of all victims, this campaign seems to have the same targeting objectives as other Mustang Panda campaigns," the researchers wrote. "Following the APT's typical victimology, most victims are located in East and Southeast Asia, along with some in European and African countries. According to ESET telemetry, the vast majority of targets are located in Mongolia and Vietnam, followed by Myanmar, with only a few in the other affected countries."

Researchers with cybersecurity firm Proofpoint referred to the same campaign in a report earlier this month, noting the campaign by the threat group – which they call TA416 – is part of a larger trend among cybercriminals to profit off the fallout from Russia's war against Ukraine.

The threat group often uses custom loaders for shared malware – such as Cobalt Strike, Poison Ivy and Korplug – in its campaigns. In the past it has also created its own Korplug variants. Mustang Panda also uses techniques designed to thwart analysis and obfuscate how the malware works.

The Korplug remote access trojan (RAT) and its variants have been around for about a decade and have been used by a number of Chinese threat groups. ESET researchers said that despite the new Hodur variant and custom loaders, Mustang Panda is still leveraging DLL side-loading to evade detection. At the same time, the group is using even more anti-analysis techniques and obfuscation throughout the attack process.

The decoy documents are designed to entice victims to open them. Doing so opens the pathway for a malicious file, an encrypted Korplug file and an executable to land in the targeted system. The Korplug Hodur variant creates a backdoor and messages back to a command-and-control (C2) server for orders.

"Korplug (also known as PlugX) is a RAT used by multiple APT groups," ESET researchers wrote. "In spite of it being so widely used, or perhaps because of it, few reports extensively describe its commands and the data it exfiltrates. Its functionality is not constant between variants, but there does seem to exist a significant overlap in the list of commands between the version we analyzed and other sources."

The researchers expect Mustang Panda to continue to evolve its operations, noting how quickly it can react to current events, such as an EU regulation regarding COVID-19 that was used as a decoy two weeks after it came out. ESET wrote that "this group also demonstrates an ability to iteratively improve its tools, including its signature use of trident downloaders to deploy Korplug." ®
