09 March 2022

MUSTANG PANDA: Gone Phishing with Refreshed Lures Targeting European Diplomats

Chinese phishing actors consistently targeting EU diplomats

briefcase

  • March 9, 2022
  • 02:02 AM

"The China-aligned group tracked as TA416 (aka Mustang Panda) has been consistently targeting European diplomats since August 2020, with the most recent activity involving refreshed lures to coincide with the Russian invasion of Ukraine.

According to a new report by Proofpoint, TA416 spearheads cyber-espionage operations against the EU, consistently focusing on this long-term role without reaping opportunistic gains.

By keeping their tools and tactics essentially unchanged since 2020 and only refreshing their phishing themes and peripheral components, TA416 has made attribution simple for the analysts.

Timeline of activity

Starting in August 2020, the phishing actors impersonated EU-based organizations to target governments in the continent.

Email impersonating a UN agent
Email impersonating a UN agent (Proofpoint)

The malicious emails used a DropBox URL to deliver a variant of the PlugX malware, which was previously deployed in attacks against Australian organizations.

In November 2021, TA416 added hidden image trackers on emails to validate message openings and follow a more targeted approach in their campaign.

On January 17, 2022, Proofpoint noticed new delivery attempts involving ZIP files that were custom-named to match the target’s interests.

January 2022 phishing email
January 2022 phishing email (Proofpoint)

A change in tactic also occurred at this point, as the ZIP files weren’t fetched from a cloud hosting service but instead leveraged a dropper malware executable.

The four components downloaded this way were the PlugX malware, its loader, the DLL search order hijacker (process loader), and a PDF decoy file.

Finally, on February 28, 2022, the Chinese threat actors were spotted using a compromised diplomat’s address to target other top-ranking officials of NATO countries with lures involving the Russian invasion of Ukraine.

The most recent phishing lure linked to TA416
The most recent phishing lure linked to TA416 (Proofpoint)

The compromised person worked in refugee and migrant services, an area that was recently targeted by Belarusian hackers as well.

Superficial changes

While the tactics, malware drop, installation, and loading methods remain constant across campaigns, Mustang Panda puts some effort into regularly changing the components used.

“The group uses different legitimate PE files to initiate side-loading, as well as a variety of PlugX DLL loaders including the PotPlayer and DocCon versions,” elaborates the Proofpoint report.

“TA416 also uses different variants of the final PlugX payload in which the communication routines are observed to be different when closely analyzed.”

However, too many elements form a common ground between 2020, 2021, and 2022 campaigns, as reflected in the following table.

Common TA416 tactics throughout the years
Common TA416 tactics throughout the years (Proofpoint)

As Proofpoint’s report underlines in conclusion, these superficial variations will continue unabated, especially now that a fresh set of indicators of compromise has been published, so vigilance and good email security practices are advised to all potential targets.

Related Articles:

Google: Russia, China, Belarus state hackers target Ukraine, Europe

Emotet growing slowly but steadily since November resurgence

Google: Chinese hackers target Gmail users affiliated with US govt

Adafruit discloses data leak from ex-employee's GitHub repo

Russia-Ukraine war exploited as lure for malware distribution

No comments:

Iran Focuses on Modern Submarines in Major Naval Expansion.

Iran Focuses on Modern Submarines in Major Naval Expansion. 25 Nov, 2024 - 12:11 Naval News Navy 2024 According to information published by ...