
The China-linked threat actor known as Mustang Panda has been attributed to a cyber attack targeting an unspecified organization in Myanmar with previously unreported tooling, highlighting the group's continued effort to increase the sophistication and effectiveness of its malware.
The additions include an updated version of a known backdoor called ToneShell, a new lateral movement tool called StarProxy, two keyloggers called PAKLOG and CorKLOG, and an endpoint detection and response (EDR) evasion driver called SplatCloak.
"ToneShell, a backdoor used by Mustang Panda, has been updated with changes to its FakeTLS command-and-control (C2) communication protocol and to the methods for creating and storing client identifiers," Zscaler ThreatLabz researcher Sudeep Singh said in a two-part analysis.
Also known as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, and RedDelta, Mustang Panda is a China-aligned, state-sponsored threat actor that has been active since at least 2012.

The group is known for attacks on governments, militaries, minority groups, and non-governmental organizations (NGOs), primarily in East Asia and to a lesser extent in Europe, and it has a history of using DLL side-loading to deliver the PlugX malware.
Since late 2022, however, campaigns orchestrated by Mustang Panda have frequently delivered a bespoke malware family called ToneShell, which is designed to download next-stage payloads.
Zscaler said it identified three new variants of the malware, each of a different level of sophistication –
– Variant 1, which functions as a simple reverse shell
– Variant 2, which can download DLLs from the C2 server and execute them by injecting them into legitimate processes (e.g., svchost.exe)
– Variant 3, which executes downloaded files and creates sub-processes based on commands received from the remote server over a custom TCP-based protocol
Another new tool linked to Mustang Panda is StarProxy. It is launched via DLL side-loading and is designed to use the FakeTLS protocol to proxy traffic and facilitate attacker communications.
"Once active, StarProxy allows attackers to proxy traffic between infected devices and their C2 servers. StarProxy achieves this by using TCP sockets to communicate with the C2 server over the FakeTLS protocol, encrypting all exchanged data with a custom XOR-based encryption algorithm," Singh said.
"Additionally, the tool uses command-line arguments to specify the IP address and port for communication, enabling attackers to relay data through compromised machines."
StarProxy activity
StarProxy is believed to be deployed as a post-compromise tool for reaching internal workstations within a network that are not directly exposed to the internet.
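To make the FakeTLS idea concrete, the following is an added example written for this page, not StarProxy's code: the article only states that the tool speaks a "FakeTLS" protocol over TCP sockets and XOR-encrypts the data, so the record layout, the repeating-key XOR, the key and the relay command below are all assumptions. It wraps an XOR'd payload in TLS application-data record headers so the stream passes a superficial look as TLS 1.2, then applies the structural checks an analyst can use to tell such traffic from a genuine session, which always opens with a ClientHello handshake record.

```python
import struct

TLS_HANDSHAKE = 0x16
TLS_APPDATA = 0x17
KNOWN_VERSIONS = {0x0301, 0x0302, 0x0303, 0x0304}  # TLS 1.0 - 1.3 record versions


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Assumed stand-in for the unspecified custom scheme."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def fake_tls_wrap(payload: bytes, key: bytes) -> bytes:
    """Hypothetical FakeTLS framing: XOR the payload and prepend a TLS 1.2
    application-data record header. No handshake ever takes place, which is
    exactly what the detector below keys on."""
    body = xor_bytes(payload, key)
    return struct.pack("!BHH", TLS_APPDATA, 0x0303, len(body)) + body


def parse_records(stream: bytes):
    """Split a TCP stream into (content_type, version, body) TLS records."""
    records, off = [], 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            break  # truncated trailing record
        records.append((ctype, version, body))
        off += 5 + length
    return records


def fake_tls_indicators(stream: bytes) -> list:
    """Cheap structural checks for a stream that claims to be TLS."""
    records = parse_records(stream)
    if not records:
        return ["no parseable TLS records"]
    findings = []
    ctype, _, body = records[0]
    if ctype != TLS_HANDSHAKE or not body or body[0] != 0x01:  # 0x01 = ClientHello
        findings.append("first record is not a ClientHello")
    for _, version, _ in records:
        if version not in KNOWN_VERSIONS:
            findings.append(f"unknown record version 0x{version:04x}")
    seen_handshake = False
    for ctype, _, _ in records:
        if ctype == TLS_HANDSHAKE:
            seen_handshake = True
        elif ctype == TLS_APPDATA and not seen_handshake:
            findings.append("application data before any handshake")
            break
    return findings


def fake_tls_unwrap(stream: bytes, key: bytes) -> bytes:
    """Forensic helper: recover the plaintext once the XOR key is known."""
    return b"".join(xor_bytes(body, key)
                    for ctype, _, body in parse_records(stream) if ctype == TLS_APPDATA)


# Constructed samples. The relay command and key are invented for this demo.
DEMO_KEY = b"\x5a\x13\xc4"
FAKE_STREAM = fake_tls_wrap(b"CONNECT 10.0.0.5:445", DEMO_KEY)

# Minimal genuine-looking opening: a handshake record carrying a ClientHello
# (handshake type 0x01). The hello body is truncated; only the framing matters here.
_CLIENT_HELLO = b"\x01\x00\x00\x04\x03\x03\x00\x00"
GENUINE_PREFIX = struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(_CLIENT_HELLO)) + _CLIENT_HELLO

if __name__ == "__main__":
    print("fake   :", fake_tls_indicators(FAKE_STREAM))
    print("genuine:", fake_tls_indicators(GENUINE_PREFIX))
    print("plain  :", fake_tls_unwrap(FAKE_STREAM, DEMO_KEY))
```

These checks are a first pass only: a FakeTLS implementation can prepend a plausible-looking handshake, so in practice they are combined with flow-level signals such as destination reputation, JA3/JA4 fingerprints and the absence of a certificate exchange.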
Zscaler also identified two new keyloggers, PAKLOG and CorKLOG, which are used to monitor keystrokes and clipboard data. The main difference between the two is that the latter stores captured data in an encrypted file using a 48-character RC4 key and implements persistence by creating a service or a scheduled task.
Neither keylogger has its own data exfiltration capability. This means they exist only to collect keystroke data and write it to a specific location, and that the threat actors rely on other methods to send it to their infrastructure.
Rounding out the new additions to Mustang Panda's malware arsenal is SplatCloak, a Windows kernel driver deployed by SplatDropper that is equipped to disable EDR-related routines implemented by Windows Defender and Kaspersky.
"Mustang Panda demonstrates a calculated approach to achieving its objectives," Singh said. "Continuous updates, new tools, and layered obfuscation extend the group's operational security and improve the effectiveness of its attacks."
UNC5221 drops new version of BrickStorm targeting Windows
The disclosure comes as the Belgian cybersecurity firm NVISO linked a China-nexus cyber espionage cluster named UNC5221 to the use of a new version of the BRICKSTORM malware in attacks targeting European Windows environments since at least 2022.

BRICKSTORM is a Golang backdoor first documented in connection with the zero-day exploitation of Ivanti Connect Secure vulnerabilities (CVE-2023-46805 and CVE-2024-21887) and deployed to Linux servers running VMware vCenter.
"It supports the ability to set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload/download, run shell commands, and perform SOCKS relaying," Google Mandiant said in April 2024.

The newly identified Windows artifacts, written in Go, provide attackers with file manager and network tunneling capabilities via panels, allowing them to browse file systems, create or delete files, and tunnel network connections for lateral movement.
It is also designed to resolve C2 servers via DNS-over-HTTPS (DoH) so as to evade network-level defenses such as DNS monitoring, TLS inspection, and geoblocking.
"The Windows samples [...] Instead, adversaries have been observed using the network tunneling feature in conjunction with valid credentials to abuse well-known protocols such as RDP and SMB to achieve similar command execution," NVISO said.
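As an added illustration of what DoH-based C2 resolution looks like on the wire (example code written for this page, not BRICKSTORM's; NVISO does not describe the implant's actual request format, and the resolver.example URL and the proxy log lines below are constructed placeholders), the block builds the RFC 8484 GET form of a DNS query and then shows the defender's side: recovering the queried name from a proxy or TLS-inspection log, where the host name would otherwise never appear in DNS monitoring.

```python
import base64
import struct
from urllib.parse import parse_qs, urlparse


def build_dns_query(name: str, qtype: int = 1) -> bytes:
    """Encode a minimal wire-format DNS query. ID 0 and no EDNS padding, as
    RFC 8484 suggests for cache-friendly DoH GET requests."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # id, RD flag, qdcount=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # qtype, class IN


def doh_get_url(resolver: str, name: str) -> str:
    """RFC 8484 GET form: base64url(wire query) without padding in ?dns=."""
    wire = build_dns_query(name)
    b64 = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={b64}"


def decode_doh_query(url: str) -> str:
    """Recover the queried name from a DoH GET URL (e.g. from a proxy log)."""
    b64 = parse_qs(urlparse(url).query)["dns"][0]
    wire = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    off, labels = 12, []  # skip the 12-byte DNS header
    while wire[off]:
        n = wire[off]
        labels.append(wire[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels)


def extract_doh_names(proxy_log: str) -> list:
    """Pull queried names out of any log line whose URL carries a ?dns= query.
    POST-form DoH (Content-Type: application/dns-message) carries the query in
    the request body instead and is not handled here."""
    names = []
    for line in proxy_log.splitlines():
        for token in line.split():
            if token.startswith("http") and "dns=" in token:
                names.append(decode_doh_query(token))
    return names


# Constructed sample proxy log; the resolver host, client IP and timestamps are placeholders.
SAMPLE_PROXY_LOG = (
    "2024-01-01T00:00:00Z 10.0.0.7 GET https://resolver.example/dns-query"
    "?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB 200\n"
    "2024-01-01T00:00:01Z 10.0.0.7 GET https://www.example.com/index.html 200\n"
)

if __name__ == "__main__":
    print(doh_get_url("https://resolver.example/dns-query", "www.example.com"))
    print(extract_doh_names(SAMPLE_PROXY_LOG))
```

The practical takeaway is that DoH moves the resolution into an HTTPS session, so the visibility has to come from the proxy or TLS-inspection layer (or from blocking unapproved resolvers outright) rather than from the resolver logs that ordinary DNS monitoring relies on.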