
The China-linked threat actor known as Mustang Panda has been attributed to a new cyber-espionage campaign directed against the Tibetan community.
According to IBM X-Force, the campaign leveraged topics related to Tibet, such as the 9th World Parliament’s Treaty of Tibet (WPCT), China’s education policy in the Tibet Autonomous Region (TAR), and recently published books.
The tech company’s cybersecurity division observed the campaign earlier this month, saying the attacks lead to the deployment of known Mustang Panda malware called Pubload. IBM tracks the threat actor under the name Hive0154.
The attack chain uses Tibetan-themed lures to distribute malicious archives containing benign Microsoft files alongside executables disguised as documents, such as articles reproduced from Tibetan websites and WPCT photos.

As observed in previous Mustang Panda attacks, the executable leverages DLL side-loading to launch a malicious DLL dubbed billing loader. This is used to deploy Pubload, a downloader responsible for contacting the remote server and retrieving Pubshell, the next-stage payload, which is then injected.
Pubshell is “a lightweight backdoor that promotes immediate access to machines via reverse shells,” security researchers Golo Mühr and Joshua Chung said in an analysis published this week.
It is worth noting some differences in nomenclature at this stage. IBM uses the name billing loader for a custom stager first documented by Cisco Talos in May 2022, whereas Trend Micro identifies both the stager and the downloader as Pubload. Similarly, TeamT5 tracks the two components together as NoFive.
The development comes weeks after IBM described activity attributed to a Hive0154 subcluster targeting the US, the Philippines, Pakistan and Taiwan from late 2024 to early 2025.
That activity also used weaponized archives delivered via spear-phishing emails to target government, military and diplomatic organizations, much like the Tibet-themed campaign.
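The side-loading step described above (a legitimate Microsoft executable loading a malicious DLL dropped next to it) is the kind of event host telemetry can surface. The following is an added detection example, not code from the IBM X-Force report: it runs a simple rule over constructed Sysmon-style image-load records (paths, file names and signature fields are invented) and flags a Microsoft-signed process loading an unsigned DLL from its own non-system directory.

```python
import json
from pathlib import PureWindowsPath

# Directories where a Microsoft-signed binary legitimately loads its DLLs.
SYSTEM_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")

# Constructed Sysmon-style image-load (Event ID 7) records for illustration,
# not real telemetry; paths and file names are invented.
SAMPLE_EVENTS = [
    r'{"Image":"C:\\Users\\victim\\Downloads\\WPCT_photos\\OfficeUtil.exe",'
    r'"Signed":"true","Signature":"Microsoft Corporation",'
    r'"ImageLoaded":"C:\\Users\\victim\\Downloads\\WPCT_photos\\helper.dll",'
    r'"LoadedSigned":"false","LoadedSignature":""}',
    r'{"Image":"C:\\Windows\\System32\\notepad.exe",'
    r'"Signed":"true","Signature":"Microsoft Windows",'
    r'"ImageLoaded":"C:\\Windows\\System32\\kernel32.dll",'
    r'"LoadedSigned":"true","LoadedSignature":"Microsoft Windows"}',
    r'{"Image":"C:\\Users\\victim\\Downloads\\WPCT_photos\\OfficeUtil.exe",'
    r'"Signed":"true","Signature":"Microsoft Corporation",'
    r'"ImageLoaded":"C:\\Windows\\System32\\version.dll",'
    r'"LoadedSigned":"true","LoadedSignature":"Microsoft Windows"}',
    r'{"Image":"C:\\Users\\victim\\AppData\\Local\\Temp\\tool.exe",'
    r'"Signed":"false","Signature":"",'
    r'"ImageLoaded":"C:\\Users\\victim\\AppData\\Local\\Temp\\tool.dll",'
    r'"LoadedSigned":"false","LoadedSignature":""}',
]

def _under_system_root(directory):
    d = directory.lower()
    return any(d == root or d.startswith(root + "\\") for root in SYSTEM_ROOTS)

def is_suspicious_sideload(ev):
    """Microsoft-signed host loading an unsigned DLL from its own non-system directory."""
    exe = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    host_is_microsoft = ev.get("Signed") == "true" and "microsoft" in ev.get("Signature", "").lower()
    if not host_is_microsoft or ev.get("LoadedSigned") == "true":
        return False
    # Side-loading means the DLL sits beside the executable, not in a system directory.
    if dll.suffix.lower() != ".dll" or str(exe.parent).lower() != str(dll.parent).lower():
        return False
    return not _under_system_root(str(exe.parent))

def find_sideloads(lines):
    """Return (host exe, DLL) pairs from JSON-lines image-load events that match the rule."""
    hits = []
    for line in lines:
        ev = json.loads(line)
        if is_suspicious_sideload(ev):
            hits.append((ev["Image"], ev["ImageLoaded"]))
    return hits
```

Only the first record matches: the unsigned host in the last record is a different pattern (not side-loading of a trusted binary), and the system-directory loads are excluded by their signatures.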

The digital missives include a Google Drive link that, when clicked, downloads a booby-trapped ZIP or RAR archive, ultimately leading to the deployment of Toneshell (in 2024) and Pubload via the billing loader.
Another frequently used Mustang Panda malware, Toneshell, works similarly to Pubshell: it is also used to create a reverse shell on compromised hosts and run commands.
“The implementation of the Pubshell reverse shell through an anonymous pipe is roughly the same as in Toneshell,” the researchers said. “However, instead of running a new thread to return the results immediately, Pubshell requires additional commands to return the command results. It also supports only running ‘cmd.exe’ as a shell.”

“In some respects, Pubload and Pubshell are independently developed ‘lite versions’ of Toneshell, with fewer overlaps of sophisticated clear codes.”
The attacks targeting Taiwan are characterized by the use of a USB worm called Hiupan (aka Mistcloak or U2DiskWatch), which is then used to propagate the billing loader and Pubload via USB devices.
“Hive0154 remains a highly capable threat actor with multiple active subclusters and frequent development cycles,” the researchers said.
“China-aligned groups like Hive0154 continue to improve their large malware arsenals and focus on private and public sector East Asia-based organizations. Their wide range of tools, frequent development cycles, and USB worm-based malware distribution highlight them as sophisticated threat actors.”