In an ongoing campaign aligned with the current war in Ukraine, Chinese cyberespionage group Mustang Panda has been targeting European diplomats with an updated variant of the PlugX backdoor, cybersecurity company Proofpoint reports.
Also known as RedDelta and TA416, the group was previously observed targeting entities connected to the Vatican – Chinese Communist Party diplomatic relations, as well as telecommunications companies in Asia, Europe, and the United States.
Believed to be operating on behalf of the Chinese government, Mustang Panda has been using ‘web bugs’ to perform reconnaissance operations, which suggests the group “is being more discerning about which targets the group chooses to deliver malware payloads,” Proofpoint says.
The web bug technique involves embedding within the body of the phishing email a hyperlinked non-visible object that attempts to retrieve an image from a remote server, and which confirms to the attackers that the victim is using the targeted email account.
Starting November 2021, Mustang Panda has been employing this method in campaigns targeting European diplomatic entities, with the activity aligned with the escalating tensions between Russia and Ukraine.
[ READ: Hacked Ukrainian Military Emails Used in Attacks on European Governments ]
In attacks ongoing since January 2022, the group has been seen delivering web bugs alongside malware links and targeting European diplomats with phishing emails containing links to malicious Zip files hosted on Dropbox. If opened, the files eventually lead to the execution of PlugX on the victim’s machine.
On February 28, Mustang Panda started using a compromised email address belonging to a diplomat in a European NATO country to target diplomatic offices in another country. The targeted diplomat was associated with refugee and migrant services.
Just as in previous campaigns, DLL search order hijacking is employed for PlugX deployment, but in recent attacks the threat actor switched to using potplayermini.exe to initiate the hijacking operation. Furthermore, the attackers updated their malware’s encoding method and also expanded its configuration capabilities.
The observed changes include various obfuscation and anti-analysis techniques and three new configuration fields, and show that the malware is undergoing additional development, Proofpoint says. The command and control (C&C) communication method was also modified, both in January and February.
“In response to historical disclosures detailing TA416 PlugX malware infection and encoding methods, the group appears to have adopted a rapid rate of development for their PlugX payloads,” Proofpoint notes.
Related: Symantec: Super-Stealthy ‘Daxin’ Backdoor Linked to Chinese Threat Actor
Related: 17 Malware Frameworks Target Air-Gapped Systems for Espionage
Related: Chinese Hackers Target Financial Institutions in Taiwan With Custom Backdoor