Chinese Threat Actor ‘Mustang Panda’ Updates Tools in Attacks on Vatican

A Chinese threat actor tracked as Mustang Panda was observed using an updated arsenal of tools in recent attacks, Proofpoint’s security researchers revealed on Monday.

Also referred to as TA416 and RedDelta, the threat group is known for the targeting of entities connected to the diplomatic relations between the Vatican and the Chinese Communist Party, along with entities in Myanmar, and the new campaign appears to be a continuation of that activity.

Some of the observed toolset updates, Proofpoint says, include the use of a new Golang variant of the PlugX malware loader, alongside the continued use of PlugX itself. While attribution remains fairly simple, automatic detection is more difficult.

“This may represent efforts by the group to continue their pursuit of espionage objectives while maintaining an embattled toolset and staying out of the daily Twitter conversation popular amongst threat researchers,” Proofpoint notes.

Phishing lures used in recent attacks show a focus on the relations between the Vatican and the Chinese Communist Party, as well as spoofed emails imitating journalists from the Union of Catholic Asia News.

As part of the attacks, the hackers used RAR archives that serve as PlugX malware droppers, although the delivery vector for these archives has not yet been identified. However, the group is known to abuse Google Drive and Dropbox URLs within phishing emails.

The RAR archives used in this campaign include, among others, the encrypted PlugX payload, a legitimate Adobe executable for side loading, and a Golang binary to decrypt and load the payload.

According to Proofpoint, this is the first time the adversary has used a Golang binary in their attacks. The file has a compilation date of June 24, 2020, but the variant appears to have been used only since August 24.
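The archive layout described above (a legitimate executable, a loader library and an encrypted payload) is a pattern defenders can triage for. The script below is an added example, not Proofpoint's or SecurityWeek's code: it assumes an archive has already been extracted into (filename, bytes) pairs, classifies each PE as EXE or DLL from its COFF header, reads the build timestamp (the same field a "compilation date" is taken from) and treats a high-entropy non-PE file as a candidate encrypted payload. All file names and the 2020-06-24 timestamp in the sample are constructed for the demo.

```python
import math
import random
import struct
from datetime import datetime, timezone
IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag marking a DLL

def pe_info(data: bytes):
    """Return ('exe'|'dll', compile time) for a PE file, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < pe_off + 24 or data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    # COFF header follows the signature: TimeDateStamp at +8, Characteristics at +22
    stamp = struct.unpack_from("<I", data, pe_off + 8)[0]
    chars = struct.unpack_from("<H", data, pe_off + 22)[0]
    kind = "dll" if chars & IMAGE_FILE_DLL else "exe"
    return kind, datetime.fromtimestamp(stamp, tz=timezone.utc)

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted blobs sit close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def find_sideload_triad(entries):
    """Flag an archive that holds an EXE, a DLL and a high-entropy non-PE blob."""
    roles = {"exe": [], "dll": [], "blob": []}
    for name, data in entries:
        info = pe_info(data)
        if info:
            roles[info[0]].append((name, info[1].date().isoformat()))
        elif entropy(data) > 7.5:
            roles["blob"].append((name, None))
    return roles if all(roles.values()) else None

def fake_pe(is_dll: bool, stamp: int) -> bytes:
    """Constructed minimal PE header for the demo, not a real binary."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew: PE signature at 0x40
    flags = IMAGE_FILE_DLL if is_dll else 0
    return bytes(hdr) + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, stamp, 0, 0, 0, flags)
SAMPLE = [  # constructed archive listing mirroring the bundle described above
    ("adobe_helper.exe", fake_pe(False, 1500000000)),
    ("loader.dll", fake_pe(True, 1593000000)),  # 2020-06-24 UTC build stamp
    ("payload.dat", random.Random(7).randbytes(4096)),  # stand-in encrypted payload
]
```

A hit is a triage signal, not a verdict: legitimate installers also bundle an EXE, DLLs and compressed data, so the result belongs in a queue for analyst review alongside the archive's delivery context.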


Although it features a new file type, the PlugX loader hasn’t changed its functionality: it will execute PlugX and also ensure its persistence. The malware variant used in these attacks remains consistent when compared to previously observed versions, as does the command and control (C&C) communication in these PlugX samples.

The C&C IP, Proofpoint says, was hosted by the Chinese Internet Service Provider Anchnet Asia Limited and was in use as a C&C at least between August 24 and September 28, 2020. Since the IP is no longer in use, the threat actor is believed to have worked on overhauling its infrastructure.

“Continued activity by TA416 demonstrates a persistent adversary making incremental changes to documented toolsets so that they can remain effective in carrying out espionage campaigns against global targets. The introduction of a Golang PlugX loader alongside continued encryption efforts for PlugX payloads suggest that the group may be conscious of increased detection for their tools and it demonstrates adaptation in response to publications regarding their campaigns,” Proofpoint concludes.

Related: Chinese APT Uses DLL Side-Loading in Attacks on Myanmar

Related: More Details Emerge on Operations, Members of Chinese Group APT41

Related: State-Backed Players Join Pandemic Cyber Crime Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
