Chinese Threat Actor ‘Mustang Panda’ Updates Tools in Attacks on Vatican

A Chinese threat actor tracked as Mustang Panda was observed using an updated arsenal of tools in recent attacks, Proofpoint’s security researchers revealed on Monday.

Also referred to as TA416 and RedDelta, the threat group is known for the targeting of entities connected to the diplomatic relations between the Vatican and the Chinese Communist Party, along with entities in Myanmar, and the new campaign appears to be a continuation of that activity.

Some of the observed toolset updates, Proofpoint says, include the use of a new Golang variant of the PlugX malware loader, in addition to the constant use of PlugX. While attribution remains fairly simple, automatic detection is more difficult.

“This may represent efforts by the group to continue their pursuit of espionage objectives while maintaining an embattled toolset and staying out of the daily Twitter conversation popular amongst threat researchers,” Proofpoint notes.

Phishing lures used in recent attacks show a focus on the relations between the Vatican and the Chinese Communist Party, as well as spoofed emails imitating journalists from the Union of Catholic Asia News.

As part of the attacks, the hackers used RAR archives that serve as PlugX malware droppers, yet the delivery vector for these archives hasn’t been identified yet. However, the group is known to abuse Google Drive and Dropbox URLs within phishing emails.

The RAR archives used in this campaign include, among others, the encrypted PlugX payload, a legitimate Adobe executable for side loading, and a Golang binary to decrypt and load the payload.

According to Proofpoint, this is the first time the adversary has used a Golang binary in their attacks. The file has a compilation date of June 24, 2020, but the variant appears to have been used only since August 24.

Although it features a new file type, the PlugX loader hasn’t changed its functionality: it will execute PlugX and also ensure its persistence. The malware variant used in these attacks remains consistent when compared to previously observed versions, as does the command and control (C&C) communication in these PlugX samples.

The C&C IP, Proofpoint says, was hosted by the Chinese Internet Service Provider Anchnet Asia Limited and was in use as a C&C at least between August 24 and September 28, 2020. Since the IP is no longer in use, the threat actor is believed to have worked on overhauling its infrastructure.

“Continued activity by TA416 demonstrates a persistent adversary making incremental changes to documented toolsets so that they can remain effective in carrying out espionage campaigns against global targets. The introduction of a Golang PlugX loader alongside continued encryption efforts for PlugX payloads suggest that the group may be conscious of increased detection for their tools and it demonstrates adaptation in response to publications regarding their campaigns,” Proofpoint concludes.

Related: Chinese APT Uses DLL Side-Loading in Attacks on Myanmar

Related: More Details Emerge on Operations, Members of Chinese Group APT41

Related: State-Backed Players Join Pandemic Cyber Crime Attacks