The China-linked threat actor known as Mustang Panda has been attributed to a cyber attack targeting an unspecified organization in Myanmar using previously unreported tooling, highlighting the group's continued effort to increase the sophistication and effectiveness of its malware.
These include updated versions of a known backdoor called TONESHELL, a new lateral movement tool called StarProxy, two keyloggers, and an EDR evasion driver referred to as SplatCloak.
"TONESHELL, a backdoor used by Mustang Panda, has been updated with changes to its FakeTLS command-and-control (C2) communication protocol, as well as to its client identifier creation and storage methods," Zscaler ThreatLabz researcher Singh said in a two-part analysis.
Mustang Panda, also known as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, and RedDelta, is a Chinese state-sponsored threat actor that has been active since at least 2012.
Known for its attacks on governments, military entities, minorities, and non-governmental organizations (NGOs), primarily in East Asian countries and to a lesser extent in Europe, the group has a history of using DLL side-loading techniques to deliver its malware.
However, since late 2022, campaigns orchestrated by Mustang Panda have also delivered TONESHELL, which is designed to load next-stage payloads.
Zscaler said it discovered three new variants of the malware that come with varying levels of sophistication:
- Variant 1, which acts as a simple reverse shell
- Variant 2, which includes functionality to download DLLs from the C2 server and execute them by injecting the DLLs into legitimate processes (e.g., svchost.exe)
- Variant 3, which includes functionality to download files and create sub-processes to execute commands received from the remote server via a custom TCP-based protocol
The new piece of malware linked to Mustang Panda is StarProxy, which is launched via DLL side-loading and is designed to use the FakeTLS protocol to proxy traffic and facilitate attacker communications.
"Once active, StarProxy allows attackers to proxy traffic between infected devices and their C2 servers. StarProxy achieves this by using TCP sockets to communicate with the C2 server via the FakeTLS protocol, encrypting all exchanged data with a custom XOR-based algorithm," Zscaler said.
"Additionally, the tool uses command-line arguments to specify the IP address and port for communication, allowing attackers to relay data through compromised machines."
[Image: StarProxy activity]
StarProxy is believed to be deployed as a post-compromise tool to reach internal workstations on the network that are not directly exposed to the internet.
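The FakeTLS protocol mentioned above wraps C2 traffic in a TLS-looking envelope so that it blends in with ordinary encrypted sessions. As an added, defender-side illustration (not code from Zscaler or from the article, and not a reproduction of StarProxy's or TONESHELL's actual protocol), the following Python sketch shows the kind of sanity check a network sensor can apply to the first record of a client stream: a genuine TLS client sends a structurally consistent ClientHello, whereas a stream that merely wears a TLS record header carries opaque bytes that fail the structural walk. The sample records are constructed for the example.

```python
"""
Heuristic check for TLS-lookalike ("FakeTLS") client streams.

Constructed example: the classifier parses the first TLS record of a stream
and walks the ClientHello fields (RFC 5246 / RFC 8446 framing) to see whether
the lengths are internally consistent. A stream with a handshake record header
but an inconsistent body is reported as "fake-tls". This is a generic heuristic,
not the real protocol used by the malware discussed in the article.
"""
import struct

TLS_HANDSHAKE = 0x16          # record content type: handshake
CLIENT_HELLO = 0x01           # handshake message type: ClientHello
TLS_VERSIONS = {0x0301, 0x0302, 0x0303, 0x0304}


def classify_first_record(data: bytes) -> str:
    """Return 'tls-like', 'fake-tls' or 'not-tls' for the first bytes a client sent."""
    if len(data) < 5:
        return "not-tls"
    content_type, version, length = struct.unpack("!BHH", data[:5])
    if content_type != TLS_HANDSHAKE or version not in TLS_VERSIONS:
        return "not-tls"
    body = data[5:5 + length]
    # handshake header (4) + client_version (2) + random (32) + session_id length (1)
    if len(body) < 39:
        return "fake-tls"
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != CLIENT_HELLO or hs_len != len(body) - 4:
        return "fake-tls"
    if int.from_bytes(body[4:6], "big") not in TLS_VERSIONS:
        return "fake-tls"
    pos = 6 + 32                                  # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                            # session id (may be empty)
    if pos + 2 > len(body):
        return "fake-tls"
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2 + cs_len                             # cipher suites, 2 bytes each
    if cs_len == 0 or cs_len % 2 or pos + 1 > len(body):
        return "fake-tls"
    comp_len = body[pos]
    pos += 1 + comp_len                           # compression methods, at least one
    if comp_len == 0 or pos > len(body):
        return "fake-tls"
    return "tls-like"                             # extensions (SNI, ALPN, ...) may follow


def build_client_hello(random32: bytes = b"\x11" * 32) -> bytes:
    """Constructed minimal ClientHello: two cipher suites, null compression, no extensions."""
    body = b"\x03\x03" + random32 + b"\x00"       # client_version, random, empty session id
    body += b"\x00\x04" + b"\x13\x01\x13\x02"     # cipher_suites length + two suites
    body += b"\x01\x00"                           # compression_methods length + null
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(hs)) + hs


def build_fake_tls(payload: bytes) -> bytes:
    """Constructed lookalike: a record header claiming 'TLS handshake' around opaque bytes."""
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(payload)) + payload


if __name__ == "__main__":
    samples = {
        "real client hello": build_client_hello(),
        "opaque body under TLS header": build_fake_tls(bytes(range(0x80, 0xA8))),
        "plain HTTP": b"GET / HTTP/1.1\r\n",
    }
    for name, first_bytes in samples.items():
        print(f"{name:32s} -> {classify_first_record(first_bytes)}")
```

In practice a sensor would apply this only to streams whose record header passes the first test, and would treat "fake-tls" as a triage signal rather than a verdict, since broken middleboxes and non-TLS protocols on port 443 also trip it.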
Also identified are two new keyloggers, PAKLOG and CorKLOG, that are used to monitor keystrokes and clipboard data. The main difference between them is that the latter stores the captured data in an encrypted file using a 48-character RC4 key and implements persistence mechanisms by creating services or scheduled tasks.
Both keyloggers lack their own exfiltration capabilities, meaning they exist solely to capture keystrokes and write them to a specific location, and that the threat actor uses other methods to transfer the data to its infrastructure.
Rounding off the new additions to Mustang Panda's arsenal is SplatCloak, a Windows kernel driver deployed by SplatDropper that is equipped to disable EDR-related routines implemented by Windows Defender and Kaspersky, allowing it to fly under the radar.
"Mustang Panda demonstrates a calculated approach to achieving its objectives," Singh said. "Continuous updates, new tools, and layered obfuscation prolong the group's operational security and improve the efficacy of its attacks."
UNC5221 Deploys New Windows Versions of BRICKSTORM
The disclosure comes as a China-nexus cyber espionage cluster tracked as UNC5221 has been linked to the use of new Windows versions of the BRICKSTORM malware in European environments since at least 2022, according to Belgian cybersecurity firm NVISO.
BRICKSTORM, first documented last year following the exploitation of zero-day vulnerabilities in Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887) against the MITRE Corporation, is a Go backdoor deployed on Linux servers running VMware vCenter.
"It supports the ability to set itself up as a web server, perform file system and directory manipulation, and perform file operations," an April 2024 report noted. "BRICKSTORM communicates over WebSockets to a hard-coded C2."
The newly identified Windows artifacts, also written in Go, provide the attackers with file manager and network tunneling capabilities, allowing them to browse the file system, create or delete files, and tunnel connections for lateral movement.
They also resolve the C2 servers via DNS-over-HTTPS (DoH) and are designed to evade network-level defenses such as DNS monitoring, TLS inspection, and geolocation.
"The Windows samples (..) are not equipped with command execution capabilities," NVISO said. "Instead, the adversaries were observed using the network tunneling capabilities in combination with valid accounts to abuse well-known protocols such as RDP or SMB, thereby achieving similar command execution."
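Resolving C2 over DNS-over-HTTPS, as described above, sidesteps monitoring of classic UDP/53 DNS, but the DoH request itself is still an HTTP request, and where endpoints reach the internet through an explicit web proxy it lands in the proxy log. As an added example (not NVISO's code and unrelated to BRICKSTORM's actual implementation), the Python below runs over constructed proxy log lines and flags likely DoH use on three public indicators: a known public resolver hostname, the RFC 8484 `/dns-query` path and `dns=` GET parameter, and the `application/dns-message` media type. The log format, the resolver list and the client addresses are all constructed for the example.

```python
"""
Flag likely DNS-over-HTTPS (DoH) requests in web-proxy logs.

Constructed example: the log format, the sample lines and the resolver list are
made up for illustration. The indicators themselves come from RFC 8484 (the
/dns-query path, the 'dns' GET parameter, the application/dns-message media type).
"""
import re
from urllib.parse import parse_qs, urlsplit

# Illustrative list of public DoH resolvers; a real deployment would use a maintained feed.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}
DOH_PATH = "/dns-query"
DOH_MEDIA_TYPE = "application/dns-message"

# Constructed log format: <timestamp> <client-ip> <method> <url> <status> "<response content-type>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ctype>[^"]*)"$'
)


def doh_reasons(method: str, url: str, ctype: str) -> list:
    """Return the indicators that make one request look like DNS-over-HTTPS (empty if none)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if host in KNOWN_DOH_HOSTS:
        reasons.append("known-doh-resolver")
    if parts.path == DOH_PATH:
        reasons.append("dns-query-path")
    if ctype.split(";")[0].strip().lower() == DOH_MEDIA_TYPE:
        reasons.append("dns-message-media-type")
    # RFC 8484 GET form carries the base64url-encoded DNS message in a 'dns' query parameter
    if method == "GET" and "dns" in parse_qs(parts.query):
        reasons.append("dns-query-parameter")
    return reasons


def find_doh(lines) -> list:
    """Scan proxy log lines and return one hit per request that shows any DoH indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:                       # malformed lines are skipped, not guessed at
            continue
        reasons = doh_reasons(m["method"], m["url"], m["ctype"])
        if reasons:
            hits.append({"ts": m["ts"], "src": m["src"], "url": m["url"], "reasons": reasons})
    return hits


# Constructed sample log: one ordinary page load, three DoH lookups (one to an
# unlisted resolver that is caught by path and media type alone), one malformed line.
SAMPLE_LOG = [
    '2025-04-01T10:00:00Z 10.0.0.5 GET https://www.example.com/index.html 200 "text/html; charset=utf-8"',
    '2025-04-01T10:00:01Z 10.0.0.5 POST https://dns.google/dns-query 200 "application/dns-message"',
    '2025-04-01T10:00:02Z 10.0.0.7 GET https://doh.internal.example/dns-query?dns=AAABAAABAAAAAAAAB2V4YW1wbGUDY29tAAABAAE 200 "application/dns-message"',
    '2025-04-01T10:00:03Z 10.0.0.9 POST https://cloudflare-dns.com/dns-query 200 "application/dns-message"',
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for hit in find_doh(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} {hit["url"]} <- {", ".join(hit["reasons"])}')
```

Browsers and some operating systems use DoH legitimately, so these hits are triage input, not a block list: the useful follow-up is to baseline which clients normally talk to which resolvers and alert on new client/resolver pairs. Where clients are not forced through a proxy, the proxy log never sees the request, and the remaining handle is the TLS SNI or destination of direct connections to resolver hosts.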