
Chinese Mustang Panda hackers deploy infostealers via CoolClient backdoor


The Chinese espionage threat group Mustang Panda has updated its CoolClient backdoor to a new variant that can steal login data from browsers and monitor the clipboard.

According to Kaspersky researchers, the malware has also been used to deploy a previously unseen rootkit; a technical analysis of that rootkit will be provided in a future report.

CoolClient has been associated with Mustang Panda since 2022, deployed as a secondary backdoor alongside PlugX and LuminousMoth.

The updated malware version has been observed in attacks targeting government entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan, and was deployed via legitimate software from Sangfor, a Chinese company specializing in cybersecurity, cloud computing, and IT infrastructure products.

Previously, CoolClient operators launched the malware via DLL side-loading by abusing signed binaries from Bitdefender, VLC Media Player, and Ulead PhotoImpact.

Kaspersky researchers say that the CoolClient backdoor gathers details about the compromised system and its users, such as the computer name, operating system version, RAM, network information, and the descriptions and versions of loaded driver modules.

CoolClient uses encrypted .DAT files in a multi-stage execution and achieves persistence via Registry modifications, the addition of new Windows services, and scheduled tasks. It also supports UAC bypassing and privilege escalation.
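The three persistence mechanisms named above (Registry modifications, new Windows services, scheduled tasks) and the use of .DAT stage files are the kind of telemetry a defender can triage automatically. The script below is an added example, not code from the article or from Kaspersky: it runs a coarse heuristic over constructed Sysmon/Security-log style event records (Sysmon event 13 for Registry value writes, System event 7045 for service installs, Security event 4698 for task creation) and flags autostart entries whose image lives outside the usual program directories or whose command line references a .dat file. All paths, names and event contents are constructed placeholders, not indicators from the report.

```python
"""Triage constructed Windows event records for the persistence mechanisms
the article attributes to CoolClient: Run-key entries, service installs and
scheduled tasks. Sample data and every path/name below are constructed
placeholders, not indicators from Kaspersky's report.
"""
import re
from dataclasses import dataclass, field

# Directories where a legitimate autostart image is normally expected.
# Anything else is treated as worth a look (coarse heuristic, tune per estate).
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Registry value paths that make a Sysmon event 13 write an autostart entry.
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\[^\\]+$", re.I)
# Leading (optionally quoted) executable path of a command line.
EXE_RE = re.compile(r'^\s*"?([^"]+?\.(?:exe|dll))"?', re.I)
# Any argument that names a .dat file (the article notes encrypted .DAT stages).
DAT_ARG_RE = re.compile(r"\S+\.dat\b", re.I)


@dataclass
class Finding:
    mechanism: str
    name: str
    command: str
    reasons: list[str] = field(default_factory=list)


def _suspicious(command: str) -> list[str]:
    """Return the list of heuristic reasons a command line looks suspicious."""
    reasons = []
    match = EXE_RE.match(command)
    image = match.group(1) if match else command.strip()
    if not image.lower().startswith(TRUSTED_DIRS):
        reasons.append(f"image outside trusted directories: {image}")
    if DAT_ARG_RE.search(command):
        reasons.append("command line references a .dat payload file")
    return reasons


def triage(events: list[dict]) -> list[Finding]:
    """Map each persistence-related event to (mechanism, name, command) and
    keep only those for which _suspicious() returns at least one reason."""
    findings = []
    for ev in events:
        eid = ev["event_id"]
        if eid == 13 and RUN_KEY_RE.search(ev["target_object"]):
            mech = "registry_run_key"
            name = ev["target_object"].rsplit("\\", 1)[-1]
            cmd = ev["details"]
        elif eid == 7045:
            mech, name, cmd = "service_install", ev["service_name"], ev["image_path"]
        elif eid == 4698:
            mech, name, cmd = "scheduled_task", ev["task_name"], ev["command"]
        else:
            continue  # not a persistence event we model
        reasons = _suspicious(cmd)
        if reasons:
            findings.append(Finding(mech, name, cmd, reasons))
    return findings


# Constructed sample telemetry: two benign entries, three suspicious ones, one ignored.
SAMPLE_EVENTS = [
    {"event_id": 13,
     "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdate",
     "details": "C:\\Program Files\\ExampleVendor\\update.exe /quiet"},
    {"event_id": 13,
     "target_object": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SysHelper",
     "details": "C:\\Users\\Public\\Libraries\\loader.exe main.dat"},
    {"event_id": 7045, "service_name": "ExampleSvc",
     "image_path": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"event_id": 7045, "service_name": "NetSvcHelper",
     "image_path": "C:\\ProgramData\\svchelper\\host.exe"},
    {"event_id": 4698, "task_name": "\\Microsoft\\Windows\\Maintenance\\Updater",
     "command": '"C:\\Users\\Public\\upd.exe" --load stage2.dat'},
    {"event_id": 1, "image": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.mechanism}] {f.name}: {f.command}")
        for r in f.reasons:
            print("    -", r)
```

On real telemetry the trusted-directory list and the .dat check would be tuned to the environment, and a hit is a lead for review rather than a verdict; the value of the approach is that all three mechanisms the article lists collapse into one (name, command line) shape that a single heuristic can score.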

[Figure: CoolClient's execution flow. Source: Kaspersky]

CoolClient's core features are integrated in a DLL embedded in a file called main.dat. "When launched, it first checks whether the keylogger, clipboard stealer, and HTTP proxy credential sniffer are enabled," the researchers say.
