If you knew only two things about China's state-sponsored advanced persistent threat (APT) Mustang Panda (aka TA416, Bronze President, Stately Taurus), they would probably be, first, that it frequently shifts its tactics, techniques, and procedures (TTPs), and second, that its focus is solely on geopolitical espionage.
But Mustang Panda seems to have diverged from that target and has trained its sights on India's banking sector.
Square that with its newest discovered campaign, which employs no interesting TTPs and, though partly focused on American and Korean public policy circles, is aimed largely at financial organizations in India. Despite the differences, researchers at Acronis believe this string of activity belongs to Mustang Panda, thanks to shared code, operational patterns, and more.
Mustang Panda's Attack Chain
The spear-phishing Mustang Panda has been performing ranges from halfway convincing to totally uninspired. Messages sent to targets in India seem to be disguised as basic IT help desk issues, though the researchers lacked any window into whatever email or text messages victims might have received.
While investigating the attacks in India, the researchers also found that the threat actor was running a Google account impersonating the American political scientist Victor Cha. Cha, formerly the director for Asian affairs at the National Security Council (NSC) during the George W. Bush administration, remains a highly influential figure on North Korea and South Korea, and on Indo-Pacific security more generally. The threat actors used a headshot of Cha and a generically faked email address — [email protected] — to target individuals involved in the US-Korea diplomatic community and policy circles.
By one means or another, in India, Korea, or the US, victims were prompted to open a malicious file. Viewing the file triggered a stereotypically Chinese dynamic link library (DLL) sideloading attack. After persistence was established via the Windows Registry, victims were rewarded with a variant of LotusLite, a backdoor built and maintained by this particular threat cluster within Mustang Panda, which it uses to establish shells, access files, and perform other remote operations for espionage.
This latest variant of LotusLite featured only minor edits intended to make it slightly harder for cybersecurity detection tools to flag, nothing more. It was also superficially disguised to mimic legitimate banking software in the region where many of its targets were based. In a pop-up window message and an internal code function, the program used the name "HDFC Bank," referring to the largest private bank in the largest country in the world. It appears that the Korean and American targets of this campaign also received the ostensibly India-oriented malware.