A threat actor known as Mustang Panda is believed to have carried out two campaigns aimed at infiltrating Myanmar's Ministry of Defence and Ministry of Foreign Affairs, using backdoors and remote access trojans. The activity took place in November 2023 and January 2024, and artifacts related to both campaigns have been identified.
The researchers highlighted key tactics, techniques, and procedures (TTPs) employed by Mustang Panda, including the abuse of legitimate software, namely a binary from the engineering firm Bernecker & Rainer (B&R) and a component of the Windows 10 upgrade assistant, to sideload malicious dynamic-link libraries (DLLs). Mustang Panda, operational since at least 2012, is also tracked under various aliases within the cybersecurity community.
Recent attacks attributed to Mustang Panda include the targeting of an undisclosed Southeast Asian government and the Philippines, deploying backdoors designed to extract sensitive information. The November 2023 infection sequence began with a phishing email carrying a booby-trapped ZIP archive that contained a legitimate executable and a DLL file, the pair being used for DLL search order hijacking. This enabled the threat actors to establish persistence, communicate with a command-and-control (C2) server, and introduce the PUBLOAD backdoor, eventually leading to the deployment of the PlugX implant.
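The lure described above pairs a signed, legitimate executable with a DLL dropped beside it so that the executable loads the attacker's DLL first. The following is an added triage check, not code from the report or from any vendor: it opens a ZIP attachment offline and flags any directory that holds both a PE executable and a PE DLL, which is the shape a sideloading lure takes. The sample archive is constructed inline with placeholder bytes; the file names are assumptions, not indicators from the campaign.

```python
import io
import zipfile
from pathlib import PurePosixPath

PE_MAGIC = b"MZ"  # DOS header present at the start of every PE file


def find_sideload_candidates(zip_bytes: bytes) -> list[dict]:
    """Return directories inside the archive that contain both an executable
    and a DLL (by PE magic, not just extension), i.e. sideloading candidates."""
    by_dir: dict[str, dict[str, list[str]]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            if head != PE_MAGIC:
                continue  # documents, text files etc. are not PE images
            path = PurePosixPath(info.filename)
            kind = "dlls" if path.suffix.lower() == ".dll" else "executables"
            entry = by_dir.setdefault(str(path.parent), {"executables": [], "dlls": []})
            entry[kind].append(path.name)
    return [
        {"dir": d, "executables": v["executables"], "dlls": v["dlls"]}
        for d, v in by_dir.items()
        if v["executables"] and v["dlls"]
    ]


def build_sample_archive() -> bytes:
    """Constructed lure-shaped archive: a 'legitimate' EXE next to a DLL,
    plus a harmless text file. Contents are placeholders, not real binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Briefing/Viewer.exe", PE_MAGIC + b" placeholder executable")
        zf.writestr("Briefing/support.dll", PE_MAGIC + b" placeholder dll")
        zf.writestr("Briefing/readme.txt", b"plain text, ignored")
        zf.writestr("Docs/agenda.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_sideload_candidates(build_sample_archive()):
        print(f"sideload candidate in '{hit['dir']}': "
              f"{hit['executables']} alongside {hit['dlls']}")
```

A hit is a triage signal for sandbox detonation or analyst review, not proof of malice; installer archives legitimately ship DLLs beside their executables.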
In an attempt to camouflage C2 traffic, the threat actors imitated Microsoft update traffic by manipulating HTTP headers to resemble legitimate update requests. A similar technique was observed in a May 2023 campaign. The second campaign, observed in January 2024, used an optical disc image containing LNK shortcuts, which triggered a multi-stage process employing a bespoke loader named TONESHELL, most likely to deploy the PlugX implant from a C2 server that was inaccessible at the time.
Notably, a similar Mustang Panda attack chain was previously uncovered in February 2023 during intrusions targeting government and public sector organizations across Asia and Europe.
To safeguard against the targeted backdoor attacks orchestrated by Mustang Panda, organizations should prioritize comprehensive cybersecurity measures. Robust email security controls that detect and block phishing attempts, including attachments that carry ISO images or ZIP archives with executables, are crucial. Regularly updating and patching software helps close potential vulnerabilities, while advanced threat detection, such as monitoring for DLL sideloading by otherwise legitimate signed binaries, improves the ability to identify and neutralize sophisticated malware.