Chinese APT Using Google Drive, Dropbox to Drop Malware
Evolved Mustang Panda Malware Targets Government, Education, Other Sectors Globally
China-based advanced persistent threat actor Mustang Panda has launched a new wave of spear-phishing attacks on global government, educational and scientific sectors.
Cybersecurity firm Trend Micro observed the group, which it tracks as Earth Preta and which is also known as Mustang Panda and Bronze President, using fake Google accounts to distribute malware stored in archive files and delivered through links to Google Drive. The main targets hit so far are organizations in Myanmar, Australia, the Philippines, Japan and Taiwan.
Mustang Panda attacks date back to 2012 and are typically related to cyberespionage, but the group has evolved to focus its spear-phishing attacks on a wider range of organizations. Using new tactics, Earth Preta operators lure users into downloading and triggering bespoke malware such as TONEINS, TONESHELL and PUBLOAD. They also use code obfuscation and custom exception handlers to avoid detection.
PUBLOAD, stager malware that can download the next-stage payload from its command-and-control server, was first discovered by researchers at Cisco Talos in May 2022.
PUBLOAD is capable of creating a directory on the victim's machine where it drops all the malware, including a malicious DLL and a legitimate executable. It then tries to establish persistence.
The latest findings show that the same individuals sending the spear-phishing emails own the Google Drive links.
Analysis of sample decoy documents indicates the attackers conducted research from "prior breaches on the target organizations that allowed for familiarity, as indicated in the abbreviation of names from previously compromised accounts."
Initial Attack Vector
Researchers found that decoy documents used in the campaign are written in Burmese and most of the topics concerned controversial issues between countries, containing words such as "Secret" or "Confidential." Attackers also lure individuals with subject headings pertaining to pornographic materials.
"Once the group has infiltrated a targeted victim's systems, the sensitive documents stolen can be abused as the entry vectors for the next wave of intrusions. This strategy largely broadens the affected scope in the region involved," the researchers say. The group's primary target appears to be countries in the Asia-Pacific region.
"The victimology covers a broad range of organizations and verticals worldwide, with a higher concentration in the Asia-Pacific region. Apart from the government offices with collaborative work in Myanmar, subsequent victims included the education and research industries," they add.
Apart from using Google Drive, threat actors also used Dropbox links or other IP addresses hosting the files. The researchers said the archives collected had legitimate executables, as well as the side-loaded DLL, but the names of the archives and the decoy documents vary in each case.
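A defender-side triage check for the archive layout described above (a legitimate executable sitting next to a DLL, plus a decoy document), added here as an example; it is not Trend Micro's or the article's code, it assumes ZIP archives, and the sample archive it builds is constructed with dummy bytes rather than real samples.

```python
import io
import zipfile
from collections import defaultdict
from pathlib import PurePosixPath

EXECUTABLE = {".exe"}
LIBRARY = {".dll"}
DECOY = {".doc", ".docx", ".pdf", ".rtf"}


def sideload_candidates(member_names):
    """Return (exe, dll) pairs that share a directory inside the archive.

    A signed or otherwise legitimate EXE shipped alongside a DLL is the
    DLL side-loading layout the article describes, so it is worth flagging
    for analyst review even before the binaries themselves are inspected.
    """
    by_dir = defaultdict(list)
    for name in member_names:
        if name.endswith("/"):          # skip directory entries
            continue
        path = PurePosixPath(name)
        by_dir[str(path.parent)].append(path)
    hits = []
    for files in by_dir.values():
        exes = [f for f in files if f.suffix.lower() in EXECUTABLE]
        dlls = [f for f in files if f.suffix.lower() in LIBRARY]
        hits.extend((str(e), str(d)) for e in exes for d in dlls)
    return hits


def triage_archive(data: bytes) -> dict:
    """Summarise an in-memory ZIP: side-load pairs, decoy docs, verdict."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    pairs = sideload_candidates(names)
    decoys = [n for n in names if PurePosixPath(n).suffix.lower() in DECOY]
    return {"members": names, "sideload_pairs": pairs,
            "decoys": decoys, "suspicious": bool(pairs)}


def build_sample_archive() -> bytes:
    """Constructed sample mimicking the layout: decoy doc, EXE and DLL together."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Report/Report.docx", b"decoy document placeholder")
        zf.writestr("Report/_/viewer.exe", b"MZ placeholder, not a real binary")
        zf.writestr("Report/_/helper.dll", b"MZ placeholder, not a real binary")
    return buf.getvalue()
```

The check is a first-pass filter only; a flagged pair still needs the EXE's signature and the DLL's import/export table examined to confirm side-loading.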