Mustang Panda

Mustang Panda is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. Mustang Panda has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Europe, Mongolia, Myanmar, Pakistan, and Vietnam, among others.[1][2][3]

ID: G0129
Associated Groups: TA416, RedDelta, BRONZE PRESIDENT
Contributors: Kyaw Pyiyt Htet, @KyawPyiytHtet
Version: 2.0
Created: 12 April 2021
Last Modified: 11 April 2022

Associated Group Descriptions

Name Description
TA416

[4]

RedDelta

[5][6]

BRONZE PRESIDENT

[3]

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

Mustang Panda have acquired C2 domains prior to operations.[3][5][7]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Mustang Panda has communicated with its C2 via HTTP POST requests.[2][3][5][7]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Mustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration.[3][8]

.003 Archive Collected Data: Archive via Custom Method

Mustang Panda has encrypted documents with RC4 prior to exfiltration.[8]

Enterprise T1119 Automated Collection

Mustang Panda used custom batch scripts to collect files automatically from a targeted system.[3]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Mustang Panda has created the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobelmdyU to maintain persistence.[4]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Mustang Panda has used malicious PowerShell scripts to enable execution.[1][2]

.003 Command and Scripting Interpreter: Windows Command Shell

Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection.[2][8]

.005 Command and Scripting Interpreter: Visual Basic

Mustang Panda has embedded VBScript components in LNK files to download additional files and automate collection.[1][2][3]

Enterprise T1074 .001 Data Staged: Local Data Staging

Mustang Panda has stored collected credential files in c:\windows\temp prior to exfiltration. Mustang Panda has also stored documents for exfiltration in a hidden folder on USB drives.[3][8]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Mustang Panda has encrypted C2 communications with RC4.[5]

Enterprise T1585 .002 Establish Accounts: Email Accounts

Mustang Panda has leveraged the legitimate email marketing service SMTP2Go for phishing campaigns.[6]

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Mustang Panda's custom ORat tool uses a WMI event consumer to maintain persistence.[3]

Enterprise T1052 .001 Exfiltration Over Physical Medium: Exfiltration over USB

Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks.[8]

Enterprise T1203 Exploitation for Client Execution

Mustang Panda has exploited CVE-2017-0199 in Microsoft Word to execute code.[1]

Enterprise T1083 File and Directory Discovery

Mustang Panda has searched the entire target system for DOC, DOCX, PPT, PPTX, XLS, XLSX, and PDF files.[8]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Mustang Panda's PlugX variant has created a hidden folder on USB drives named RECYCLE.BIN to store malicious executables and collected data.[8]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file.[2][5][4]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Mustang Panda will delete their tools and files, and kill processes after their objectives are reached.[3]

Enterprise T1105 Ingress Tool Transfer

Mustang Panda has downloaded additional executables following the initial infection stage.[5]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Mustang Panda has used names like adobeupdate.dat and PotPlayerDB.dat to disguise PlugX, and a file named OneDrive.exe to load a Cobalt Strike payload.[5]

.007 Masquerading: Double File Extension

Mustang Panda has used an additional filename extension to hide the true file type.[1][2]

Enterprise T1027 Obfuscated Files or Information

Mustang Panda has delivered initial payloads hidden using archives and encoding measures.[1][2][3][5][4][6]

.001 Binary Padding

Mustang Panda has used junk code within their DLL files to hinder analysis.[8]

Enterprise T1003 .003 OS Credential Dumping: NTDS

Mustang Panda has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file. Mustang Panda has also used reg save on the SYSTEM file Registry location to help extract the NTDS.dit file.[3]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Mustang Panda has used spearphishing attachments to deliver initial access payloads.[5][4][9]

.002 Phishing: Spearphishing Link

Mustang Panda has delivered web bugs and malicious links to their intended targets.[7][6]

Enterprise T1057 Process Discovery

Mustang Panda has used tasklist /v to determine active process information.[8]

Enterprise T1219 Remote Access Software

Mustang Panda has installed TeamViewer on targeted systems.[3]

Enterprise T1091 Replication Through Removable Media

Mustang Panda has used a customized PlugX variant which could spread through USB connections.[8]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Mustang Panda has created a scheduled task to execute additional malicious software, as well as maintain persistence.[2][3][7]

Enterprise T1518 Software Discovery

Mustang Panda has searched the victim system for the InstallUtil.exe program and its version.[2]

Enterprise T1608 Stage Capabilities

Mustang Panda has used servers under their control to validate tracking pixels sent to phishing victims.[6]

.001 Upload Malware

Mustang Panda has hosted malicious payloads on DropBox including PlugX.[6]

Enterprise T1218 .004 System Binary Proxy Execution: InstallUtil

Mustang Panda has used InstallUtil.exe to execute a malicious Beacon stager.[2]

.005 System Binary Proxy Execution: Mshta

Mustang Panda has used mshta.exe to launch collection scripts.[3]

Enterprise T1082 System Information Discovery

Mustang Panda has gathered system information using systeminfo.[8]

Enterprise T1016 System Network Configuration Discovery

Mustang Panda has used ipconfig and arp to determine network configuration information.[8]

Enterprise T1049 System Network Connections Discovery

Mustang Panda has used netstat -ano to determine network connection information.[8]

Enterprise T1204 .001 User Execution: Malicious Link

Mustang Panda has sent malicious links including links directing victims to a Google Drive folder.[1][7][6]

.002 User Execution: Malicious File

Mustang Panda has sent malicious files requiring direct victim interaction to execute.[1][2][8][5][9][6]

Enterprise T1102 Web Service

Mustang Panda has used DropBox URLs to deliver variants of PlugX.[6]

Enterprise T1047 Windows Management Instrumentation

Mustang Panda has executed PowerShell scripts via WMI.[2][3]

Software

ID Name References Techniques
S0154 Cobalt Strike [1][2][3][5][7] Abuse Elevation Control Mechanism: Bypass User Account Control, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Access Token Manipulation: Make and Impersonate Token, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Account Discovery: Domain Account, Application Layer Protocol, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Multiband Communication, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Windows Remote Management, Remote Services: Remote Desktop Protocol, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote Services: SSH, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation
S0590 NBTscan [3] Network Service Discovery, Network Sniffing, Remote System Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0013 PlugX [1][2][3][8][5][6] Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: DLL Side-Loading, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Modify Registry, Multiband Communication, Native API, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information, Process Discovery, Query Registry, Screen Capture, System Network Connections Discovery, Trusted Developer Utilities Proxy Execution: MSBuild, Virtualization/Sandbox Evasion: System Checks, Web Service: Dead Drop Resolver
S0012 PoisonIvy [1][5] Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Active Setup, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit
S0662 RCSession [3] Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Encrypted Channel, Hijack Execution Flow: DLL Side-Loading, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading, Modify Registry, Native API, Non-Application Layer Protocol, Obfuscated Files or Information, Process Discovery, Process Injection: Process Hollowing, Screen Capture, System Binary Proxy Execution: Msiexec, System Information Discovery, System Owner/User Discovery

References