
Mustang Panda has been launching a spear phishing campaign that delivers custom malware stored in Google Drive.

According to a report from Trend Micro, state-backed Chinese hackers have been using Google Drive to store malware and deliver it to government networks worldwide. 

The attacks, which occurred between March and October of this year, are thought to be the work of the cyber espionage group Mustang Panda (also tracked as Bronze President and TA416). The group has primarily targeted organisations in Australia, Japan, Taiwan, Myanmar, and the Philippines, specifically government and research organisations.

The Chinese hackers utilised Google accounts to send emails containing lures that misled their targets into downloading bespoke malware through Google Drive links.

The campaign used messages with political subjects aimed at legal and government agencies and organisations. The embedded link leads to a Google Drive or Dropbox folder. Targets have little reason to suspect the process, since both are legitimate and widely trusted storage services.

In early 2022, Proofpoint reported that Mustang Panda had victimised high-ranking diplomats in Europe. The group has also targeted Russian officials, and in March it began operating against Southeast Asia, Southern Europe, and Africa.

The links lead to a page offering compressed archives (RAR, ZIP, JAR) that contain bespoke malware strains such as ToneShell, ToneIns, and PubLoad.

“The email’s subject might be empty or might have the same name as the malicious archive,” stated the report.

Although the hackers employed a variety of malware-loading routines, the process usually involved DLL side-loading once the victim executed an application from the archive. To allay suspicion, a decoy document is displayed in the foreground.

Of the three malware strains, PubLoad is a previously documented stager responsible for persistence, shellcode decryption, and C2 communication.

According to Trend Micro, later versions of PubLoad include more robust anti-analysis techniques and carry a ToneShell installer; ToneShell is the main backdoor employed in the newest campaign. PubLoad uses obfuscation to avoid detection and loads ToneShell while maintaining persistence on the compromised system.

“Rather than add the victims’ addresses to the email’s ‘To’ header, the threat actors used fake emails. Meanwhile, the real victims’ addresses were written in the ‘CC’ header, likely to evade security analysis and slow down investigations,” said Trend Micro.
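As an added example, not taken from Trend Micro's report or this article, the following Python triage heuristic scores a message against the lure traits described above: a consumer Google sender, a Drive/Dropbox link, a RAR/ZIP/JAR archive, an empty or archive-named subject, and the organisation's own users appearing only in CC. The Mail class, the sample addresses and the file names are constructed placeholders, not indicators from the campaign.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the lure characteristics described in the article: consumer Google
# sender, Drive/Dropbox link, RAR/ZIP/JAR archive, empty/archive-named subject, victims in CC.
GOOGLE_SENDER = re.compile(r"@(gmail|googlemail)\.com$", re.IGNORECASE)
CLOUD_LINK = re.compile(r"https?://(?:drive\.google\.com|(?:www\.)?dropbox\.com)/\S+", re.IGNORECASE)
ARCHIVE_NAME = re.compile(r"([\w\-.]+?)\.(?:rar|zip|jar)\b", re.IGNORECASE)

@dataclass
class Mail:
    sender: str
    to: list
    cc: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)

def score_lure(mail: Mail, own_domain: str) -> list:
    """Return the indicators matched by one message; an empty list means nothing matched."""
    hits = []
    if GOOGLE_SENDER.search(mail.sender):
        hits.append("sender is a consumer Google account")
    if CLOUD_LINK.search(mail.body):
        hits.append("body links to Google Drive/Dropbox")
    # Archive names mentioned in the body or attached directly
    names = [m.group(1) for m in ARCHIVE_NAME.finditer(mail.body)]
    names += [m.group(1) for m in map(ARCHIVE_NAME.search, mail.attachments) if m]
    if names:
        hits.append("references a RAR/ZIP/JAR archive")
    subject = mail.subject.strip()
    stem = re.sub(r"\.(rar|zip|jar)$", "", subject, flags=re.IGNORECASE).lower()
    if not subject:
        hits.append("empty subject")
    elif stem in {n.lower() for n in names}:
        hits.append("subject equals archive name")
    # The report notes victims were placed in CC while To held a fake address
    suffix = "@" + own_domain.lower()
    own_in_to = any(a.lower().endswith(suffix) for a in mail.to)
    own_in_cc = any(a.lower().endswith(suffix) for a in mail.cc)
    if own_in_cc and not own_in_to:
        hits.append("own users appear only in CC")
    return hits

# Constructed samples; addresses and file names are placeholders, not real indicators
LURE_SAMPLE = Mail("constructed.lure@gmail.com", ["decoy.recipient@example.net"],
                   ["analyst@agency.example"], "Meeting_Agenda.rar",
                   "Please review Meeting_Agenda.rar at https://drive.google.com/file/d/CONSTRUCTED/view")
BENIGN_SAMPLE = Mail("colleague@agency.example", ["analyst@agency.example"], [], "Lunch", "See you at noon.")
```

Run `score_lure(LURE_SAMPLE, "agency.example")` to see all five indicators fire, while the benign sample returns an empty list; a mail gateway rule would alert on two or more hits rather than any single one.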

ToneShell is a standalone backdoor that is loaded directly into memory and obfuscates its code flow through custom exception handlers. It communicates with a C2 server and transmits victim ID information.

It then waits for a fresh set of instructions, which may involve uploading, downloading, and executing files. Other commands enable the creation of shells, modification of the sleep configuration, and other functions.
