Chinese Hackers Using Russo-Ukrainian War Decoys to Target APAC and European Entities
Dec 07, 2022 | Ravie Lakshmanan | Spear Phishing / Cyber Espionage
The China-linked nation-state hacking group known as Mustang Panda is using lures tied to the ongoing Russo-Ukrainian war to attack entities in Europe and the Asia Pacific.

That's according to the BlackBerry Research and Intelligence Team, which analyzed a RAR archive file titled "Political Guidance for the new EU approach towards Russia.rar." Some of the targeted countries include Vietnam, India, Pakistan, Kenya, Turkey, Italy, and Brazil.

Mustang Panda is a prolific cyber-espionage group from China that is also tracked under the names Bronze President, Earth Preta, HoneyMyte, RedDelta, and Red Lich.

It's believed to have been active since at least July 2018, per Secureworks' threat profile, although there are indications that the threat actor has been targeting entities worldwide since as early as 2012.

Mustang Panda is known to rely heavily on weaponized attachments sent via phishing emails to achieve initial infection, with the intrusions ultimately leading to the deployment of the PlugX remote access trojan.

However, recent spear-phishing attacks by the group against government, education, and research sectors in the Asia Pacific region have involved custom malware such as PUBLOAD, TONEINS, and TONESHELL, suggesting an expansion of its malware arsenal.

The latest findings from BlackBerry show that the core infection process has remained more or less the same, even as Mustang Panda continues to exploit geopolitical events to its advantage, echoing prior reports from Google and Proofpoint.

Contained within the decoy archive is a shortcut to a Microsoft Word file, which leverages DLL side-loading – a technique that was also employed in attacks aimed at Myanmar earlier this year – to kick off the execution of PlugX in memory before displaying the document's contents.

"Their attack chain remains consistent with the continued use of archive files, shortcut files, malicious loaders, and the use of the PlugX malware, although their delivery setup is usually customized per region/country to lure victims into executing their payloads in the hope of establishing persistence with the intent of espionage," BlackBerry's Dmitry Bestuzhev told The Hacker News.
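The archive layout described above (a shortcut posing as a document, a loader executable with the DLL it side-loads, and a companion payload file) is something a defender can triage from an archive listing before anything is extracted. The script below is an added example, not code from the article or from BlackBerry's report; the member names in it are constructed, and the three heuristics are the author's own reading of the chain, not BlackBerry's detection logic.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# Document extensions a shortcut is commonly disguised as (double extension).
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf"}

# Constructed listing in the shape the article describes: a .lnk posing as a
# Word file next to a loader EXE, the DLL it side-loads, and a data blob.
# Every name here is invented for the example, not taken from the report.
SAMPLE_MEMBERS = [
    "Political Guidance for the new EU approach towards Russia.docx.lnk",
    "_/_/helper.exe",
    "_/_/helper.dll",
    "_/_/helper.dat",
]


def _stems(files, ext):
    """Base names of files in one directory carrying the given extension."""
    return {p.stem.lower() for p in files if p.suffix.lower() == ext}


def triage_archive_listing(members):
    """Return (hits, findings): hits is the set of heuristics that fired,
    findings lists each match with the member or directory that caused it."""
    hits, findings = set(), []
    by_dir = defaultdict(list)
    for name in members:
        p = PurePosixPath(name)
        by_dir[str(p.parent)].append(p)
        sfx = [s.lower() for s in p.suffixes]
        # 1. A Windows shortcut inside an archive; a document extension in
        #    front of .lnk (".docx.lnk") marks it as masquerading.
        if sfx and sfx[-1] == ".lnk":
            hits.add("shortcut")
            masq = len(sfx) > 1 and sfx[-2] in DOC_EXTS
            findings.append(("shortcut", name, "masquerades as document" if masq else "plain"))
    for d, files in by_dir.items():
        # 2. EXE and DLL with the same base name in one directory: side-loading pair.
        pair = _stems(files, ".exe") & _stems(files, ".dll")
        if pair:
            hits.add("side_load_pair")
            findings.append(("side_load_pair", d, sorted(pair)))
            # 3. A non-executable file next to the pair: the blob the loader reads.
            blobs = [p.name for p in files if p.suffix.lower() not in (".exe", ".dll")]
            if blobs:
                hits.add("payload_blob")
                findings.append(("payload_blob", d, blobs))
    return hits, findings


def is_suspicious(members):
    """True only when all three heuristics fire on the listing."""
    return triage_archive_listing(members)[0] == {"shortcut", "side_load_pair", "payload_blob"}
```

Feed it the output of `unrar l` or `7z l` (member paths only) to flag archives worth detonating in a sandbox; a single heuristic on its own is too noisy to alert on.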
