Rewterz Threat Alert – Earth Preta aka Mustang Panda APT Group – Active IOCs

Severity

High

Analysis Summary

can-affiliated religious institutions in the United States and Europe. Asian countries, such as Taiwan, Hong Kong, Mongolia, Tibet, and Myanmar, were the main focus of the past campaigns. The group is notorious for creating phishing lures based on current events that might interest its target, for example, Covid-19 pandemic, political subjects, and most trending issues like Russian-Ukrainian cyber warfare.

The Trojan application PlugX has been the most popular malicious implant utilized by Mustang Panda and is still the preferred spying weapon for the group. The recent Mustang Panda activity involves the use of DLL side-loading to deliver PlugX. The initial infection vector is an executable downloaded from a remote URL. The executable is responsible for installing the malware by dropping the required files (a DLL loader, a legitimate binary, and the PlugX payload) onto the system. The legitimate binary is the Adobe CEF Helper and is vulnerable to DLL side-loading. When the installer runs the legitimate binary, the dropped DLL is loaded. This DLL is the loader for the final payload. First, it reads a hardcoded .dat file that contains the XOR key for decrypting the final payload, then it performs the decryption and loads the malware into memory. Once running in memory, the PlugX payload is able to decrypt its configuration data, which includes its installation location, the XOR key for C2 communication, and any C2 addresses and ports.

This APT group has been active for many years and is known to use a variety of tactics and techniques to compromise target systems, including spear-phishing campaigns, custom malware, and exploiting vulnerabilities in popular software. MustangPanda is considered to be one of the more sophisticated APT groups, and it is known for its ability to maintain a persistent presence within target networks and exfiltrate large amounts of sensitive data without being detected.

Impact

• Information Theft
• Exposure To Sensitive Data

Indicators of Compromise

IP

45.8.109.52

MD5

• f7248a9a49871e679323dd5638d6487a
• 9c3f13f5f9ed74bcc0bfe38e7e22c0d9
• 2da4f427f42dd7798d262b58a4d629d0

SHA-256

• f751fb287db51f79bb6df2e330a53b6d80ef3d2af93f09bb786b62e613514db
• 688a06b1722153c30cc7a113a91a8febc472ede174a2ea0bfa6df616f806a3c7
• b00c252a60171f33e32e64891ffe826b8a45f8816acf778838d788897213a405

SHA-1

• 6d1df8ee99a9610d17a394c0c954ccccb4bfa84c
• 9285d5077b7c7e888e4a96e406d2e4d521b546cd
• 57833dbc88eb1c20da3ba5d3ecb4cb96622ecdc3

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
• Emails from unknown senders should always be treated with caution.
• Never trust or open links and attachments received from unknown sources/senders.