Rewterz Threat Alert – APT MustangPanda

Rewterz Threat Alert – Emotet – Active IOCs

March 17, 2022

Rewterz Threat Alert – WannaCry Ransomware – Active IOCs

March 17, 2022

Rewterz Threat Alert – APT MustangPanda – Active IOCs

Severity

High

Analysis Summary

Researchers have identified recent Mustang Panda activity that involves the use of DLL side-loading to deliver PlugX. The initial infection vector is an executable downloaded from a remote URL. The executable is responsible for installing the malware by dropping the required files (a DLL loader, a legitimate binary, and the PlugX payload) onto the system. The legitimate binary is the Adobe CEF Helper and is vulnerable to DLL side-loading. When the installer runs the legitimate binary, the dropped DLL is loaded. This DLL is the loader for the final payload. First, it reads a hardcoded .dat file that contains the XOR key for decrypting the final payload, then it performs the decryption and loads the malware into memory. Once running in memory, the PlugX payload is able to decrypt its configuration data, which includes its installation location, the XOR key for C2 communication, and any C2 addresses and ports

Impact

Information Theft
Exposure of Sensitive Data

Indicators of Compromise

Domain Name

fuckeryoumm[.]nmb[.]bet

IP

18[.]138[.]107[.]235

MD5

8a485194a956512174401cdb8df7eaa7

SHA-256

28d2fef9323884cc81b1a39f3c17734606a79e79786496c5a556e25e00bdf10a

SHA-1

71e85c44b1a9eb28929783c75b3cd81135bd9a2c

Remediation

Block all threat indicators at your respective controls.
Search for IOCs in your environment.
Always be suspicious about emails sent by unknown senders.
Never click on the links/attachments sent by unknown senders