Chinese state-sponsored threat actor Mustang Panda (aka LuminousMoth, Camaro Dragon, HoneyMyte, and more) has been found launching malware campaigns against high-value targets, including government agencies in Asia.
The group used a variant of the HIUPAN worm to distribute the PUBLOAD malware on its targets' networks via removable drives. The HIUPAN worm moved all its files to a hidden directory to conceal its presence and left only one seemingly legitimate file (“USBConfig.exe”) visible to trick the user.
The PUBLOAD tool served as the campaign's primary control tool, used to collect data and send it to the threat actor's remote server. PTSOCKET was often used as an alternative data exfiltration tool.
A family story
A Trend Micro Research report describes the progression of Mustang Panda's malware deployment, particularly its use against military, government and educational agencies in the APAC region.
This marks a change from recent reports, in which the group used WispRider variants to carry out similar DLL side-loading techniques via USB drives. That earlier campaign is said to have infected devices around the world, including in the UK, Russia, and India.
The group was also linked to a phishing campaign in June this year, demonstrating its ability to exploit Microsoft cloud services and take advantage of multi-stage downloaders. The group remains very active in the cyber landscape and looks set to continue doing so for the foreseeable future.
This is one of many suspected Chinese state-sponsored attacks in recent times, with campaigns against a variety of targets, including Russian government devices compromised through phishing attacks.
Via BleepingComputer