Mustang Panda
Associated Group Descriptions |
|
Name | Description |
---|---|
TA416 | (Citation: Proofpoint TA416 November 2020) |
RedDelta | (Citation: Recorded Future REDDELTA July 2020)(Citation: Proofpoint TA416 Europe March 2022) |
BRONZE PRESIDENT | (Citation: Secureworks BRONZE PRESIDENT December 2019) |
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1583 | .001 | Acquire Infrastructure: Domains |
Mustang Panda have acquired C2 domains prior to operations.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Recorded Future REDDELTA July 2020)(Citation: McAfee Dianxun March 2021) |
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Mustang Panda has communicated with its C2 via HTTP POST requests.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Recorded Future REDDELTA July 2020)(Citation: McAfee Dianxun March 2021) |
Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility |
Mustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Avira Mustang Panda January 2020) |
.003 | Archive Collected Data: Archive via Custom Method |
Mustang Panda has encrypted documents with RC4 prior to exfiltration.(Citation: Avira Mustang Panda January 2020) |
||
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Mustang Panda has created the registry key |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Mustang Panda has used malicious PowerShell scripts to enable execution.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019) |
.003 | Command and Scripting Interpreter: Windows Command Shell |
Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Avira Mustang Panda January 2020) |
||
.005 | Command and Scripting Interpreter: Visual Basic |
Mustang Panda has embedded VBScript components in LNK files to download additional files and automate collection.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019) |
||
Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
Mustang Panda has stored collected credential files in |
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
Mustang Panda has encrypted C2 communications with RC4.(Citation: Recorded Future REDDELTA July 2020) |
Enterprise | T1585 | .002 | Establish Accounts: Email Accounts |
Mustang Panda has leveraged the legitimate email marketing service SMTP2Go for phishing campaigns.(Citation: Proofpoint TA416 Europe March 2022) |
Enterprise | T1546 | .003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription |
Mustang Panda's custom ORat tool uses a WMI event consumer to maintain persistence.(Citation: Secureworks BRONZE PRESIDENT December 2019) |
Enterprise | T1052 | .001 | Exfiltration Over Physical Medium: Exfiltration over USB |
Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks.(Citation: Avira Mustang Panda January 2020) |
Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories |
Mustang Panda's PlugX variant has created a hidden folder on USB drives named |
Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading |
Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Recorded Future REDDELTA July 2020)(Citation: Proofpoint TA416 November 2020) |
Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
Mustang Panda will delete their tools and files, and kill processes after their objectives are reached.(Citation: Secureworks BRONZE PRESIDENT December 2019) |
Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
Mustang Panda has used names like `adobeupdate.dat` and `PotPlayerDB.dat` to disguise PlugX, and a file named `OneDrive.exe` to load a Cobalt Strike payload.(Citation: Recorded Future REDDELTA July 2020) |
.007 | Masquerading: Double File Extension |
Mustang Panda has used an additional filename extension to hide the true file type.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019) |
||
Enterprise | T1003 | .003 | OS Credential Dumping: NTDS |
Mustang Panda has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file. Mustang Panda has also used |
Enterprise | T1027 | .001 | Obfuscated Files or Information: Binary Padding |
Mustang Panda has used junk code within their DLL files to hinder analysis.(Citation: Avira Mustang Panda January 2020) |
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Mustang Panda has used spearphishing attachments to deliver initial access payloads.(Citation: Recorded Future REDDELTA July 2020)(Citation: Proofpoint TA416 November 2020)(Citation: Google TAG Ukraine Threat Landscape March 2022) |
.002 | Phishing: Spearphishing Link |
Mustang Panda has delivered malicious links to their intended targets.(Citation: McAfee Dianxun March 2021) |
||
Enterprise | T1598 | .003 | Phishing for Information: Spearphishing Link |
Mustang Panda has delivered web bugs to profile their intended targets.(Citation: Proofpoint TA416 Europe March 2022) |
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
Mustang Panda has created a scheduled task to execute additional malicious software, as well as maintain persistence.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: McAfee Dianxun March 2021) |
Enterprise | T1608 | .001 | Stage Capabilities: Upload Malware |
Mustang Panda has hosted malicious payloads on DropBox including PlugX.(Citation: Proofpoint TA416 Europe March 2022) |
Enterprise | T1218 | .004 | System Binary Proxy Execution: InstallUtil |
Mustang Panda has used |
.005 | System Binary Proxy Execution: Mshta |
Mustang Panda has used mshta.exe to launch collection scripts.(Citation: Secureworks BRONZE PRESIDENT December 2019) |
||
Enterprise | T1204 | .001 | User Execution: Malicious Link |
Mustang Panda has sent malicious links including links directing victims to a Google Drive folder.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: McAfee Dianxun March 2021)(Citation: Proofpoint TA416 Europe March 2022) |
.002 | User Execution: Malicious File |
Mustang Panda has sent malicious files requiring direct victim interaction to execute.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Avira Mustang Panda January 2020)(Citation: Recorded Future REDDELTA July 2020)(Citation: Google TAG Ukraine Threat Landscape March 2022)(Citation: Proofpoint TA416 Europe March 2022) |
References
- Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.
- Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
- Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
- Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
- Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
- Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.
- Roccia, T., Seret, T., Fokker, J. (2021, March 16). Technical Analysis of Operation Dianxun. Retrieved April 13, 2021.
- Proofpoint Threat Research Team. (2020, November 23). TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader. Retrieved April 13, 2021.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.