
Mustang Panda

Mustang Panda is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. Mustang Panda has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Europe, Mongolia, Myanmar, Pakistan, and Vietnam, among others.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)
ID: G0129
Associated Groups: TA416, BRONZE PRESIDENT, RedDelta
Version: 2.1
Created: 12 Apr 2021
Last Modified: 16 Apr 2025

Associated Group Descriptions

Name Description
TA416 (Citation: Proofpoint TA416 November 2020)
BRONZE PRESIDENT (Citation: Secureworks BRONZE PRESIDENT December 2019)
RedDelta (Citation: Recorded Future REDDELTA July 2020)(Citation: Proofpoint TA416 Europe March 2022)

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

Mustang Panda has acquired C2 domains prior to operations.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Recorded Future REDDELTA July 2020)(Citation: McAfee Dianxun March 2021)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Mustang Panda has communicated with its C2 via HTTP POST requests.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Recorded Future REDDELTA July 2020)(Citation: McAfee Dianxun March 2021)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Mustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Avira Mustang Panda January 2020)

Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

Mustang Panda has encrypted documents with RC4 prior to exfiltration.(Citation: Avira Mustang Panda January 2020)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Mustang Panda has created the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobelmdyU to maintain persistence.(Citation: Proofpoint TA416 November 2020)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Mustang Panda has used malicious PowerShell scripts to enable execution.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Avira Mustang Panda January 2020)

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Mustang Panda has embedded VBScript components in LNK files to download additional files and automate collection.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)

Enterprise T1074 .001 Data Staged: Local Data Staging

Mustang Panda has stored collected credential files in c:\windows\temp prior to exfiltration. Mustang Panda has also stored documents for exfiltration in a hidden folder on USB drives.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Avira Mustang Panda January 2020)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Mustang Panda has encrypted C2 communications with RC4.(Citation: Recorded Future REDDELTA July 2020)

Enterprise T1585 .002 Establish Accounts: Email Accounts

Mustang Panda has leveraged the legitimate email marketing service SMTP2Go for phishing campaigns.(Citation: Proofpoint TA416 Europe March 2022)

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Mustang Panda's custom ORat tool uses a WMI event consumer to maintain persistence.(Citation: Secureworks BRONZE PRESIDENT December 2019)

Enterprise T1052 .001 Exfiltration Over Physical Medium: Exfiltration over USB

Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks.(Citation: Avira Mustang Panda January 2020)

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Mustang Panda's PlugX variant has created a hidden folder on USB drives named RECYCLE.BIN to store malicious executables and collected data.(Citation: Avira Mustang Panda January 2020)

Enterprise T1574 .001 Hijack Execution Flow: DLL

Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Recorded Future REDDELTA July 2020)(Citation: Proofpoint TA416 November 2020)

Enterprise T1070 .004 Indicator Removal: File Deletion

Mustang Panda deletes its tools and files, and kills its processes, after its objectives are reached.(Citation: Secureworks BRONZE PRESIDENT December 2019)

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

Mustang Panda has used names like `adobeupdate.dat` and `PotPlayerDB.dat` to disguise PlugX, and a file named `OneDrive.exe` to load a Cobalt Strike payload.(Citation: Recorded Future REDDELTA July 2020)

Enterprise T1036 .007 Masquerading: Double File Extension

Mustang Panda has used an additional filename extension to hide the true file type.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)

Enterprise T1003 .003 OS Credential Dumping: NTDS

Mustang Panda has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file. Mustang Panda has also used reg save on the SYSTEM registry hive to obtain the key material needed to extract credentials from NTDS.dit.(Citation: Secureworks BRONZE PRESIDENT December 2019)

Enterprise T1027 .016 Obfuscated Files or Information: Junk Code Insertion

Mustang Panda has used junk code within their DLL files to hinder analysis.(Citation: Avira Mustang Panda January 2020)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Mustang Panda has used spearphishing attachments to deliver initial access payloads.(Citation: Recorded Future REDDELTA July 2020)(Citation: Proofpoint TA416 November 2020)(Citation: Google TAG Ukraine Threat Landscape March 2022)

Enterprise T1566 .002 Phishing: Spearphishing Link

Mustang Panda has delivered malicious links to their intended targets.(Citation: McAfee Dianxun March 2021)

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

Mustang Panda has delivered web bugs to profile their intended targets.(Citation: Proofpoint TA416 Europe March 2022)

Enterprise T1219 .002 Remote Access Tools: Remote Desktop Software

Mustang Panda has installed TeamViewer on targeted systems.(Citation: Secureworks BRONZE PRESIDENT December 2019)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Mustang Panda has created a scheduled task to execute additional malicious software, as well as maintain persistence.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: McAfee Dianxun March 2021)

Enterprise T1608 .001 Stage Capabilities: Upload Malware

Mustang Panda has hosted malicious payloads, including PlugX, on Dropbox.(Citation: Proofpoint TA416 Europe March 2022)

Enterprise T1218 .004 System Binary Proxy Execution: InstallUtil

Mustang Panda has used InstallUtil.exe to execute a malicious Beacon stager.(Citation: Anomali MUSTANG PANDA October 2019)

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

Mustang Panda has used mshta.exe to launch collection scripts.(Citation: Secureworks BRONZE PRESIDENT December 2019)

Enterprise T1204 .001 User Execution: Malicious Link

Mustang Panda has sent malicious links including links directing victims to a Google Drive folder.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: McAfee Dianxun March 2021)(Citation: Proofpoint TA416 Europe March 2022)

Enterprise T1204 .002 User Execution: Malicious File

Mustang Panda has sent malicious files requiring direct victim interaction to execute.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Avira Mustang Panda January 2020)(Citation: Recorded Future REDDELTA July 2020)(Citation: Google TAG Ukraine Threat Landscape March 2022)(Citation: Proofpoint TA416 Europe March 2022)
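Several of the technique entries above describe host-level artefacts a defender can look for: the Wow6432Node Run key persistence (T1547.001), the vssadmin shadow copy followed by reg save of the SYSTEM hive used to extract NTDS.dit (T1003.003), and mshta.exe / InstallUtil.exe used as signed proxies for collection scripts and stagers (T1218.005 / T1218.004). The script below is an added example, not part of the ATT&CK page or any vendor report it cites. It runs simple detection rules over constructed event records shaped like Sysmon process-create and registry-value-set events; the field names, host names, timestamps and the benign filler events are all assumptions made up for the example, and only the Run key path and the c:\windows\temp staging directory come from the page.

```python
"""
Detection rules for Mustang Panda tradecraft listed on the page:
  T1547.001  Run key value written (incl. the Wow6432Node path)
  T1003.003  vssadmin create shadow + reg save HKLM\\SYSTEM on one host
  T1218.004/.005  InstallUtil.exe / mshta.exe launched as a proxy binary
Added example; events are constructed and field names are assumptions.
"""
import re
from dataclasses import dataclass

# Run / RunOnce keys under both the native and the Wow6432Node hive views.
RUN_KEY_RE = re.compile(
    r"\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
    re.IGNORECASE,
)
# Each command alone is noisy on an admin host; paired within a short
# window on one host they match the NTDS.dit workflow described on the page.
SHADOW_RE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bcreate\s+shadow\b", re.IGNORECASE)
REG_SAVE_SYSTEM_RE = re.compile(r"\breg(?:\.exe)?\s+save\b.*\bHKLM\\SYSTEM\b", re.IGNORECASE)
# Signed Windows binaries the page lists as execution proxies.
PROXY_BINARIES = {"mshta.exe": "T1218.005", "installutil.exe": "T1218.004"}


@dataclass
class Event:
    ts: int            # seconds since epoch (constructed)
    host: str
    kind: str          # "process" (Sysmon EID 1-like) or "registry" (EID 13-like)
    image: str = ""    # full path of the process image
    cmdline: str = ""  # process command line
    target: str = ""   # registry path written, for kind == "registry"


@dataclass
class Finding:
    technique: str
    host: str
    detail: str


def check_run_key(ev):
    """T1547.001: any value set below a Run/RunOnce key."""
    if ev.kind == "registry" and RUN_KEY_RE.search(ev.target):
        return Finding("T1547.001", ev.host, f"Run key value set: {ev.target}")
    return None


def check_proxy_exec(ev):
    """T1218.004/.005: mshta.exe or InstallUtil.exe started, whatever the path."""
    if ev.kind != "process":
        return None
    name = ev.image.rsplit("\\", 1)[-1].lower()
    technique = PROXY_BINARIES.get(name)
    if technique:
        return Finding(technique, ev.host, f"{name} launched: {ev.cmdline}")
    return None


def check_ntds_workflow(events, window=600):
    """T1003.003: shadow copy creation and SYSTEM hive export on the same
    host within `window` seconds, in either order."""
    shadow_times = {}
    for ev in events:
        if ev.kind == "process" and SHADOW_RE.search(ev.cmdline):
            shadow_times.setdefault(ev.host, []).append(ev.ts)
    findings = []
    for ev in events:
        if ev.kind == "process" and REG_SAVE_SYSTEM_RE.search(ev.cmdline):
            if any(abs(ev.ts - t) <= window for t in shadow_times.get(ev.host, [])):
                findings.append(Finding("T1003.003", ev.host,
                                        "shadow copy + SYSTEM hive export"))
    return findings


def scan(events):
    """Run every per-event rule, then the cross-event NTDS rule."""
    findings = []
    for ev in events:
        for rule in (check_run_key, check_proxy_exec):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    findings.extend(check_ntds_workflow(events))
    return findings


# Constructed sample telemetry: ws01 shows the page's tradecraft, ws02 only
# an isolated shadow copy (no SYSTEM hive export) plus a benign process.
SAMPLE_EVENTS = [
    Event(1000, "ws01", "registry",
          target=r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobelmdyU"),
    Event(1001, "ws01", "registry",
          target=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp"),
    Event(1200, "ws01", "process", image=r"C:\Windows\System32\vssadmin.exe",
          cmdline="vssadmin create shadow /for=C:"),
    Event(1300, "ws01", "process", image=r"C:\Windows\System32\reg.exe",
          cmdline=r"reg save HKLM\SYSTEM C:\windows\temp\sys.hiv"),
    Event(1400, "ws01", "process", image=r"C:\Windows\System32\mshta.exe",
          cmdline=r"mshta.exe C:\Users\Public\collect.hta"),
    Event(1500, "ws02", "process", image=r"C:\Windows\System32\vssadmin.exe",
          cmdline="vssadmin create shadow /for=C:"),
    Event(1600, "ws02", "process", image=r"C:\Windows\System32\notepad.exe",
          cmdline="notepad.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.technique, f.host, f.detail)
```

Running the script reports three findings, all on ws01: the Run key write, the mshta.exe launch, and the paired shadow-copy/hive-export sequence; the lone vssadmin run on ws02 and the Uninstall key write are ignored. The pairing window in check_ntds_workflow is what keeps the NTDS rule usable on hosts where backup software legitimately creates shadow copies.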

Software

ID Name References Techniques

S0662 RCSession
References: (Citation: Secureworks BRONZE PRESIDENT December 2019) (Citation: Trend Micro DRBControl February 2020) (Citation: Trend Micro Iron Tiger April 2021)
Techniques: Screen Capture, Fileless Storage, System Owner/User Discovery, Keylogging, Bypass User Account Control, DLL, System Information Discovery, Msiexec, Native API, Data from Local System, Masquerading, Modify Registry, Process Discovery, Registry Run Keys / Startup Folder, Process Hollowing, Encrypted Channel, Non-Application Layer Protocol, Windows Command Shell, File Deletion, Web Protocols, Ingress Tool Transfer, Compression

S0013 PlugX
References: (Citation: Anomali MUSTANG PANDA October 2019) (Citation: Avira Mustang Panda January 2020) (Citation: CIRCL PlugX March 2013) (Citation: Crowdstrike MUSTANG PANDA June 2018) (Citation: Dell TG-3390) (Citation: DestroyRAT) (Citation: FireEye Clandestine Fox Part 2) (Citation: Kaba) (Citation: Korplug) (Citation: Lastline PlugX Analysis) (Citation: New DragonOK) (Citation: Novetta-Axiom) (Citation: Proofpoint TA416 Europe March 2022) (Citation: Recorded Future REDDELTA July 2020) (Citation: Secureworks BRONZE PRESIDENT December 2019) (Citation: Sogu) (Citation: TVT) (Citation: Thoper)
Techniques: Screen Capture, Keylogging, DNS, Match Legitimate Resource Name or Location, Symmetric Cryptography, Windows Service, System Checks, DLL, Network Share Discovery, Native API, Deobfuscate/Decode Files or Information, Disable or Modify System Firewall, Modify Registry, File and Directory Discovery, Masquerade Task or Service, System Network Connections Discovery, Process Discovery, Multiband Communication, Registry Run Keys / Startup Folder, Non-Standard Port, Obfuscated Files or Information, Non-Application Layer Protocol, Query Registry, MSBuild, Windows Command Shell, Web Protocols, DLL Side-Loading, Ingress Tool Transfer, Hidden Files and Directories, Custom Command and Control Protocol, Dead Drop Resolver, Commonly Used Port

S0154 Cobalt Strike
References: (Citation: Anomali MUSTANG PANDA October 2019) (Citation: Crowdstrike MUSTANG PANDA June 2018) (Citation: McAfee Dianxun March 2021) (Citation: Recorded Future REDDELTA July 2020) (Citation: Secureworks BRONZE PRESIDENT December 2019) (Citation: cobaltstrike manual)
Techniques: Windows Management Instrumentation, Screen Capture, Rundll32, Standard Encoding, Keylogging, JavaScript, Bypass User Account Control, Sudo and Sudo Caching, Security Account Manager, DNS, Domain Account, Symmetric Cryptography, Windows Service, Domain Groups, SSH, System Service Discovery, Code Signing, Network Share Discovery, Application Layer Protocol, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Timestomp, Reflective Code Loading, Scheduled Transfer, SMB/Windows Admin Shares, Protocol Tunneling, Browser Session Hijacking, Modify Registry, Windows Remote Management, LSASS Memory, Distributed Component Object Model, System Network Configuration Discovery, Office Template Macros, File and Directory Discovery, System Network Connections Discovery, Token Impersonation/Theft, Make and Impersonate Token, Process Discovery, Parent PID Spoofing, PowerShell, Multiband Communication, File Transfer Protocols, Local Groups, Disable or Modify Tools, Indicator Removal from Tools, Process Hollowing, Exploitation for Privilege Escalation, Obfuscated Files or Information, Exploitation for Client Execution, Asymmetric Cryptography, Non-Application Layer Protocol, Protocol or Service Impersonation, Query Registry, Data Transfer Size Limits, Domain Accounts, BITS Jobs, Domain Fronting, Python, Windows Command Shell, Web Protocols, Visual Basic, Remote System Discovery, Network Service Discovery, Software Discovery, Pass the Hash, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection, Internal Proxy, Custom Command and Control Protocol, Commonly Used Port, Local Accounts, Process Argument Spoofing

S0012 PoisonIvy
References: (Citation: Breut) (Citation: Crowdstrike MUSTANG PANDA June 2018) (Citation: Darkmoon) (Citation: FireEye Poison Ivy) (Citation: Novetta-Axiom) (Citation: Poison Ivy) (Citation: Recorded Future REDDELTA July 2020) (Citation: Symantec Darkmoon Aug 2005) (Citation: Symantec Darkmoon Sept 2014) (Citation: Symantec Elderwood Sept 2012)
Techniques: Keylogging, Rootkit, Local Data Staging, Active Setup, Symmetric Cryptography, Windows Service, Data from Local System, Mutual Exclusion, Application Window Discovery, Modify Registry, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Uncommonly Used Port, Windows Command Shell, Ingress Tool Transfer, Dynamic-link Library Injection

S0590 NBTscan
References: (Citation: Debian nbtscan Nov 2019) (Citation: FireEye APT39 Jan 2019) (Citation: SecTools nbtscan June 2003) (Citation: Secureworks BRONZE PRESIDENT December 2019) (Citation: Symantec Waterbug Jun 2019)
Techniques: System Owner/User Discovery, Network Sniffing, System Network Configuration Discovery, Remote System Discovery, Network Service Discovery
