Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Преступная группа Mustang Panda
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Mustang Panda
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Mustang Panda

Mustang Panda is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. Mustang Panda has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Europe, Mongolia, Myanmar, Pakistan, and Vietnam, among others.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)
ID: G0129
Associated Groups: TA416, RedDelta, BRONZE PRESIDENT
Version: 2.0
Created: 12 Apr 2021
Last Modified: 11 Apr 2022

Associated Group Descriptions
Name Description
TA416 (Citation: Proofpoint TA416 November 2020)
RedDelta (Citation: Recorded Future REDDELTA July 2020)(Citation: Proofpoint TA416 Europe March 2022)
BRONZE PRESIDENT (Citation: Secureworks BRONZE PRESIDENT December 2019)

Techniques Used
Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

Mustang Panda have acquired C2 domains prior to operations.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Recorded Future REDDELTA July 2020)(Citation: McAfee Dianxun March 2021)
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Mustang Panda has communicated with its C2 via HTTP POST requests.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Recorded Future REDDELTA July 2020)(Citation: McAfee Dianxun March 2021)
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Mustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Avira Mustang Panda January 2020)
.003 Archive Collected Data: Archive via Custom Method

Mustang Panda has encrypted documents with RC4 prior to exfiltration.(Citation: Avira Mustang Panda January 2020)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Mustang Panda has created the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobelmdyU to maintain persistence.(Citation: Proofpoint TA416 November 2020)
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Mustang Panda has used malicious PowerShell scripts to enable execution.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)
.003 Command and Scripting Interpreter: Windows Command Shell

Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Avira Mustang Panda January 2020)

.005 Command and Scripting Interpreter: Visual Basic

Mustang Panda has embedded VBScript components in LNK files to download additional files and automate collection.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)

Enterprise T1074 .001 Data Staged: Local Data Staging

Mustang Panda has stored collected credential files in c:\windows\temp prior to exfiltration. Mustang Panda has also stored documents for exfiltration in a hidden folder on USB drives.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Avira Mustang Panda January 2020)
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Mustang Panda has encrypted C2 communications with RC4.(Citation: Recorded Future REDDELTA July 2020)
Enterprise T1585 .002 Establish Accounts: Email Accounts

Mustang Panda has leveraged the legitimate email marketing service SMTP2Go for phishing campaigns.(Citation: Proofpoint TA416 Europe March 2022)
Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Mustang Panda's custom ORat tool uses a WMI event consumer to maintain persistence.(Citation: Secureworks BRONZE PRESIDENT December 2019)
Enterprise T1052 .001 Exfiltration Over Physical Medium: Exfiltration over USB

Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks.(Citation: Avira Mustang Panda January 2020)
Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Mustang Panda's PlugX variant has created a hidden folder on USB drives named RECYCLE.BIN to store malicious executables and collected data.(Citation: Avira Mustang Panda January 2020)
Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Recorded Future REDDELTA July 2020)(Citation: Proofpoint TA416 November 2020)
Enterprise T1070 .004 Indicator Removal: File Deletion

Mustang Panda will delete their tools and files, and kill processes after their objectives are reached.(Citation: Secureworks BRONZE PRESIDENT December 2019)
Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Mustang Panda has used names like `adobeupdate.dat` and `PotPlayerDB.dat` to disguise PlugX, and a file named `OneDrive.exe` to load a Cobalt Strike payload.(Citation: Recorded Future REDDELTA July 2020)
.007 Masquerading: Double File Extension

Mustang Panda has used an additional filename extension to hide the true file type.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)

Enterprise T1003 .003 OS Credential Dumping: NTDS

Mustang Panda has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file. Mustang Panda has also used reg save on the SYSTEM file Registry location to help extract the NTDS.dit file.(Citation: Secureworks BRONZE PRESIDENT December 2019)
Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

Mustang Panda has used junk code within their DLL files to hinder analysis.(Citation: Avira Mustang Panda January 2020)
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Mustang Panda has used spearphishing attachments to deliver initial access payloads.(Citation: Recorded Future REDDELTA July 2020)(Citation: Proofpoint TA416 November 2020)(Citation: Google TAG Ukraine Threat Landscape March 2022)
.002 Phishing: Spearphishing Link

Mustang Panda has delivered web bugs and malicious links to their intended targets.(Citation: McAfee Dianxun March 2021)(Citation: Proofpoint TA416 Europe March 2022)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Mustang Panda has created a scheduled task to execute additional malicious software, as well as maintain persistence.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: McAfee Dianxun March 2021)
Enterprise T1608 .001 Stage Capabilities: Upload Malware

Mustang Panda has hosted malicious payloads on DropBox including PlugX.(Citation: Proofpoint TA416 Europe March 2022)
Enterprise T1218 .004 System Binary Proxy Execution: InstallUtil

Mustang Panda has used InstallUtil.exe to execute a malicious Beacon stager.(Citation: Anomali MUSTANG PANDA October 2019)
.005 System Binary Proxy Execution: Mshta

Mustang Panda has used mshta.exe to launch collection scripts.(Citation: Secureworks BRONZE PRESIDENT December 2019)

Enterprise T1204 .001 User Execution: Malicious Link

Mustang Panda has sent malicious links including links directing victims to a Google Drive folder.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: McAfee Dianxun March 2021)(Citation: Proofpoint TA416 Europe March 2022)
.002 User Execution: Malicious File

Mustang Panda has sent malicious files requiring direct victim interaction to execute.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Avira Mustang Panda January 2020)(Citation: Recorded Future REDDELTA July 2020)(Citation: Google TAG Ukraine Threat Landscape March 2022)(Citation: Proofpoint TA416 Europe March 2022)

Software
ID Name References Techniques
S0662 RCSession (Citation: Secureworks BRONZE PRESIDENT December 2019) (Citation: Trend Micro DRBControl February 2020) (Citation: Trend Micro Iron Tiger April 2021) Encrypted Channel, Process Hollowing, Process Discovery, Msiexec, Screen Capture, Keylogging, Ingress Tool Transfer, Native API, Web Protocols, System Owner/User Discovery, File Deletion, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Data from Local System, Non-Application Layer Protocol, System Information Discovery, Masquerading, Modify Registry, DLL Side-Loading, Windows Command Shell, Bypass User Account Control
S0013 PlugX (Citation: Anomali MUSTANG PANDA October 2019) (Citation: Avira Mustang Panda January 2020) (Citation: CIRCL PlugX March 2013) (Citation: Crowdstrike MUSTANG PANDA June 2018) (Citation: Dell TG-3390) (Citation: DestroyRAT) (Citation: FireEye Clandestine Fox Part 2) (Citation: Kaba) (Citation: Korplug) (Citation: Lastline PlugX Analysis) (Citation: New DragonOK) (Citation: Novetta-Axiom) (Citation: Proofpoint TA416 Europe March 2022) (Citation: Recorded Future REDDELTA July 2020) (Citation: Secureworks BRONZE PRESIDENT December 2019) (Citation: Sogu) (Citation: Thoper) (Citation: TVT) Modify Registry, File and Directory Discovery, Masquerade Task or Service, Hidden Files and Directories, Multiband Communication, Non-Application Layer Protocol, Keylogging, Dead Drop Resolver, DLL Side-Loading, Process Discovery, Query Registry, DLL Search Order Hijacking, Network Share Discovery, MSBuild, Web Protocols, Windows Service, Windows Command Shell, Ingress Tool Transfer, System Checks, System Network Connections Discovery, Match Legitimate Name or Location, Registry Run Keys / Startup Folder, Custom Command and Control Protocol, DNS, Screen Capture, Commonly Used Port, Symmetric Cryptography, Deobfuscate/Decode Files or Information, Native API, Obfuscated Files or Information
S0154 Cobalt Strike (Citation: Anomali MUSTANG PANDA October 2019) (Citation: cobaltstrike manual) (Citation: Crowdstrike MUSTANG PANDA June 2018) (Citation: McAfee Dianxun March 2021) (Citation: Recorded Future REDDELTA July 2020) (Citation: Secureworks BRONZE PRESIDENT December 2019) Domain Fronting, Sudo and Sudo Caching, Code Signing, Scheduled Transfer, JavaScript, Remote Desktop Protocol, Native API, Pass the Hash, Domain Accounts, Indicator Removal from Tools, Bypass User Account Control, System Network Configuration Discovery, Service Execution, PowerShell, Web Protocols, Application Layer Protocol, Data from Local System, Disable or Modify Tools, Dynamic-link Library Injection, Local Accounts, Multiband Communication, Keylogging, Distributed Component Object Model, Process Discovery, BITS Jobs, Process Hollowing, Software Discovery, Local Accounts, BITS Jobs, Remote Desktop Protocol, Internal Proxy, Exploitation for Privilege Escalation, Screen Capture, Process Argument Spoofing, Modify Registry, Domain Groups, System Network Connections Discovery, Protocol Impersonation, Parent PID Spoofing, Token Impersonation/Theft, Protocol Tunneling, Windows Service, Visual Basic, Native API, Parent PID Spoofing, Process Injection, System Service Discovery, Timestomp, System Network Configuration Discovery, SSH, File and Directory Discovery, DNS, Token Impersonation/Theft, DNS, Bypass User Account Control, Process Hollowing, Scheduled Transfer, Security Account Manager, Local Groups, PowerShell, SSH, Python, Reflective Code Loading, Remote System Discovery, LSASS Memory, Screen Capture, Commonly Used Port, Query Registry, Domain Account, Data Transfer Size Limits, Network Service Discovery, Pass the Hash, Domain Accounts, Network Share Discovery, Web Protocols, Asymmetric Cryptography, Windows Command Shell, Process Injection, Browser Session Hijacking, Deobfuscate/Decode Files or Information, Remote System Discovery, Visual Basic, Protocol Tunneling, Exploitation for Privilege Escalation, Windows Management Instrumentation, Keylogging, Browser Session Hijacking, Windows Remote Management, Symmetric Cryptography, Non-Application Layer Protocol, Standard Encoding, Ingress Tool Transfer, Indicator Removal from Tools, Domain Account, Internal Proxy, Service Execution, Windows Remote Management, SMB/Windows Admin Shares, Rundll32, Windows Service, Application Layer Protocol, Python, SMB/Windows Admin Shares, Windows Management Instrumentation, Security Account Manager, Make and Impersonate Token, Exploitation for Client Execution, Network Service Discovery, Timestomp, Distributed Component Object Model, Multiband Communication, Commonly Used Port, Network Share Discovery, Custom Command and Control Protocol, Process Discovery, Make and Impersonate Token, Data from Local System, Office Template Macros, Windows Command Shell, Obfuscated Files or Information
S0012 PoisonIvy (Citation: Breut) (Citation: Crowdstrike MUSTANG PANDA June 2018) (Citation: Darkmoon) (Citation: FireEye Poison Ivy) (Citation: Novetta-Axiom) (Citation: Poison Ivy) (Citation: Recorded Future REDDELTA July 2020) (Citation: Symantec Darkmoon Aug 2005) (Citation: Symantec Darkmoon Sept 2014) (Citation: Symantec Elderwood Sept 2012) Windows Service, Modify Registry, Uncommonly Used Port, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Keylogging, Active Setup, Dynamic-link Library Injection, Local Data Staging, Windows Command Shell, Ingress Tool Transfer, Symmetric Cryptography, Data from Local System, Application Window Discovery, Rootkit
S0590 NBTscan (Citation: Debian nbtscan Nov 2019) (Citation: FireEye APT39 Jan 2019) (Citation: SecTools nbtscan June 2003) (Citation: Secureworks BRONZE PRESIDENT December 2019) (Citation: Symantec Waterbug Jun 2019) System Owner/User Discovery, System Network Configuration Discovery, Network Sniffing, Network Service Discovery, Remote System Discovery

References

  1. Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.
  2. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
  3. Roccia, T., Seret, T., Fokker, J. (2021, March 16). Technical Analysis of Operation Dianxun. Retrieved April 13, 2021.
  4. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
  5. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  6. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.
  7. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
  8. Proofpoint Threat Research Team. (2020, November 23). TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader. Retrieved April 13, 2021.
  9. Huntley, S. (2022, March 7). An update on the threat landscape. Retrieved March 16, 2022.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.