Mustang Panda APT Group Uses European Commission-Themed Lure to Deliver PlugX Malware

EclecticIQ details Mustang Panda’s campaign against government and public-sector targets in Asia and Europe, delivering a modified PlugX variant via malicious ISO images embedded with LNK shortcuts and employing DLL hijacking, in-memory loading, and a multi-stage infection chain. The operation uses registry Run keys for persistence and a C2 infrastructure tied to IPs such as 217.12.206.116, with evasion and decoy documents designed to mislead users and defenders. #MustangPanda #PlugX #LMIGuardianSvc #LMIGuardianDll #EuropeanCommission #Ukraine

Keypoints

  • Mustang Panda has targeted government and public sector organizations in Asia and Europe since 2019 with long-running cyberespionage aligned to strategic interests.
  • In Nov 2022 the group shifted from archive files to malicious ISO images containing an LNK file to deliver PlugX, increasing anti-malware evasion.
  • The campaign uses a four-stage infection chain that leverages malicious LNK shortcuts, DLL search-order hijacking, and in-memory loading of the PlugX loader.
  • Stage 1: ISO-delivered LNK decoy masquerades as a Word document and uses a cmd.exe command to invoke a renamed LMIGuardianSvc.exe (test2022.ucp) to trigger DLL hijacking.
  • Stage 2: DLL hijacking loads LMIGuardianDll.dll (PlugX loader) into memory; a decoy Word document opens to socially engineer the victim.
  • Stage 3: Registry Run keys provide persistence, ensuring LMIGuardianSvc.exe runs on logon and leads to PlugX execution via DLL hijacking.
  • Stage 4: C2 communication with static IPs (e.g., 217.12.206.116) and an encrypted channel; XOR-based decryption of PlugX shellcode and a campaign ID fingerprint (test2022) are observed.

MITRE Techniques

  • [T1204] Execution: User Execution Malicious File – The malicious LNK file carries a command line that runs when the user opens the shortcut, starting the PlugX execution chain. “The malicious LNK file contains a command line argument that can be executed by user execution to start the PlugX malware execution chain.”
  • [T1566.001] Phishing: Attachment – The infection chain begins with a malicious email containing an ISO image attachment. “In the first stage of the infection chain, EclecticIQ researchers assess that the malware was almost certainly delivered by a malicious email with an ISO image attachment.”
  • [T1574.001] Defense Evasion: Hijack Execution Flow – DLL Search Order Hijacking used to load the PlugX loader from LMIGuardianDll.dll after LMIGuardianSvc.exe. “to perform DLL Hijacking” and “loads the initial PlugX loader called LMIGuardianDll.dll aka PlugX loader.”
  • [T1140] Defense Evasion: Deobfuscate/Decode Files or Information – XOR-based decryption of LMIGuardianDAT.dat to decrypt PlugX shellcode. “used a simple XOR algorithm to decrypt the LMIGuardianDAT.dat (XOR encrypted PlugX shellcode)…”
  • [T1036.007] Defense Evasion: Masquerading Double File Extension – LNK and ISO/lure files disguised with double extensions (e.g., .doc.lnk) and Word icon. “Windows shortcut (LNK) files disguised using double extensions (such as .doc.lnk) with a Microsoft Word icon.”
  • [T1573.001] Command-and-Control: Encrypted Channel – PlugX uses encrypted data channels for C2. “Encrypted Channel Symmetric Cryptography.”
  • [T1132.001] Command-and-Control: Data Encoding Standard Encoding – Data is encoded/encrypted as part of C2 communication. “Data Encoding Standard Encoding.”
  • [T1547.001] Persistence: Boot or Logon Autostart Execution – Registry Run Keys / Startup Folder to persist. “Persistence established by malware after writing a new Run key.”
  • [T1059.003] Command and Scripting: Windows Command Shell – The LNK executes a cmd.exe command line to launch the loader. “C:\Windows\System32\cmd.exe /q /c …”

Indicators of Compromise

  • [File Name] context – LMIGuardianDll.dll, LMIGuardianDat.dat, draft letter to European Commission RUSSIAN OIL PRICE CAP sg de.iso, draft letter to European Commission RUSSIAN OIL PRICE CAP sg de.doc.lnk, LMIGuardianSvc.exe renamed (test2022.ucp)
  • [SHA-256 Hash] context – ee2c8909089f53aafc421d9853c01856b0a9015eba12aa0382e98417d28aef3f, 8c4926dd32204b6a666b274a78ccfb16fe84bbd7d6bc218a5310970c4c5d9450, 723d804cfc334cad788f86c39c7fb58b42f452a72191f7f39400cf05d980b4f3
  • [IP Address] context – 217.12.206.116, 45.134.83.29
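As an added illustration of how a defender would turn the four-stage chain in the keypoints and the indicators above into host-side checks (example code written for this summary, not code from EclecticIQ or the report), the following Python scores constructed endpoint telemetry against each stage. The event field names, the D: drive standing in for the mounted ISO, and the assumption that a legitimately installed LMIGuardianDll.dll lives under Program Files are not from the report.

```python
import ntpath, re

# Indicators and file names taken from the report summary above.
C2_IPS = {"217.12.206.116", "45.134.83.29"}
SHA256_IOCS = {
    "ee2c8909089f53aafc421d9853c01856b0a9015eba12aa0382e98417d28aef3f",
    "8c4926dd32204b6a666b274a78ccfb16fe84bbd7d6bc218a5310970c4c5d9450",
    "723d804cfc334cad788f86c39c7fb58b42f452a72191f7f39400cf05d980b4f3",
}
HOST_EXE, HIJACKED_DLL = "lmiguardiansvc.exe", "lmiguardiandll.dll"
CMD_QUIET = re.compile(r"cmd\.exe\b.*\s/q\s+/c\s", re.I)

def classify(ev):
    """Return the rule names that fire on one telemetry event (field names are assumed)."""
    hits, low = [], {k: str(v).lower() for k, v in ev.items()}
    if low.get("sha256") in SHA256_IOCS:
        hits.append("hash_ioc")
    if low["type"] == "process":
        # Stage 1: on-disk name (test2022.ucp) differs from PE OriginalFilename; parent is the LNK's cmd.exe /q /c
        if low.get("original_file_name") == HOST_EXE and ntpath.basename(low["image"]) != HOST_EXE:
            hits.append("renamed_loader")
        if CMD_QUIET.search(low.get("parent_cmdline", "")):
            hits.append("cmd_quiet_launch")
    elif low["type"] == "image_load":
        # Stage 2: hijacked DLL loaded from the host's own dir (assumes a real install sits under Program Files)
        dll, img = low["dll"], low["image"]
        if (ntpath.basename(dll) == HIJACKED_DLL and ntpath.dirname(dll) == ntpath.dirname(img)
                and "\\program files" not in dll):
            hits.append("dll_search_order_hijack")
    elif low["type"] == "registry":
        # Stage 3: Run key re-launching the host executable at logon
        if "\\currentversion\\run" in low["key"] and HOST_EXE in low.get("value", ""):
            hits.append("run_key_persistence")
    elif low["type"] == "network" and low.get("dest_ip") in C2_IPS:
        hits.append("c2_ip")  # Stage 4: static C2 address from the report
    return hits

# Constructed sample telemetry (not from the report); D: stands in for the mounted ISO.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"D:\test2022.ucp", "original_file_name": "LMIGuardianSvc.exe",
     "parent_cmdline": r"C:\Windows\System32\cmd.exe /q /c D:\test2022.ucp"},
    {"type": "image_load", "image": r"D:\test2022.ucp", "dll": r"D:\LMIGuardianDll.dll"},
    {"type": "file", "sha256": "8c4926dd32204b6a666b274a78ccfb16fe84bbd7d6bc218a5310970c4c5d9450"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\u\AppData\Roaming\LMIGuardianSvc.exe"},
    {"type": "network", "dest_ip": "217.12.206.116"},
    {"type": "image_load", "image": r"C:\Program Files\LogMeIn\LMIGuardianSvc.exe",  # benign
     "dll": r"C:\Program Files\LogMeIn\LMIGuardianDll.dll"},
]
```

The OriginalFilename comparison is the check that survives renaming of the signed host binary; the hash and IP rules only catch this exact campaign.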

Read more: https://blog.eclecticiq.com/mustang-panda-apt-group-uses-european-commission-themed-lure-to-deliver-plugx-malware