Mustang Panda Abuses Legitimate Apps to Target Myanmar Based Victims

Keypoints

  • Mustang Panda (aka HoneyMyte, Bronze President) is the China-based APT group behind this PlugX campaign against Myanmar-based targets.
  • Initial access comes from phishing emails carrying RAR archives themed to the local country or organization; the archives bundle legitimate HP printer utilities together with the malicious components.
  • The legitimate executable side-loads a malicious DLL loader by abusing the Windows DLL search order; the loader in turn decrypts the PlugX payload and runs it.
  • The C2 infrastructure consists of domains and sub-domains that impersonate Myanmar news outlets (e.g., Images.myanmarnewsonline.org, Update.hilifimyanmar.com) and the associated IPs 154.204.26.120 and 45.134.83.4.
  • The DLL loader is heavily obfuscated, resolves its Windows APIs dynamically at runtime, and decompresses and decrypts the PlugX implant before loading it in memory.
  • The report provides a YARA rule for the malicious DLL loader and maps the activity to MITRE ATT&CK (acquired domain infrastructure, obfuscation, masquerading, DLL side-loading).
  • IoCs comprise SHA256 hashes of the RAR lures (Service Log.rar, HP.rar, HP ColorLaserJet.rar) and the C2 domains and IPs listed below.

MITRE Techniques

  • [T1583.001] Acquire Infrastructure: Domains – “embedded configurations revealed a set of command-and-control (C2) domains that masquerade as Myanmar news outlets.”
  • [T1027] Obfuscated Files or Information – “The DLL loader is heavily obfuscated and employs dynamic API resolution upon runtime.”
  • [T1036.005] Masquerading: Match Legitimate Name or Location – “files followed a naming convention designed to make them appear to be legitimate utilities relating to Hewlett-Packard (HP) printers.”
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – “side-loads the DLL by abusing the DLL search order … loads a malicious DLL loader in a specific set order.”

Indicators of Compromise

  • [File] SHA256 – 843709a59f12ff7aa06a5837be7a1a93fdf6f02f99936af6658c166e8abcaa2d (Service Log.rar)
  • [File] SHA256 – 0f3ec2a01ae57c7dd2bb8f130f0f2d1c20fcb397e5b8bbff491517b6d179919e (HP.rar)
  • [File] SHA256 – 558cbbcb969fe2fa3f1c74c376e307efcdbe3bad7497095619927edd5762363a (HP ColorLaserJet.rar)
  • [Domain] Update.hilifimyanmar.com – C2
  • [Domain] Download.hilifimyanmar.com – C2
  • [Domain] Images.myanmarnewsonline.org – C2
  • [Domain] www.myanmarnewsonline.org – C2
  • [IP] 154.204.26.120 – C2
  • [IP] 45.134.83.4 – C2
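The indicators above are only useful once they are swept against telemetry. The Python below is an added example, not code from the BlackBerry report: it matches the listed C2 domains, IPs and SHA256 hashes against DNS/proxy log lines (the log lines are constructed samples) and against file digests. It goes one step beyond the list by treating any host under the hilifimyanmar.com and myanmarnewsonline.org zones as suspicious, on the assumption that the whole impersonation zone is attacker-controlled rather than only the sub-domains the report happened to observe.

```python
"""Sweep log lines and file hashes for the Mustang Panda IoCs listed above.

Indicator values are copied from the IoC list; the log lines are constructed
samples, not real telemetry. Added example, not part of the original report.
"""
import hashlib
import re

# C2 hostnames and IPs from the IoC list (hostnames compared case-insensitively).
C2_DOMAINS = {
    "update.hilifimyanmar.com",
    "download.hilifimyanmar.com",
    "images.myanmarnewsonline.org",
    "www.myanmarnewsonline.org",
}
C2_IPS = {"154.204.26.120", "45.134.83.4"}

# Registrable domains behind the listed hosts. Flagging any label under them
# catches sub-domains the report did not enumerate; this assumes the entire
# zone is attacker-controlled, which the news-outlet impersonation suggests.
C2_ZONES = {"hilifimyanmar.com", "myanmarnewsonline.org"}

# SHA256 of the RAR lures, keyed by lower-case hex digest.
FILE_SHA256 = {
    "843709a59f12ff7aa06a5837be7a1a93fdf6f02f99936af6658c166e8abcaa2d": "Service Log.rar",
    "0f3ec2a01ae57c7dd2bb8f130f0f2d1c20fcb397e5b8bbff491517b6d179919e": "HP.rar",
    "558cbbcb969fe2fa3f1c74c376e307efcdbe3bad7497095619927edd5762363a": "HP ColorLaserJet.rar",
}

# Hostnames need an alphabetic TLD, so dotted IPv4 strings do not match HOST_RE.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def classify_host(host):
    """Return 'domain' for a listed host, 'zone' for another host in a C2 zone, else None."""
    host = host.lower().rstrip(".")
    if host in C2_DOMAINS:
        return "domain"
    if any(host == zone or host.endswith("." + zone) for zone in C2_ZONES):
        return "zone"
    return None


def scan_logs(lines):
    """Return (line_no, kind, indicator) for every IoC hit across the given log lines."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            kind = classify_host(host)
            if kind:
                findings.append((line_no, kind, host.lower()))
        for ip in IPV4_RE.findall(line):
            if ip in C2_IPS:
                findings.append((line_no, "ip", ip))
    return findings


def lookup_hash(digest):
    """Map a SHA256 hex digest (any case, surrounding whitespace ignored) to a lure name, or None."""
    return FILE_SHA256.get(digest.strip().lower())


def sha256_file(path):
    """Stream a file from disk and return its SHA256 hex digest for lookup_hash()."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed sample log lines (not from the report): one exact-domain hit,
# one IP hit, one hit on an unlisted sub-domain of a C2 zone, one benign line.
SAMPLE_LOGS = [
    "2022-10-03T08:12:01Z dns   client=10.10.4.21 query=Images.myanmarnewsonline.org type=A",
    "2022-10-03T08:12:02Z proxy client=10.10.4.21 dst=45.134.83.4:443 bytes=18231",
    "2022-10-03T08:13:10Z dns   client=10.10.4.22 query=cdn.hilifimyanmar.com type=A",
    "2022-10-03T08:14:55Z proxy client=10.10.4.23 dst=www.example.org:443 bytes=2210",
]

if __name__ == "__main__":
    for line_no, kind, indicator in scan_logs(SAMPLE_LOGS):
        print(f"line {line_no}: {kind} hit on {indicator}")
```

Point `sha256_file()` at quarantined attachments and feed the digest to `lookup_hash()`; the zone match is the part worth tuning, since a legitimate host under those zones (if any exists) would be flagged as well.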

Read more: https://blogs.blackberry.com/en/2022/10/mustang-panda-abuses-legitimate-apps-to-target-myanmar-based-victims