The article discusses a malware analysis report linking the Mustang Panda/Red Delta threat actor to cyber espionage activity targeting governmental and non-governmental organizations across multiple countries since 2014. The analysis identified several indicators of compromise (IoCs) and connections between domains and ASNs, leading to further insight into the infrastructure used by this group.

Affected: Mustang Panda, Red Delta, governmental and non-governmental organizations, cybersecurity sector

Key points:

  • Mustang Panda is a China-based cyber espionage group active since at least 2014.
  • The group targets government entities, nonprofits, and other organizations in multiple countries.
  • An analysis linked malware to the Mustang Panda group through various IoCs.
  • Initial findings led to domain discovery, notably jpkinki.com.
  • Pivots revealed multiple related domains and IPs associated with PlugX malware.
  • ASN analysis showed specific ASNs favored by the threat actor for infrastructure deployment.
  • Detailed investigation involved host response banners and JARM fingerprints.
  • Findings indicated potential overlaps with APT41, another threat actor.
  • The article emphasizes the effectiveness of tools like Validin for threat hunting and incident response.

MITRE Techniques:

  • TA0040: Discovery – Utilized domain and IP analysis to discover underlying infrastructure.
  • TA0041: Command and Control – Identified usage of PlugX malware, showcasing mechanisms for persistent C2 communication.
  • TA0042: Credential Access – Analysis indicates potential strategies for obtaining access to government entities and sensitive data.

Indicators of Compromise:

  • [Domain] jpkinki[.]com
  • [IP Address] 139.180.192[.]163
  • [IP Address] 45.133.239[.]188
  • [Hash] 07d0bd16d21d21d07c07d0bd07d21dd7fc4c7c6ef19b77a4ca0787979cdc13
  • [Header Hash] d7001d5eaca56712100c

Full Story: https://www.validin.com/blog/hunting_pandas/