APT PROFILE – MUSTANG PANDA – CYFIRMA

Mustang Panda, aka Bronze President, is a Chinese threat actor active since 2012 that targets governments and NGOs worldwide with sophisticated spear-phishing campaigns and PlugX-based intrusions. CYFIRMA highlights campaigns, exploited CVEs, and lures tied to current events, illustrating a pattern of geopolitically focused information theft and espionage. #PlugX #HorseShell #WispRider #PoisonIvy #DOPLUGS #MQsTTang #MirrorFace #Sogu #MustangPanda #BronzePresident

Keypoints

  • Mustang Panda is a long-running Chinese threat actor active since 2012, with global targets including foreign governments and NGOs.
  • The group is notorious for sophisticated spear-phishing campaigns that use the target’s native language and impersonate government services.
  • Initial access commonly comes from meticulously researched phishing emails that resemble authentic documents for the targeted entities.
  • The PlugX remote access trojan (RAT) is a hallmark tool used by Mustang Panda to enable malicious activity.
  • Recent campaigns exploit CVEs such as CVE-2021-1675, CVE-2021-34527, and CVE-2021-40444.
  • SCR (screensaver) file extensions have been observed as a delivery method in at least one campaign.
  • Targets include APAC governments and MNNA (Major Non-NATO Ally) countries, with lures tied to high-profile events and crises (COVID-19, summits, disasters).

MITRE Techniques

  • [T1566] Phishing – Spear-phishing campaigns using native language and impersonation of government services. “spear-phishing campaigns, which utilize the target’s native language and often impersonate government services.”
  • [T1203] Exploitation for Client Execution – CVEs exploited by Mustang Panda. “Recently Exploited Vulnerabilities by Mustang Panda CVE-2021-1675, CVE-2021-34527, CVE-2021-40444.”
  • [T1036.007] Masquerading – Impersonation of legitimate entities (government services) to deceive targets. “spear-phishing campaigns, which utilize the target’s native language and often impersonate government services.”
  • [T1204.001] User Execution – An executable with a screensaver (SCR) file extension delivered for initial infection. “employed an executable with a screensaver (SCR) file extension for initial infection.”
  • [T1573.001] Command and Control – Use of PlugX RAT to facilitate malicious activities and maintain control. “One of their hallmark techniques includes the use of the PlugX remote access trojan (RAT), a tool… to facilitate their malicious activities.”
  • [T1003.003] Credential Access – Mention of credential-related access patterns via backdoor tools (PlugX family and others). “The PlugX remote access trojan (RAT), a tool first identified… to facilitate their malicious activities.”
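The SCR-based delivery cited under T1204.001 and T1036.007 is straightforward to hunt for in process-creation telemetry: a legitimate screensaver runs from System32, so an .scr image launched from a user-writable path or spawned by a mail client, archiver or browser stands out. The triage logic below is an added example written for this digest, not CYFIRMA's tooling; the event fields, parent-process list and sample paths are constructed assumptions.

```python
import ntpath
import re

# Legitimate Windows screensavers live here; an .scr anywhere else deserves a look (assumption).
SYSTEM_SCR_DIR = r"c:\windows\system32"
# Parents that typically hand a freshly delivered attachment or download to the user (assumed list).
DELIVERY_PARENTS = {"outlook.exe", "thunderbird.exe", "winrar.exe", "7zfm.exe",
                    "chrome.exe", "msedge.exe", "firefox.exe"}
# User-writable locations where phishing payloads are dropped before execution.
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(downloads|appdata|desktop|documents)\\", re.I)

def classify_event(event):
    """Return the reasons an event looks like SCR-delivered initial infection, or [] if none."""
    image = event["image"].lower()
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    reasons = []
    if not image.endswith(".scr"):
        return reasons
    if ntpath.dirname(image) != SYSTEM_SCR_DIR:
        reasons.append("scr outside System32")
    if parent in DELIVERY_PARENTS:
        reasons.append(f"spawned by {parent}")
    if USER_WRITABLE.match(image):
        reasons.append("user-writable path")
    return reasons

def severity(reasons):
    """One weak signal is worth a review; two or more together justify an alert."""
    if not reasons:
        return None
    return "alert" if len(reasons) >= 2 else "review"

def flag_scr_events(events):
    """Return (event, reasons, severity) for every event that raised at least one reason."""
    flagged = []
    for event in events:
        reasons = classify_event(event)
        if reasons:
            flagged.append((event, reasons, severity(reasons)))
    return flagged

# Constructed sample process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\Bubbles.scr", "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Users\alice\Downloads\summit_agenda.scr",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"image": r"C:\Users\alice\AppData\Local\Temp\Rar$EXa0.123\report.scr",
     "parent_image": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"image": r"C:\Users\alice\Downloads\setup.exe", "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for event, reasons, sev in flag_scr_events(SAMPLE_EVENTS):
        print(sev, event["image"], "|", "; ".join(reasons))
```

Feed it Sysmon event ID 1 or EDR process-start records mapped to the `image` and `parent_image` fields; the "scr outside System32" signal alone is deliberately weak because third-party screensavers exist.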

Indicators of Compromise

  • [Malware] PlugX family – PlugX, Horse Shell, WispRider, Poison Ivy, DOPLUGS, MQsTTang, MirrorFace, Sogu – observed as tools used by Mustang Panda.
  • [Vulnerabilities] CVE-2021-1675, CVE-2021-34527, CVE-2021-40444 – exploited vulnerabilities cited in recent campaigns.
  • [File Extension] SCR – an executable with a screensaver extension used for initial infection in at least one campaign.

Read more: https://www.cyfirma.com/research/apt-profile-mustang-panda/