Two paragraphs summarize a report on ongoing Chinese APT activity against EU governments and businesses, covering the groups involved, their tooling, and defensive recommendations. The report details APT27, APT31, APT15, and Mustang Panda campaigns, including Linux and Windows backdoors and their C2 methods, plus practical detection and response measures. Hashtags: #APT27 #SysUpdate #SysUpdateLinux #SoWaT #MQsTTang #MustangPanda #Turian #PlugX #HyperBro
Keypoints
- APTs described: APT27 (Lucky Mouse), APT31, APT15, and Mustang Panda, targeting EU governments and organizations for political and strategic intelligence.
- APT27’s SysUpdate backdoor now has a Linux variant with information retrieval (screenshots, system information), several execution options (process/service control, file manager, remote shell), and a DNS-based C2 option.
- SysUpdate’s Linux variant establishes persistence through systemd.
- APT31’s SoWaT backdoor targets MIPS-based routers; its covert, encrypted C2 traffic handling is used to receive remote commands.
- Mustang Panda’s MQsTTang backdoor uses the MQTT publish/subscribe messaging protocol for C2 communications, so the control channel looks like ordinary IoT broker traffic rather than bespoke malware traffic.
- Detection and response guidance emphasizes centralized log collection, EDR deployment, patching, security assessments, backups, incident response planning, and user awareness.
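The systemd persistence keypoint above is the kind of host-side finding the report’s log-collection and EDR advice is meant to surface. The following script is an added example, not code from the report or from any of the tooling it describes: it parses systemd unit files and flags services whose ExecStart binary lives in a user-writable or hidden location, has no Description but is enabled at boot, or is set to auto-restart. The two unit files are constructed for the demo, and the path list is a generic heuristic, not an indicator taken from the report.

```python
"""Audit systemd service units for persistence indicators (ATT&CK T1543.002).

Added example, not from the report: SysUpdate's Linux build persists through
systemd, so this check parses unit-file text and flags services whose ExecStart
binary lives somewhere a packaged service never would. The two unit files below
are constructed for the demo; the path list is a generic heuristic, not an
indicator taken from the report."""
import glob
import os
import re

UNIT_DIRS = ["/etc/systemd/system", "/usr/lib/systemd/system", "/lib/systemd/system",
             os.path.expanduser("~/.config/systemd/user")]
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/", "/run/user/")

def parse_unit(text):
    """Return {section: {key: value}} for a unit file; repeated keys keep the last value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def exec_binary(cmdline):
    """First word of ExecStart with systemd's prefix characters (-, @, :, +, !, !!) stripped."""
    words = cmdline.split()
    return words[0].lstrip("-@:+!") if words else ""

def unit_indicators(text):
    """Reasons a unit looks like persistence; an empty list means nothing stood out."""
    unit = parse_unit(text)
    service, reasons = unit.get("Service", {}), []
    binary = exec_binary(service.get("ExecStart", ""))
    if binary.startswith(WRITABLE_PREFIXES):
        reasons.append(f"ExecStart binary in user-writable location: {binary}")
    if "/." in binary:
        reasons.append(f"ExecStart binary under a hidden directory: {binary}")
    if "WantedBy" in unit.get("Install", {}) and not unit.get("Unit", {}).get("Description"):
        reasons.append("enabled at boot but carries no Description")
    if reasons and service.get("Restart") in ("always", "on-failure"):
        reasons.append("auto-restart keeps the implant alive after crashes")
    return reasons

def scan_units(units):
    """units: {name: unit text}. Returns {name: reasons} for every flagged unit."""
    flagged = {}
    for name, text in units.items():
        reasons = unit_indicators(text)
        if reasons:
            flagged[name] = reasons
    return flagged

def scan_host():
    """Read every *.service in the standard unit directories and scan it."""
    units = {}
    for directory in UNIT_DIRS:
        for path in glob.glob(os.path.join(directory, "*.service")):
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    units[path] = fh.read()
            except OSError:
                pass
    return scan_units(units)

# Constructed sample units: one packaged service, one planted one.
CLEAN_UNIT = """[Unit]
Description=OpenBSD Secure Shell server
After=network.target

[Service]
ExecStart=/usr/sbin/sshd -D
Restart=on-failure

[Install]
WantedBy=multi-user.target
"""
SUSPECT_UNIT = """[Service]
ExecStart=/tmp/.cache/update -d
Restart=always

[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    demo = {"ssh.service": CLEAN_UNIT, "update.service": SUSPECT_UNIT}
    for name, reasons in scan_units(demo).items():
        print(name, "->", "; ".join(reasons))
    for path, reasons in scan_host().items():   # live scan of this host, if run as root
        print(path, "->", "; ".join(reasons))
```

On a real host, pair the output with package ownership (`dpkg -S` / `rpm -qf` on the ExecStart binary) and unit-file modification times, since a planted unit in `/etc/systemd/system` will normally belong to no package and be newer than the rest.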
MITRE Techniques
- [T1113] Screen Capture – SysUpdate’s information retrieval includes Screenshots and System information. “Screenshots” quoted from the article.
- [T1082] System Information Discovery – SysUpdate retrieves system information. “System information” quoted from the article.
- [T1059] Command and Scripting Interpreter – SysUpdate execution options (Process/Service, File Manager, Remote Shell) indicate command execution capabilities. “Remote Shell” quoted from the article.
- [T1543.002] Create or Modify System Process: Systemd Service – Linux persistence via systemd for SysUpdate (T1543.003 is the Windows Service sub-technique; the systemd variant is .002). “establishes persistence through systemd” quoted from the article.
- [T1071.004] Application Layer Protocol: DNS – DNS-based C2 communications for SysUpdate. “Domain Resolution (DNS) traffic for its Command&Control communications” quoted from the article.
- [T1071] Application Layer Protocol, with [T1573] Encrypted Channel – SoWaT backdoor uses complex and encrypted C2 traffic to enable covert control. “the complexity of the Command&Control traffic handling and encryption shows that this backdoor was designed for covert deployment” quoted from the article.
- [T1071] Application Layer Protocol – MQsTTang backdoor communicates via MQTT for C2; recent ATT&CK versions add the Publish/Subscribe Protocols sub-technique (T1071.005), which covers MQTT. “MQsTTang backdoor communicating via the MQTT Protocol” quoted from the article.
- [T1059] Command and Scripting Interpreter – Turian (Windows backdoor) implies command execution on Windows targets. “custom Windows backdoor called ‘Turian’” quoted from the article.
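The two network-side techniques above, DNS-based C2 for SysUpdate and MQTT-based C2 for MQsTTang, can both be hunted in passive telemetry. The script below is an added example and is not code from the report or from the malware: the first half scores DNS query log lines for tunnel-shaped names (long high-entropy subdomains, TXT/NULL queries, many distinct names under one registered domain), and the second half fingerprints MQTT CONNECT packets in raw TCP payloads on any port, since a C2 broker need not listen on 1883/8883. The log line format, the sample queries, the `example.net`/`example.com` domains and the CONNECT packet are all constructed for the demo, and every threshold is a starting point to tune against your own baseline.

```python
"""Spot the two C2 channels the report attributes to SysUpdate (DNS, T1071.004)
and MQsTTang (MQTT, T1071). Added example, not code from the report or the
malware; the DNS log lines and MQTT packet are constructed, and every
threshold is a starting point to tune against your own baseline."""
import math
import re
from collections import defaultdict

# --- DNS: queries shaped like tunnelled data ---------------------------------
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<qtype>[A-Z]+) (?P<qname>\S+)$")

def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0

def registered_domain(qname):
    """Naive eTLD+1 (last two labels); use a public-suffix list in production."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_query(qname, qtype):
    """Per-query heuristics; returns (score, reasons)."""
    labels = qname.rstrip(".").split(".")
    sub = "".join(labels[:-2])          # everything left of the registered domain
    score, reasons = 0, []
    if max(map(len, labels)) > 40:
        score += 1; reasons.append("label over 40 chars")
    if len(sub) >= 20 and entropy(sub) > 3.5:
        score += 2; reasons.append(f"high-entropy subdomain ({entropy(sub):.2f} bits/char)")
    if qtype in ("TXT", "NULL"):
        score += 1; reasons.append(f"{qtype} query")
    return score, reasons

def detect_dns_c2(lines, min_score=3, min_unique=20):
    """Return (per-query hits, domains with at least min_unique distinct names)."""
    seen, hits = defaultdict(set), []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        qname = m["qname"].lower()
        seen[registered_domain(qname)].add(qname)
        score, reasons = score_query(qname, m["qtype"])
        if score >= min_score:
            hits.append((m["src"], qname, reasons))
    return hits, {d: len(n) for d, n in seen.items() if len(n) >= min_unique}

# --- MQTT: fingerprint CONNECT in any TCP payload, whatever the port ----------
def _varint(buf, pos):
    """Decode MQTT 'remaining length' (base-128, at most 4 bytes) -> (value, next_pos)."""
    value, mult = 0, 1
    for _ in range(4):
        if pos >= len(buf):
            return None, pos
        b, pos = buf[pos], pos + 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos
        mult *= 128
    return None, pos

def parse_mqtt_connect(payload):
    """Return CONNECT fields, or None if the payload is not an MQTT CONNECT."""
    if len(payload) < 2 or payload[0] != 0x10:    # packet type 1 (CONNECT), flags 0000
        return None
    remaining, pos = _varint(payload, 1)
    if remaining is None or remaining < 2 or len(payload) < pos + remaining:
        return None
    body = payload[pos:pos + remaining]
    name_len = int.from_bytes(body[:2], "big")
    name, p = body[2:2 + name_len], 2 + name_len
    if name not in (b"MQTT", b"MQIsdp") or len(body) < p + 6:   # 3.1.1/5 or 3.1
        return None
    level, flags = body[p], body[p + 1]
    keepalive, p = int.from_bytes(body[p + 2:p + 4], "big"), p + 4
    if level == 5:                                 # MQTT 5 inserts a properties block here
        plen, p = _varint(body, p)
        if plen is None:
            return None
        p += plen
    cid_len = int.from_bytes(body[p:p + 2], "big")
    client_id = body[p + 2:p + 2 + cid_len].decode("utf-8", "replace")
    return {"protocol": name.decode(), "level": level, "keepalive": keepalive,
            "clean_session": bool(flags & 0x02), "client_id": client_id}

def build_connect(client_id, keepalive=60):
    """Constructed MQTT 3.1.1 CONNECT (clean session, no auth) for the demo."""
    body = b"\x00\x04MQTT\x04\x02" + keepalive.to_bytes(2, "big")
    body += len(client_id).to_bytes(2, "big") + client_id.encode()
    return bytes([0x10, len(body)]) + body         # body < 128 bytes, so a 1-byte length

# --- constructed sample input ------------------------------------------------
DNS_LOG = ["2024-05-01T09:00:01Z 10.0.0.5 A www.example.com",
           "2024-05-01T09:00:02Z 10.0.0.5 TXT 9f3a7c1e5b2d8e6f4a0c3b7d1e9f5a2c.upd.example.net"]
DNS_LOG += [f"2024-05-01T09:01:{i:02d}Z 10.0.0.7 A {i:032x}.upd.example.net" for i in range(25)]

if __name__ == "__main__":
    hits, noisy = detect_dns_c2(DNS_LOG)
    for src, name, why in hits:
        print(f"DNS  {src} {name}: {', '.join(why)}")
    print("DNS  domains with many distinct names:", noisy)
    print("MQTT", parse_mqtt_connect(build_connect("client-01")))
```

Feed `detect_dns_c2` from your resolver or Zeek `dns.log` (after mapping the fields to the demo’s line format) and run `parse_mqtt_connect` over the first payload of each new TCP flow; a CONNECT from a workstation that has no business talking to an MQTT broker is the signal worth chasing.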
Indicators of Compromise
- [Hash] SHA-256 hashes for the mentioned samples – e9c6e9aba10b5e26e578efc6105727d74fbd3a02450fbda2b4ee052b3fbbaecb, 1d60edb577641ce47dc2a8299f8b7f878e37120b192655aaf80d1cde5ee482d2, and 2 more hashes