Unit 42 analyzes CL-STA-0044, a Stately Taurus–linked cyberespionage operation targeting a Southeast Asian government from 2021 through 2023, focusing on establishing long-term footholds and exfiltrating sensitive documents. The campaign leveraged ToneShell, ShadowPad, web shells, Cobalt Strike, and other tooling to maintain access and gather intelligence. #StatelyTaurus #MustangPanda #ToneShell #ShadowPad #CL-STA-0044
Key points
- Attribution to the Chinese cyberespionage group Stately Taurus (aka Mustang Panda) for activity in a Southeast Asian government context, with CL-STA-0044 as the monitored cluster.
- Use of ToneShell backdoor (undocumented variant) with a three-DLL architecture (persistence, networking, functionality) and DLL sideloading to load components into legitimate processes.
- Extensive credential theft, including Hdump and Mimikatz against LSASS memory, Mimikatz DCSync against domain controllers, and theft of the AD database (NTDS.dit) together with the SYSTEM hive, whose boot key is needed to decrypt it.
- Abuse of legitimate antivirus tooling (ERA Agent) to execute commands and install backdoors, using BAT files in a temp path.
- Maintaining access via multiple backdoors and web shells, complemented by Cobalt Strike deployment and ShadowPad usage for modular functions.
- Targeted exfiltration of documents through archiving (rar.exe) and uploading to Dropbox or cloud storage, with persistence scripts (autorun.vbs) to enable ongoing collection.
MITRE Techniques
- [T1046] Network Service Discovery – LadonGo scanned for live hosts and open ports using its smbscan, pingscan and sshscan modules. “The threat actor used LadonGo to scan for live hosts and open ports using commands like smbscan, pingscan and sshscan.”
- [T1016] System Network Configuration Discovery – NBTScan scanned IP networks for NetBIOS name information. “NBTScan is a program for scanning IP networks for NetBIOS name information.”
- [T1087.002] Account Discovery: Domain Account – AdFind (renamed a.logs) enumerated Active Directory users, computers and groups; results were saved as Domain_users_light.txt, Domain_computers_light.txt, Domain_groups_light.txt. “The threat actor renamed the tool a.logs… as shown in Figure 2, the threat actor saved the results of AdFind to the following filenames: Domain_users_light.txt, Domain_computers_light.txt, Domain_groups_light.txt.”
- [T1021] Remote Services – Impacket used to discover machines and users and query directories on remote machines for interesting files to exfiltrate. “Impacket: The threat actor used Impacket to gather information about the network, discover machines and users, and query directories on remote machines for interesting files to exfiltrate.”
- [T1003.001] OS Credential Dumping: LSASS Memory / [T1003.006] DCSync – Hdump.exe dumped credentials from memory; Mimikatz (renamed l.doc) was used to dump lsass.exe memory and extract user credentials; the Mimikatz DCSync feature was used to pull domain credentials from a DC by replication. “The threat actor deployed and used Hdump.exe … to dump credentials from memory.” “MimiKatz: The threat actor attempted to dump the memory of lsass.exe, using MimiKatz (named l.doc) to extract users’ credentials.” “The threat actor attempted to use MimiKatz’s DCSync feature…”
- [T1003.003] OS Credential Dumping: NTDS – NTDS.dit was copied from a volume shadow copy created with vssadmin, together with the SYSTEM hive; the boot key in SYSTEM is required to decrypt the hashes stored in NTDS.dit. “Stole the Ntds.dit file … boot key.”
- [T1218] Signed Binary Proxy Execution – Abuse of ERAAgent.exe (the ESET Remote Administrator agent) to execute BAT files and run commands via its Run Command task; since ERA is a centralized management suite, the activity also fits T1072 Software Deployment Tools. “ERAAgent.exe to execute BAT files with a naming pattern of …”
- [T1574.001] DLL Side-Loading – Each component of the undocumented ToneShell variant is loaded into a different legitimate process via DLL sideloading. “ToneShell … loaded into a different legitimate process via DLL sideloading.”
- [T1543.003] Windows Service / [T1053.005] Scheduled Task – The ToneShell persistence component installs either a service named DISMsrv or a scheduled task named TabletPCInputServices. “The persistence component will create two types of persistence: Service named DISMsrv … or Scheduled task TabletPCInputServices.”
- [T1574.001] DLL Side-Loading – ShadowPad module (log.dll) loaded into BDReinit.exe via DLL sideloading. “ShadowPad … abused DLL sideloading to load the ShadowPad module (log.dll) into a legitimate executable (BDReinit.exe).”
- [T1055] Process Injection – ShadowPad spawns and injects into wmplayer.exe and dllhost.exe. “ShadowPad then spawns and injects code into wmplayer.exe, which in turn spawns and injects code into dllhost.exe.”
- [T1105] Ingress Tool Transfer – The ToneShell functionality component supports file upload and download, and the actor staged additional tooling on hosts: rar.exe (executed remotely with RemCom) and a Cobalt Strike agent deployed as libcurl.dll for DLL sideloading. “The threat actor used RemCom to execute rar.exe remotely … deployed the Cobalt Strike agent under the name libcurl.dll.”
- [T1071] Application Layer Protocol – C2 domain used for C2 communication. “The networking component uses the domain www.uvfr4ep[.]com for C2 communication.”
- [T1056.001] Keylogging – Functionality component includes keylogging. “Functionality component capabilities include … Keylogging.”
- [T1113] Screen Capture – Functionality component includes screen capturing. “Functionality component capabilities include … Screen capturing.”
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – The autorun.vbs collection script was saved in the Startup directory so it runs at each logon. “autorun.vbs … saved in the startup directory.”
- [T1560] Archive Collected Data – Exfiltration prepped by rar.exe archiving files. “Before exfiltration, the threat actor used rar.exe to archive the files of interest.”
- [T1567.002] Exfiltration to Cloud Storage – Uploads to Dropbox. “Uploading the archived files to Dropbox, a file hosting service.”
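The technique list above names concrete, huntable artifacts: ERAAgent.exe launching .bat files from a temp path, a vssadmin shadow copy followed by an NTDS.dit copy and a SYSTEM hive export, the DISMsrv service and TabletPCInputServices task, the wmplayer.exe → dllhost.exe injection chain, log.dll loaded by BDReinit.exe, rar.exe archiving, the AdFind output names and autorun.vbs in the Startup folder. The following hunt script is an added example (not Unit 42's code and not from the page) that turns those artifacts into rules over Sysmon-style process-create, image-load and file-create events. The JSON event format and every sample record are constructed; in particular the page elides the ERA .bat naming pattern, so the script matches only "ERAAgent.exe spawns a .bat from a temp directory" and the filename used in the sample is an assumption.

```python
"""Hunt for the CL-STA-0044 behaviours listed above over Sysmon-style events.

Added example; not code from Unit 42 or from the page. The event schema
(Sysmon-like fields in JSON lines) and all sample records are constructed.
"""
import json
import re
from collections import defaultdict

# Constructed sample telemetry: EventID 1 (process create), 7 (image load)
# and 11 (file create). Hosts/paths are invented; the ERA .bat name is an
# assumption because the page does not give the real naming pattern.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\ESET\\RemoteAdministrator\\Agent\\ERAAgent.exe", "CommandLine": "cmd.exe /c C:\\Windows\\Temp\\ra-run-command.bat"}
{"EventID": 1, "Computer": "DC01", "Image": "C:\\Windows\\System32\\vssadmin.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "vssadmin create shadow /for=C:"}
{"EventID": 1, "Computer": "DC01", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit C:\\Windows\\Temp\\ntds_copy.dit"}
{"EventID": 1, "Computer": "DC01", "Image": "C:\\Windows\\System32\\reg.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "reg save HKLM\\SYSTEM C:\\Windows\\Temp\\sys.hiv"}
{"EventID": 1, "Computer": "WS02", "Image": "C:\\Windows\\System32\\sc.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "sc create DISMsrv binPath= C:\\Windows\\Logs\\files\\svc.exe start= auto"}
{"EventID": 1, "Computer": "WS02", "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "schtasks /create /tn TabletPCInputServices /tr C:\\Windows\\Logs\\logs\\t.exe /sc onlogon"}
{"EventID": 1, "Computer": "WS03", "Image": "C:\\Windows\\System32\\dllhost.exe", "ParentImage": "C:\\Program Files\\Windows Media Player\\wmplayer.exe", "CommandLine": "dllhost.exe"}
{"EventID": 7, "Computer": "WS03", "Image": "C:\\Users\\Public\\BDReinit.exe", "ImageLoaded": "C:\\Users\\Public\\log.dll"}
{"EventID": 1, "Computer": "FS01", "Image": "C:\\Windows\\Logs\\rar.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "rar.exe a -r C:\\Windows\\Logs\\files\\docs.rar D:\\Shares\\Policy\\*.docx"}
{"EventID": 11, "Computer": "FS01", "Image": "C:\\Windows\\Logs\\a.logs", "TargetFilename": "C:\\Windows\\Logs\\Domain_users_light.txt"}
{"EventID": 11, "Computer": "WS04", "Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\autorun.vbs"}
{"EventID": 1, "Computer": "WS05", "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "svchost.exe -k netsvcs"}
"""

TEMP_DIRS = ("\\temp\\", "\\tmp\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
ADFIND_OUTPUTS = {"domain_users_light.txt", "domain_computers_light.txt", "domain_groups_light.txt"}


def load_events(text):
    """Parse JSON-lines telemetry into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Rules over process-create events; each hit is '<technique> <description>'."""
    img, parent = base(ev.get("Image", "")), base(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "").lower()
    hits = []
    if parent == "eraagent.exe" and ".bat" in cmd and any(t in cmd for t in TEMP_DIRS):
        hits.append("T1218 ERAAgent.exe ran a .bat from a temp path")
    if img == "vssadmin.exe" and "create shadow" in cmd:
        hits.append("T1003.003 shadow copy created (possible NTDS.dit staging)")
    if "ntds.dit" in cmd and "harddiskvolumeshadowcopy" in cmd:
        hits.append("T1003.003 NTDS.dit copied out of a shadow copy")
    if img == "reg.exe" and re.search(r"\bsave\b.*hklm\\system", cmd):
        hits.append("T1003.003 SYSTEM hive (boot key) exported")
    if img == "sc.exe" and "create" in cmd and "dismsrv" in cmd:
        hits.append("T1543.003 ToneShell persistence service DISMsrv")
    if img == "schtasks.exe" and "/create" in cmd and "tabletpcinputservices" in cmd:
        hits.append("T1053.005 ToneShell persistence task TabletPCInputServices")
    if img == "dllhost.exe" and parent == "wmplayer.exe":
        hits.append("T1055 dllhost.exe spawned by wmplayer.exe (ShadowPad injection chain)")
    if img == "rar.exe" and re.search(r"\brar\.exe\s+a\b", cmd):
        hits.append("T1560 rar.exe archiving collected files")
    return hits


def check_image_load(ev):
    """ShadowPad loader: log.dll sideloaded into BDReinit.exe."""
    if base(ev.get("Image", "")) == "bdreinit.exe" and base(ev.get("ImageLoaded", "")) == "log.dll":
        return ["T1574.001 log.dll sideloaded into BDReinit.exe (ShadowPad)"]
    return []


def check_file_create(ev):
    """AdFind output names and the autorun.vbs Startup-folder persistence."""
    target = ev.get("TargetFilename", "").lower()
    hits = []
    if base(target) in ADFIND_OUTPUTS:
        hits.append("T1087.002 AdFind output file written")
    if STARTUP_DIR in target and target.endswith("autorun.vbs"):
        hits.append("T1547.001 autorun.vbs dropped in the Startup folder")
    return hits


def hunt(events):
    """Return {host: [findings]} for every host with at least one rule hit."""
    rules = {1: check_process, 7: check_image_load, 11: check_file_create}
    findings = defaultdict(list)
    for ev in events:
        hits = rules.get(ev.get("EventID"), lambda e: [])(ev)
        if hits:
            findings[ev.get("Computer", "?")].extend(hits)
    return dict(findings)


def score_hosts(findings):
    """Hosts showing two or more distinct techniques, to prioritise triage."""
    distinct = {h: {f.split()[0] for f in fs} for h, fs in findings.items()}
    return {h: len(t) for h, t in distinct.items() if len(t) >= 2}


if __name__ == "__main__":
    found = hunt(load_events(SAMPLE_EVENTS))
    for host, hits in sorted(found.items()):
        for h in hits:
            print(f"{host}: {h}")
    print("priority hosts:", score_hosts(found))
```

The shadow-copy, NTDS.dit and SYSTEM rules fire separately on purpose: on a real domain controller a lone `vssadmin create shadow` can be backup activity, but all three on one host within a short window is the T1003.003 pattern described above and should be escalated. Point the script at your own exported Sysmon or EDR JSON by replacing SAMPLE_EVENTS, and extend the rule tables with the remaining IOCs from the article.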
Indicators of Compromise
- [File Hash] CL-STA-0044 LadonGo indicators – 4a8b7cfb2e33aa079ba51166591c7a210ad8b3c7c7f242fccf8cb2e71e8e40d5, 12534f7014b3338d8f9f86ff1bbeacf8c80ad03f1d0d19077ff0e406c58b5133, 6868f5ce836034557e05c7ddea006a91d6fc59de7e235c9b08787bd6dbd2b837, and 2 more hashes
- [Domain] Infrastructure domains – www.uvfr4ep[.]com, Feed-5613.coderformylife[.]info, and other domains
- [IP Address] Network/C2 addresses – 45.64.184[.]189, 43.254.132[.]242, and 3 more IPs
- [File Name] Related filenames used in data gathering – Domain_users_light.txt, Domain_computers_light.txt, Domain_groups_light.txt
- [File Path] Likely persistence and operation paths – C:\Windows\Logs\logs, C:\Windows\Logs\files, and 8 more items
Read more: https://unit42.paloaltonetworks.com/stately-taurus-attacks-se-asian-government/