Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2


This article provides a technical analysis of two new keyloggers (PAKLOG and CorKLOG) and an EDR evasion driver (SplatCloak) employed by Mustang Panda in their targeted attacks. It highlights the functionality and evasion techniques used by these tools, emphasizing their capabilities in keylogging, data encryption, and persistent evasion tactics against security measures.

Affected: EDR systems, Windows Defender, Kaspersky, targeted individuals or organizations

Key points:

  • Mustang Panda has developed new keylogging tools named PAKLOG and CorKLOG, along with an EDR evasion driver called SplatCloak.
  • PAKLOG monitors keystrokes and clipboard data, using custom encoding to obfuscate logged data.
  • CorKLOG encrypts captured data with a 48-character RC4 key and maintains persistence through services or scheduled tasks.
  • SplatCloak disables essential Windows Defender and Kaspersky drivers by hindering kernel notifications and employs various obfuscation techniques.
  • The tools are delivered via RAR archives containing both legitimate binaries and malicious components for side-loading.
  • Mustang Panda shows continuous development of new tools and methodologies to enhance their operational security.

MITRE Techniques:

  • T1574.002 Hijack Execution Flow: DLL Side-Loading – All DLLs are sideloaded by legitimate signed Windows binaries.
  • T1056.001 Input Capture – Keylogging – PAKLOG captures user keystrokes in Windows.
  • T1115 Clipboard Data – PAKLOG captures clipboard contents when Ctrl + V is pressed.
  • T1027 Obfuscated Files or Information – PAKLOG uses simple encoding to obfuscate keystroke logs.
  • T1573.001 Symmetric Cryptography – The tools utilize XOR and RC4 encryption algorithms for data protection.
  • T1562.001 Impair Defenses: Disable or Modify Tools – SplatCloak has capabilities to disable monitoring callbacks of security tools like Windows Defender and Kaspersky.
  • TA0002 Execution – CorKLOG sets up a Scheduled Task for execution persistence.
  • T1569.002 System Services: Service Execution – CorKLOG and SplatCloak are registered as Windows services.

Indicators of Compromise:

  • [File] key.rar – RAR archive file containing malicious tools.
  • [File] pa_lang2.dll – This is PAKLOG, a Windows keylogger.
  • [File] PACLOUD.exe – Legitimate and signed binary associated with PAKLOG deployment.
  • [File] mscorsvc.dll – CorKLOG keylogger DLL.
  • [File] BugSplatHD64.exe – Legitimate binary used to execute SplatCloak through SplatDropper.
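The side-loading pattern above (a legitimate signed binary loading a malicious DLL placed beside it) is something a defender can hunt for in image-load telemetry. The following is an added example, not code from the Zscaler write-up: it scans constructed Sysmon-style "Image loaded" events, flags a direct hit on the DLL names from the IoC list, and separately flags the behavioural pattern of a known-abused host binary (PACLOUD.exe, BugSplatHD64.exe) loading an unsigned DLL from its own directory. The key=value line layout, the `Signed` field, and the sample paths and `example_unsigned.dll` name are assumptions made for this example.

```python
"""Added example (not from the write-up): flag DLL side-loading candidates
in image-load telemetry using the file names reported as IoCs."""
import re
import ntpath  # parse Windows paths correctly on any host OS

# DLLs and legitimate host binaries named in the write-up's IoC list.
KNOWN_SIDELOADED_DLLS = {"pa_lang2.dll", "mscorsvc.dll"}
LEGIT_HOST_BINARIES = {"pacloud.exe", "bugsplathd64.exe"}

# Constructed sample events (not real telemetry). Field names mimic Sysmon
# Event ID 7; the key=value layout and paths are assumptions for this example.
SAMPLE_EVENTS = """\
Image=C:\\Users\\victim\\key\\PACLOUD.exe ImageLoaded=C:\\Users\\victim\\key\\pa_lang2.dll Signed=false
Image=C:\\Windows\\System32\\svchost.exe ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signed=true
Image=C:\\Users\\victim\\key\\BugSplatHD64.exe ImageLoaded=C:\\Users\\victim\\key\\example_unsigned.dll Signed=false
Image=C:\\Program Files\\Vendor\\tool.exe ImageLoaded=C:\\Windows\\System32\\version.dll Signed=true
"""

# key=value pairs whose values may contain spaces (e.g. "Program Files");
# a value runs until the next " key=" token or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one key=value event line into a dict."""
    return dict(FIELD_RE.findall(line))


def classify(event):
    """Return the reasons this image-load looks like side-loading (empty if benign)."""
    host = event.get("Image", "")
    module = event.get("ImageLoaded", "")
    signed = event.get("Signed", "").lower() == "true"
    host_name = ntpath.basename(host).lower()
    module_name = ntpath.basename(module).lower()
    reasons = []
    # 1) Direct IoC hit on a DLL name from the write-up.
    if module_name in KNOWN_SIDELOADED_DLLS:
        reasons.append(f"known Mustang Panda DLL name: {module_name}")
    # 2) Behavioural: a known-abused signed binary loads an unsigned DLL that
    #    sits in its own directory, the classic side-loading layout.
    same_dir = ntpath.dirname(host).lower() == ntpath.dirname(module).lower()
    if host_name in LEGIT_HOST_BINARIES and not signed and same_dir:
        reasons.append(f"{host_name} loaded unsigned co-located DLL {module_name}")
    return reasons


def find_sideloading(log_text):
    """Scan all event lines; return [(host_name, module_name, reasons), ...] for hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits.append((ntpath.basename(event["Image"]),
                         ntpath.basename(event["ImageLoaded"]),
                         reasons))
    return hits


if __name__ == "__main__":
    for host, module, reasons in find_sideloading(SAMPLE_EVENTS):
        print(f"[ALERT] {host} -> {module}: {'; '.join(reasons)}")
```

The behavioural rule fires on the third sample line even though `example_unsigned.dll` is not in the IoC list, which is the point: renamed payloads evade a name match but still have to be loaded unsigned from beside the abused host binary. In production the `Signed` check should come from the telemetry source's signature verification rather than a free-text field.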

Full Story: https://www.zscaler.com/blogs/security-research/latest-mustang-panda-arsenal-paklog-corklog-and-splatcloak-p2