Mustang Panda’s Hodur: Old tricks, new Korplug variant

Researchers at ESET uncovered an ongoing Mustang Panda operation using a new Korplug variant, Hodur, noted for its aggressive anti-analysis and memory-only loading chain. The campaign uses European-current-events decoys to target diplomatic missions, research entities, and ISPs across multiple countries, with a heavy emphasis on loaders and the Korplug backdoor. #MustangPanda #Hodur

Keypoints

  • A new Korplug variant named Hodur is attributed to Mustang Panda; it resembles the THOR variant documented earlier and applies strong anti-analysis and obfuscation at every deployment stage.
  • The campaign has been active since at least August 2021 and was still ongoing as of March 2022, targeting diplomatic missions, research entities, and ISPs across multiple countries.
  • Decoy documents are frequently updated to reflect current European events (e.g., EU regulations, Ukraine-Russia context) to lure victims.
  • A custom loader delivers Korplug (PlugX) payloads via a trident pattern (legitimate executable, downloader, malicious module, encrypted Korplug), often using DLL side-loading.
  • Deployment includes encrypted and obfuscated components, with RC4 and XOR-based configuration encryption, plus opaque predicates and encrypted Windows API calls.
  • The Hodur backdoor uses a two-group C2 command structure (0x1001 and 0x1002) for reconnaissance and RAT functionality, with RC4-encrypted, LZNT1-compressed payloads and a custom TCP protocol.

MITRE Techniques

  • [T1583.001] Acquire Infrastructure: Domains – Mustang Panda has registered domains for use as download servers.
  • [T1583.003] Acquire Infrastructure: Virtual Private Server – Some download servers used by Mustang Panda appear to be on shared hosting.
  • [T1583.004] Acquire Infrastructure: Server – Mustang Panda uses servers that appear to be exclusive to the group.
  • [T1587.001] Develop Capabilities: Malware – Mustang Panda has developed custom loader and Korplug versions.
  • [T1588.006] Obtain Capabilities: Vulnerabilities – Multiple DLL hijacking vulnerabilities are used in the deployment process.
  • [T1608.001] Stage Capabilities: Upload Malware – Malicious payloads are hosted on the download servers.
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The Windows command shell is used to execute commands sent by the C&C server.
  • [T1106] Native API – Mustang Panda uses CreateProcess and ShellExecute for execution.
  • [T1129] Shared Modules – Mustang Panda uses LoadLibrary to load additional DLLs at runtime. The loader and RAT are DLLs.
  • [T1204.002] User Execution: Malicious File – Mustang Panda relies on the user executing the initial downloader.
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – The downloader obtains and launches a vulnerable application so that it loads and executes the malicious DLL that contains the second stage.
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Korplug can persist via registry Run keys.
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Korplug can persist by creating a scheduled task that runs on startup.
  • [T1140] Deobfuscate/Decode Files or Information – The Korplug file is encrypted and only decrypted at runtime, and its configuration data is encrypted with XOR.
  • [T1564.001] Hide Artifacts: Hidden Files and Directories – Directories created during the installation process are set as hidden system directories.
  • [T1564.003] Hide Artifacts: Hidden Window – Korplug can run commands on a hidden desktop.
  • [T1070] Indicator Removal on Host – Korplug’s uninstall command deletes the registry keys that store data and provide persistence.
  • [T1070.004] Indicator Removal on Host: File Deletion – Korplug can remove itself and all created directories.
  • [T1070.006] Indicator Removal on Host: Timestomp – When writing to a file, Korplug sets the file’s timestamps back to their previous values.
  • [T1036.004] Masquerading: Masquerade Task or Service – Scheduled tasks created for persistence use legitimate-looking names.
  • [T1036.005] Masquerading: Match Legitimate Name or Location – File and directory names match the expected values for the legitimate application abused by the loader.
  • [T1112] Modify Registry – Korplug can create, modify, and remove registry keys.
  • [T1027] Obfuscated Files or Information – Some downloaded files are encrypted and stored as hexadecimal strings.
  • [T1027.005] Obfuscated Files or Information: Indicator Removal from Tools – Imports are hidden by dynamic resolution of API function names.
  • [T1055.001] Process Injection: Dynamic-link Library Injection – Some versions of the Korplug loader inject the Korplug DLL into a newly launched process.
  • [T1620] Reflective Code Loading – Korplug parses and loads itself into memory.
  • [T1083] File and Directory Discovery – Korplug can list files and directories along with their attributes and content.
  • [T1082] System Information Discovery – Korplug collects extensive information about the system, including uptime, Windows version, CPU clock rate, amount of RAM, and display resolution.
  • [T1614] System Location Discovery – Korplug retrieves the system locale using GetSystemDefaultLCID.
  • [T1016] System Network Configuration Discovery – Korplug collects the system hostname and IP addresses.
  • [T1016.001] System Network Configuration Discovery: Internet Connection Discovery – The downloader pings Google’s DNS server to check internet connectivity.
  • [T1033] System Owner/User Discovery – Korplug obtains the current user’s username.
  • [T1124] System Time Discovery – Korplug uses GetSystemTime to retrieve the current system time.
  • [T1071.001] Application Layer Protocol: Web Protocols – Hodur can perform the initial handshake over HTTPS.
  • [T1095] Non-Application Layer Protocol – C2 communication is done over a custom TCP-based protocol.
  • [T1573.001] Encrypted Channel: Symmetric Cryptography – C2 communication is encrypted using RC4.
  • [T1008] Fallback Channels – The Korplug configuration contains fallback C2 servers.
  • [T1105] Ingress Tool Transfer – Korplug can download additional files from the C2 server.
  • [T1571] Non-Standard Port – When Hodur performs its initial handshake over HTTPS, it uses the same port as for the rest of the communication.
  • [T1132.001] Data Encoding: Standard Encoding – Korplug compresses transferred data using LZNT1.
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration is done via the same custom protocol used to send and receive commands.

Indicators of Compromise

  • [SHA-1] Hodur campaign samples (Korplug loader and decrypted memory payload) – 69AB6B9906F8DCE03B43BEBB7A07189A69DC507B, 10AE4784D0FFBC9CD5FD85B150830AEA3334A1DE
  • [Filename] Korplug-related binaries and loaders – coreclr.dll, PotPlayer.dll, PowerDVD18.exe, Shellsel.ocx, SmadHook32.dll
  • [SHA-1] Decrypted Korplug (dumped from memory) – 10AE4784D0FFBC9CD5FD85B150830AEA3334A1DE
  • [Domain] Download servers / C2 domains – upespr[.]com, zyber-i[.]com, locvnpt[.]com
  • [IP] C2/download server IPs – 103.56.53[.]120, 154.204.27[.]181
  • [IP] Additional download servers – 43.254.218[.]42, 45.131.179[.]179

Read more: https://www.welivesecurity.com/2022/03/23/mustang-panda-hodur-old-tricks-new-korplug-variant/