Actors linked to Mustang Panda are associated with a targeted campaign against Australia amid the AUKUS security pact, using a ZIP-based lure that delivers a malicious DLL via DLL side-loading to establish persistence and enable PlugX deployment. The operation highlights how quickly China's cyber activity is perceived to follow geopolitical events, and names an Australian official, Senator Don Farrell, as a likely focus. #MustangPanda #AUKUS #DonFarrell #SolidPDFCreator #PlugX #Australia
Keypoints
- The AUKUS partnership includes cyber capabilities sharing, with some sources framing it as elevating deterrence of conventional capabilities.
- The US pledges $4.6 billion; Australia plans to buy submarines and build eight nuclear submarines, with the first expected to be ready in 2042 and some aspects still awaiting approval by Congress.
- Australia's decision to terminate its submarine contract with France and switch to nuclear submarines has drawn criticism from France and China, which call the deal destabilising and provocative.
- China warns of destabilisation and potential escalation in the region, signaling a broader geopolitical cyber dimension to the dispute.
- Lab52 flags Mustang Panda as a possible actor behind attacks on the Australian government and identifies a targeted campaign linked to Senator Don Farrell.
- A ZIP payload named after Senator Don Farrell's profile contains a legitimate-looking executable and a malicious DLL; the stager establishes persistence via DLL side-loading.
- The stager uses CMD to copy the DLL, adds a Run registry key, and creates a scheduled task to run the payload, showing explicit use of Windows tooling for persistence.
MITRE Techniques
- [T1574.002] DLL Side-Loading – Persistence is achieved through DLL side-loading by the stager. ‘Persistence is done through a Dll Side Loading by the stager.’
- [T1059.003] Windows Command Shell – The stager executes commands via cmd.exe to copy the payload, add a Run key, and create a scheduled task. ‘C:\Windows\SysWOW64\cmd.exe /C copy SolidPDFCreator.dll C:\Users\Public\Libraries\PhotoTvRHD\SolidPDFCreator.dll & reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v SolidPDF /t reg_sz /d "C:\Users\Public\Libraries\PhotoTvRHD\SolidPDFCreator.exe" /F & schtasks /F /Create /TN SolidPDF /SC minute /MO 1 /TR C:\Users\Public\Libraries\PhotoTvRHD\SolidPDFCreator.exe’
- [T1036] Masquerading – The stager disguises its traffic as Microsoft update communications by hardcoding a legitimate Host header (www.asia.microsoft.com). ‘hardcoding a legitimate host header www.asia.microsoft.com’
- [T1566.001] Phishing: Spearphishing Attachment – The campaign uses a ZIP named Biography of Senator the Hon Don Farrell.zip containing an executable that poses as a document, consistent with targeted delivery of a malicious attachment. ‘The zip drops two files. On the one hand, the legitimate application … Biography of Senator the Hon Don Farrell.exe’
- [T1071.001] Web Protocols – The stager communicates over a web protocol with its C2 address (123.253.35[.]231). ‘… requesting against 123.253.35[.]231 as C2.’
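The persistence chain above is distinctive because one cmd.exe command line does three things at once: stages a file in a world-writable directory, adds an HKCU Run value, and registers a scheduled task that fires every minute. The following detection logic is an added example written for this summary, not code from Lab52 or from the campaign; it scores process-creation events (Sysmon Event ID 1 or EDR style, reduced to pid, image and command line) for that combination and extracts the Run value, task name and launch path a responder would need to clean up. The event records, the directory list and the tag names are constructed for the example.

```python
"""
Added example (not from the Lab52 post): flag a cmd.exe command line that chains
file staging into a user-writable directory, an HKCU Run value and a
once-per-minute scheduled task, the persistence pattern described in the summary.
The SAMPLE_EVENTS below are constructed, not real telemetry.
"""
from __future__ import annotations

import re

# Directories any interactive user can write to; a DLL dropped here beside a
# legitimately signed host EXE is the classic side-loading setup. Constructed list.
WRITABLE_DIRS = (r"c:\users\public", r"c:\programdata", r"c:\windows\temp", r"\appdata\local\temp")

# 'reg add HKCU\...\Run' with optional .exe suffix and optional opening quote.
RUN_KEY_RE = re.compile(
    r'^reg(?:\.exe)?\s+add\s+"?hk(?:cu|ey_current_user)\\software\\microsoft\\windows\\currentversion\\run'
)
# Leading 'C:\...\cmd.exe /C ' wrapper in front of the first sub-command.
CMD_PREFIX_RE = re.compile(r'^.*?cmd(?:\.exe)?"?\s+/[ck]\s+', re.I)

SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": (r'C:\Windows\SysWOW64\cmd.exe /C copy SolidPDFCreator.dll '
                 r'C:\Users\Public\Libraries\PhotoTvRHD\SolidPDFCreator.dll '
                 r'& reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" '
                 r'/v SolidPDF /t reg_sz /d "C:\Users\Public\Libraries\PhotoTvRHD\SolidPDFCreator.exe" /F '
                 r'& schtasks /F /Create /TN SolidPDF /SC minute /MO 1 '
                 r'/TR C:\Users\Public\Libraries\PhotoTvRHD\SolidPDFCreator.exe')},
    {"pid": 5000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /C copy report.docx C:\Users\alice\Documents\report.docx'},
    {"pid": 5100, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /TN Backup /SC daily /TR C:\Program Files\Backup\backup.exe'},
]


def split_chain(cmdline: str) -> list[str]:
    """Break 'a & b && c' into sub-commands (assumes '&' never appears inside quotes)."""
    first, *rest = re.split(r"\s*&{1,2}\s*", cmdline)
    first = CMD_PREFIX_RE.sub("", first, count=1)  # drop the 'cmd.exe /C' wrapper
    return [s.strip() for s in (first, *rest) if s.strip()]


def classify(segment: str) -> str | None:
    """Label one sub-command with the persistence primitive it implements, if any."""
    s = segment.lower()
    if re.match(r"(copy|xcopy|move)\s", s) and any(d in s for d in WRITABLE_DIRS):
        return "stage_to_writable_dir"
    if RUN_KEY_RE.match(s):
        return "hkcu_run_key"
    if re.match(r"schtasks(?:\.exe)?\s", s) and "/create" in s and re.search(r"/sc\s+minute", s):
        return "schtasks_every_minute"
    return None


def artifacts(segment: str) -> dict:
    """Pull the names a responder needs for cleanup: Run value, task name, launched path."""
    out = {}
    m = re.search(r"/v\s+(\S+)", segment, re.I)
    if m and RUN_KEY_RE.match(segment.lower()):
        out["run_value"] = m.group(1)
    m = re.search(r"/tn\s+(\S+)", segment, re.I)
    if m:
        out["task_name"] = m.group(1)
    m = re.search(r'/(?:d|tr)\s+"?([^"]+?\.exe)"?', segment, re.I)  # reg /d or schtasks /TR
    if m:
        out["launch_path"] = m.group(1)
    return out


def analyze(event: dict) -> dict:
    """Return the primitives seen on one command line, a verdict and cleanup artifacts."""
    tags, found = set(), {}
    for seg in split_chain(event["cmdline"]):
        tag = classify(seg)
        if tag:
            tags.add(tag)
            found.update(artifacts(seg))
    if {"hkcu_run_key", "schtasks_every_minute"} <= tags:
        verdict = "persistence_chain"  # two independent autostart paths in a single line
    elif tags:
        verdict = "review"
    else:
        verdict = "benign"
    return {"pid": event["pid"], "tags": sorted(tags), "verdict": verdict, "artifacts": found}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(analyze(ev))
```

Splitting on `&` before matching is what makes the rule resilient: the Run-key and schtasks regexes are anchored to the start of their own sub-command, so an attacker reordering the chain or moving the copy elsewhere still trips the two-autostart verdict, while a lone `schtasks /SC daily` or a copy into a user's Documents folder stays benign. Command lines that quote an `&` would need a proper tokenizer, which this example deliberately omits.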
Indicators of Compromise
- [IP address] C2 – 123.253.35[.]231
- [Domain] Web domain used for masquerade – www.asia.microsoft.com
- [File hash] – 4fbfbf1cd2efaef1906f0bd2195281b77619b9948e829b4d53bf1f198ba81dc5, e2acbc36c2cce4050e34033c12f766fea58b4196d84cf40e979fac8fed24c942, 3c4671b4a0c3e7da186bd356e07cf0daca7267addde668044b1ded42c6dbe09b, and 4 more hashes
- [File name] – Biography of Senator the Hon Don Farrell.zip, Biography of Senator the Hon Don Farrell.exe, and SolidPDFCreator.dll
Read more: https://lab52.io/blog/new-mustang-pandas-campaing-against-australia/