Stately Taurus (aka Mustang Panda / Earth Preta) is a decade-old APT that targeted ASEAN-region countries with two malware packages around March 4–5, 2024, during the ASEAN-Australia summit. WhoisXMLAPI’s analysis expands the campaign IoCs to 61 email-connected domains, 67 string-connected domains, and 19 IP addresses across multiple registrars and countries. #StatelyTaurus #MustangPanda #EarthPreta #Doplugs #WhoisXMLAPI
Keypoints
- The Stately Taurus campaign targeted ASEAN-region countries (Japan, Myanmar, the Philippines, Singapore) using two malware packages observed in early March 2024.
- The initial IoCs comprised 8 subdomains, 13 domains (6 of them extracted from the subdomains), and 15 IP addresses; the expansion added 61 email-connected domains and 67 string-connected domains and brought the IP address total to 19.
- WHOIS bulk lookup found registrations across four registrars (NameCheap, NameSilo, Cool River Names LLC, Hosting Concepts) with domains registered from 2022–2024 and registrants spread across Iceland, the U.S., France, and the Netherlands.
- IP geolocation placed the addresses in seven countries (chiefly China and the U.S.) under eight ISPs, XNNET LLC among them; several IPs may be unassigned.
- DNS lookups, reverse IP lookups, DNS history, and IP geolocation expanded connections to additional artifacts and web properties connected to Stately Taurus.
- Threat intel mapping links some IoCs to malware, C2 activity, phishing, and spam, illustrating multi-faceted cyber threat activity tied to the infrastructure.
- Initial IoCs consisted of eight subdomains, 13 domains, and 15 IPs, with later analysis revealing more than 130 connected artifacts.
MITRE Techniques
- [T1583] Acquire Infrastructure – Domain and IP infrastructure mapping through WHOIS, DNS, and geolocation to understand attacker hosting/registration; “The next step was to subject the 15 IP addresses tagged as IoCs to a bulk IP geolocation lookup, leading us to discover that…”
- [T1583.001] Domain Registration – Domain registrations spread across registrars; “Four registrars administered them—NameCheap, Inc. with six domains; NameSilo LLC with five domains; and Cool River Names LLC and Hosting Concepts with one domain each.”
- [T1583.002] IP Address Resources – IPs geolocated across seven countries and managed by eight ISPs; “The IP addresses were geolocated across seven countries. Seven originated from China; three from the U.S.; and one IP address each from Malaysia, Singapore, Spain, India, and Australia. They were controlled by eight ISPs.”
- [T1071.001] Web Protocols – C2/Malware/Phishing activity tied to IoCs; “IP ADDRESSES … ASSOCIATED THREAT TYPES … 103[.]28[.]91[.]193 Malware; 3[.]64[.]163[.]50 C2 Phishing Malware Spam”
- [T1566.001] Phishing – Explicitly listed as an associated threat type for certain IoCs; “3[.]64[.]163[.]50 … C2 Phishing Malware Spam”
- [T1016] System Network Configuration Discovery – DNS lookups on IoCs to obtain IP resolutions; “DNS lookups on the seven domains and eight subdomains tagged as IoCs to obtain their IP resolutions.”
Indicators of Compromise
- [Domains] – IoCs include 8 subdomains and 13 domains; 61 email-connected domains and 67 string-connected domains are also linked to IoCs
- [IP Addresses] – 19 IP addresses in total; the two quoted from the associated-threat-type table are 103[.]28[.]91[.]193 and 3[.]64[.]163[.]50
- [Emails] – 38 email addresses found in historical WHOIS records, 8 of which were public
- [Strings] – 67 string-connected domains; the pivot strings include a pattern that starts with "electric" and contains "tulsa", plus "iviber", "meet with viber", "getfiledown", "getfilefox", "estmongolia", "openservername", "nerdnooks", "daydreamdew", "comsnews", "bonuscave", and "markplay".
- [Other/Related IoCs] – DNS lookups and reverse IP lookups expanded the web properties connected to Stately Taurus; Threat Intelligence API links reveal malware/C2/phishing/spam associations
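As an added illustration (not code from the CircleID post or from WhoisXMLAPI), the string-connected pivot and the IP IoCs above can be turned into a resolver-log check: refang the bracket-defanged indicators, encode the report's "starts with electric and contains tulsa" pattern as a rule, and flag queries that hit either the IP set or a string rule. Only the two IP addresses come from the page; the log format and every domain are constructed.

```python
import re

# Undo the bracket defanging the report uses ("3[.]64[.]163[.]50" -> "3.64.163.50").
def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")

# The two IP IoCs quoted in the report; every domain further down is constructed.
IP_IOCS = {refang(i) for i in ("103[.]28[.]91[.]193", "3[.]64[.]163[.]50")}

# "String-connected" rules as (required prefix, substrings that must all appear),
# applied to the registrable label. The first mirrors the report's
# "starts with electric and contains tulsa"; the rest use its example strings.
RULES = (("electric", ("tulsa",)), ("", ("getfiledown",)),
         ("", ("getfilefox",)), ("", ("estmongolia",)))

def registrable_label(domain: str) -> str:
    # Second-level label only; a real pipeline would consult a public-suffix list.
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def string_connected(domain: str) -> bool:
    # Treat a hit as a lead to vet, not a verdict: string pivots also catch
    # unrelated look-alike registrations.
    label = registrable_label(domain)
    return any(label.startswith(p) and all(s in label for s in subs) for p, subs in RULES)

# Constructed resolver log format: "client=<ip> query=<name> answer=<ip>".
LOG_LINE = re.compile(r"client=(?P<src>\S+) query=(?P<qname>\S+) answer=(?P<answer>\S+)")

def scan_dns_log(lines):
    """Return (client, qname, answer, reasons) for lines that touch the IoC set."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        reasons = []
        if m["answer"] in IP_IOCS:
            reasons.append("ip-ioc")
        if string_connected(m["qname"]):
            reasons.append("string-connected")
        if reasons:
            hits.append((m["src"], m["qname"], m["answer"], reasons))
    return hits

SAMPLE_LOG = [  # constructed lines, not real telemetry
    "client=10.0.0.5 query=www.example.com answer=93.184.216.34",
    "client=10.0.0.7 query=update.electrictulsa-news.com answer=3.64.163.50",
    "client=10.0.0.9 query=cdn.getfiledown-sync.net answer=198.51.100.20",
]
```

Running `scan_dns_log(SAMPLE_LOG)` returns the second and third lines, the first tagged with both reasons, the second with "string-connected" only.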
Read more: https://circleid.com/posts/20240524-stately-taurus-apt-group-targets-asian-countries