Mustang Panda deploys evasive, multi-stage malware for intelligence gathering (Attack Anatomy)

The APT group designated Mustang Panda has targeted governments around the world, including the U.S., Mongolia, Myanmar, Hong Kong, Japan, and Thailand.

Howard Poston, Jan 27, 2025

Mustang Panda is believed to be a Chinese state-sponsored threat actor operating since at least 2012 specializing in cyber espionage. 

The malware and precise techniques that Mustang Panda uses have shifted over time and from one campaign to another. However, their overall strategy of using multi-stage malware and DLL Side-Loading, and their preferred malware—PlugX—have stayed relatively constant for the last decade.

This is the fourth article in our Attack Anatomy series, which examines a cyberattack or a threat actor through the lens of the MITRE ATT&CK framework. 

Like other posts in the Attack Anatomy series, this article overviews the techniques used by Mustang Panda and maps them to Hack The Box (HTB) resources for teams to gain hands-on experience with attacking and defending.

Mustang Panda and PlugX malware campaign attack techniques explained

Mustang Panda Action | MITRE ATT&CK Technique | HTB Academy Modules | Pentesting Labs | Defensive Labs
Malicious archive files attached to emails | T1566.001 Spearphishing Attachment | Malicious Document Analysis | HorsePanda, String | HorsePanda -D
Tricking users into executing programs | T1204.002 User Execution: Malicious File | Malicious Document Analysis | HorsePanda, Moniker | HorsePanda -D
.url attachments on phishing emails | T1566.002 Phishing: Spearphishing Link | Understanding Log Sources & Investigating with Splunk | HorsePanda | HorsePanda -D
Load malware into legitimate process via DLL Side-Loading | T1574.002 Hijack Execution Flow: DLL Side-Loading | Windows Privilege Escalation | HorsePanda, Watch | HorsePanda -D
Encrypting PlugX and other malware | T1027 Obfuscated Files or Information | JavaScript Deobfuscation | HorsePanda | HorsePanda -D
Digitally-signed DOWNBAIT malware | T1553.002 Subvert Trust Controls: Code Signing | Introduction to Malware Analysis | HorsePanda | HorsePanda -D
Loading downloaded PULLBAIT shellcode into memory | T1055 Process Injection | Introduction to Windows Evasion Techniques | HorsePanda | HorsePanda -D
Compress collected data in archive files for exfiltration | T1560 Archive Collected Data | File Transfers | HorsePanda, Follina | HorsePanda -D

Test or defend systems against Mustang Panda’s techniques  

HorsePanda is a threat-informed lab that focuses on simulating an APT campaign based on the techniques employed by Mustang Panda, including phishing and DLL side-loading. 

This lab provides a simplified yet realistic environment for your security team to practice the fundamentals of the attack (crafting a RAR file containing a Windows shortcut disguised as a Word document, which points to a legitimate signed executable accompanied by a malicious DLL).

HorsePanda -D, on the other hand, is a defensive lab that requires your team to investigate a system compromised by a threat group employing techniques from Mustang Panda and the Uroburos rootkit. This lab helps your organization fortify its defenses, investigate security breaches, and identify the attack path in order to create effective detection rules.
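The kind of detection rule the defensive lab asks for, written out as an added example for this article (not code from Hack The Box or the HorsePanda -D lab): it evaluates Sysmon Event ID 7 (image loaded) records and flags a DLL that is resolved from the executable's own folder, where that folder is outside the normally non-writable Windows and Program Files trees, and the DLL carries no valid signature. Field names follow the public Sysmon schema; the events, the trusted-folder baseline, and the file names (UsbConfig.exe and u2ec.dll are the names the article quotes) are constructed for illustration.

```python
"""Detection logic for the DLL side-loading pattern the article describes,
evaluated over Sysmon Event ID 7 (Image loaded) records. Added example for this
article, not code from Hack The Box or the HorsePanda -D lab. Field names follow
the public Sysmon schema; the events below are constructed."""
import ntpath

# Folders a standard user cannot normally write to (assumed baseline).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Writable folders under a trusted root that must not inherit its trust.
UNTRUSTED_OVERRIDES = ("c:\\windows\\temp\\", "c:\\windows\\tasks\\")


def is_trusted_dir(directory):
    """True if the directory sits under a root that ordinary users cannot write to."""
    d = directory.lower().rstrip("\\") + "\\"
    if d.startswith(UNTRUSTED_OVERRIDES):
        return False
    return d.startswith(TRUSTED_PREFIXES)


def sideload_reasons(event):
    """Return the indicators that make this ImageLoad event look like side-loading.
    An empty list means the event was ignored or looks benign."""
    if str(event.get("EventID")) != "7":
        return []                      # only image-load telemetry is relevant here
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    if not loaded.lower().endswith(".dll"):
        return []
    exe_dir = ntpath.dirname(image).lower()
    dll_dir = ntpath.dirname(loaded).lower()
    reasons = []
    if exe_dir and exe_dir == dll_dir:
        reasons.append("DLL resolved from the executable's own folder")
    if not is_trusted_dir(dll_dir):
        reasons.append("that folder is user-writable or removable media")
    if str(event.get("Signed", "")).lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("loaded DLL is unsigned or its signature is not valid")
    # Alert only when all three line up; a signed application loading its own
    # signed helper DLL from Program Files is normal and would flood the queue.
    return reasons if len(reasons) == 3 else []


def scan(events):
    """Return (Image, ImageLoaded, reasons) for every event that trips the rule."""
    hits = []
    for e in events:
        reasons = sideload_reasons(e)
        if reasons:
            hits.append((e["Image"], e["ImageLoaded"], reasons))
    return hits


# Constructed sample telemetry: two benign loads, two side-loads, one unrelated event.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Users\bob\Downloads\data\UsbConfig.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\data\u2ec.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"E:\Pictures\viewer.exe",           # removable drive, as in the USB campaign
     "ImageLoaded": r"E:\Pictures\codec.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 1, "Image": r"C:\Users\bob\Downloads\data\UsbConfig.exe", "CommandLine": "UsbConfig.exe"},
]

if __name__ == "__main__":
    for image, dll, reasons in scan(SAMPLE_EVENTS):
        print(f"{image} loaded {dll}: " + "; ".join(reasons))
```

Requiring all three indicators is a deliberate precision trade-off: many legitimate applications load DLLs from their own folder, so the rule leans on location and signature state rather than on the co-location alone, which is why the Program Files sample stays quiet.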

Explore HorsePanda Labs on HTB Enterprise


When my manager tasked me with creating a lab based on a real-world APT campaign, I immediately thought of Mustang Panda.

Their attacks, while being highly relevant in the current landscape, are based on a few fundamental principles that can be easily demonstrated in a beginner-focused training program.

To this end, I chose to simplify the malware development stage by disabling some common protections typically enabled on production systems, in order to keep the focus on the attack vector itself and the way users are manipulated into executing the payload.

I believe this approach is particularly beneficial for beginners, as it offers an insight into how threat actors think and operate without overwhelming them with technical details. 


polarbearer (lab creator of HorsePanda)


As soon as I learned about the Mustang Panda simulation, I started researching their techniques and found their initial access method particularly intriguing.

This led me to think about other fascinating attacker strategies, and the Uroburos rootkit—my previous simulation—came to mind.

I developed a Sherlock scenario combining these two unique attacker techniques, allowing players to create detection rules in their environments to identify similar threats in the future. 


Kartik Durg (iamr007), Defensive Content Engineer (lab creator of HorsePanda -D)

Inside Mustang Panda attack campaigns

Note💡: While there is a reasonably good public picture of the techniques and tools Mustang Panda has used during their attacks, not everything has been confirmed by the affected parties. This anatomy therefore attributes these techniques to the group on the basis of public reporting.

Initial access

Historically, Mustang Panda has commonly used spear phishing attacks to gain initial access to a target environment. These attacks commonly involve phishing emails containing Google Drive links with pretexts tied to current events. 

For example, the BlackBerry Research and Intelligence Team reported an attack campaign in December 2022 involving a malicious archive file titled “Political Guidance for the new EU approach towards Russia.rar” (MITRE ATT&CK Spearphishing Attachment).

[Figure: DLL sideloading]

A 2023 attack campaign reported by Trend Micro used infected USB drives to access new environments. This campaign employed the HIUPAN worm to infect a computer and spread itself to any other removable drives connected to that system (ATT&CK Replication Through Removable Media). 

The attack then downloaded the PUBLOAD malware from the attacker’s command and control (C2) server to set up the next stage of the attack.

Malware download

Depending on the attack campaign, Mustang Panda may include different types of files within its spear-phishing email or infected USB drive. Some payloads include an archive file, such as RAR, ZIP, or others, containing several files. 

One of these is typically an LNK (shortcut) file pointing to a legitimate executable within the archive. These LNK files often use double extensions to appear to be the document indicated by the malicious email. 

For example, a document might be named Doc.docx.exe but appear to be Doc.docx if the user has extensions hidden in Windows Explorer. When a user opens the document, the indicated executable is run instead (ATT&CK User Execution: Malicious File).

The group has also used .url attachments on phishing emails (ATT&CK Phishing: Spearphishing Link). Clicking one causes the user’s browser to visit a malicious webpage and download a malicious payload whose contents resemble the archive file used in other campaigns.

DLL sideloading

Mustang Panda’s preferred attack chain uses DLL Side-Loading (ATT&CK Hijack Execution Flow DLL Side-Loading) to conceal the presence of their malware. 

This technique takes advantage of the order in which the Windows OS looks for a DLL when an executable attempts to load it. 

The first place the OS checks is the folder where the executable is located, meaning that any malicious DLL files stored alongside a legitimate executable will get loaded into and run by the legitimate program.

Mustang Panda payloads commonly contain a legitimate Windows executable, such as UsbConfig.exe, together with a malicious version of a DLL that executable actually loads, such as u2ec.dll. When the user launches the executable, the OS runs the legitimate program, which then loads the malicious DLL from the same folder.

This technique helps to cover the attacker’s tracks, since the legitimate executable is what appears when a user or administrator examines all the running processes in Windows Task Manager. However, the malicious code is still running, just behind the scenes.
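The delivery pattern from the two sections above (a shortcut or double-extension file posing as a document, shipped beside a legitimate EXE and the DLL it will side-load) can be triaged statically from an archive listing before anything is opened. The script below is an added example for this article, not code from Hack The Box, the HorsePanda lab, or any Mustang Panda tooling; the sample listing is constructed, and UsbConfig.exe and u2ec.dll are simply the names the article quotes. It generalizes the article's Doc.docx.exe case to any document extension hidden behind an executable or shortcut extension, and flags every DLL that sits in the same folder as an EXE.

```python
"""Static triage of an extracted phishing archive for the delivery pattern the
article describes: a shortcut or double-extension file posing as a document,
shipped next to a legitimate EXE and the DLL it will side-load.

Added example for this article; not code from Hack The Box, the HorsePanda lab
or any Mustang Panda tooling. The sample listing is constructed; UsbConfig.exe
and u2ec.dll are the names quoted in the article."""
import os
from collections import defaultdict

DOCUMENT_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".rtf"}
# Extensions Windows will execute or follow when the file is double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".lnk", ".url", ".bat", ".cmd", ".hta", ".js", ".vbs"}


def split_all_exts(name):
    """Every extension in a file name, lowercased: 'Doc.docx.exe' -> ['.docx', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def triage_listing(paths):
    """Take relative paths as listed inside an archive and return (path, reason)
    findings. Folder layout matters for side-loading, so paths keep their folders."""
    findings = []
    by_dir = defaultdict(list)
    for p in paths:
        folder, name = os.path.split(p.replace("\\", "/"))
        by_dir[folder].append(name)
        exts = split_all_exts(name)
        if not exts:
            continue
        last = exts[-1]
        if last in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in exts[:-1]):
            # 'Doc.docx.lnk' shows as 'Doc.docx': Explorer always hides .lnk and, by
            # default, hides other known extensions as well.
            findings.append((p, f"double extension: shown as {exts[-2]} but opens as {last}"))
        elif last in {".lnk", ".url"}:
            findings.append((p, f"{last} shortcut delivered inside an archive"))
    # A DLL sitting beside an EXE is the raw material for side-loading, because the
    # EXE's own folder is searched before the system folders.
    for folder, names in by_dir.items():
        exes = [n for n in names if n.lower().endswith(".exe")]
        dlls = [n for n in names if n.lower().endswith(".dll")]
        for dll in dlls:
            for exe in exes:
                path = f"{folder}/{dll}" if folder else dll
                findings.append((path, f"side-loading candidate: DLL shipped beside {exe}"))
    return findings


# Constructed listing mirroring the HorsePanda scenario described in the article.
SAMPLE_LISTING = [
    "Doc.docx.lnk",          # shortcut posing as a Word file; points at data/UsbConfig.exe
    "data/UsbConfig.exe",    # legitimate signed executable
    "data/u2ec.dll",         # DLL the executable loads by name; the malicious copy
    "data/readme.txt",
]

if __name__ == "__main__":
    for path, reason in triage_listing(SAMPLE_LISTING):
        print(f"{path}: {reason}")
```

The EXE-plus-DLL check deliberately does not try to decide whether the DLL is malicious; in a phishing archive the mere presence of that pair is the signal, and confirming it means comparing the DLL against the vendor's original or examining it in a sandbox.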

Multi-stage malware infection

Generally, Mustang Panda’s attacks involve multi-stage malware with various capabilities. Typically, this involves an initial malicious program that downloads and runs others. 

The attack chain includes code that decodes malware that was downloaded as or stored in an encrypted form to evade detection (MITRE ATT&CK Obfuscated Files or Information).
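A payload stored or downloaded in encrypted form has a characteristic signature on disk: a stretch of bytes with near-maximal entropy. Measuring that is a standard first triage step for Obfuscated Files or Information, and the script below is an added example for this article (not Hack The Box or Mustang Panda code) showing it with a sliding window, so an encrypted stage embedded inside an otherwise readable loader is located rather than averaged away. The sample "loader" is constructed: a readable text stub followed by pseudo-random bytes standing in for the encrypted next stage.

```python
"""Entropy triage for the encrypted or encoded stages the article describes
(ATT&CK T1027): locate a high-entropy blob inside an otherwise readable file.
Added example for this article, not Hack The Box or Mustang Panda code. The
'loader' sample is constructed: a readable stub with a pseudo-random blob
appended to stand in for an encrypted next stage."""
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant data, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data, window=512, step=256, threshold=7.0):
    """Slide a window over data and merge overlapping windows whose entropy is
    at or above threshold into (start, end) byte ranges."""
    regions = []
    for start in range(0, len(data), step):
        chunk = data[start:start + window]
        if len(chunk) < window // 2:
            break                      # trailing slice too short to judge
        if shannon_entropy(chunk) >= threshold:
            end = start + len(chunk)
            if regions and start <= regions[-1][1]:
                regions[-1] = (regions[-1][0], end)
            else:
                regions.append((start, end))
    return regions


def triage(data):
    """Summarise a file: overall entropy, high-entropy ranges, and a verdict."""
    regions = high_entropy_regions(data)
    covered = sum(e - s for s, e in regions) / len(data) if data else 0.0
    if covered >= 0.9:
        verdict = "high-entropy throughout: packed or encrypted file"
    elif regions:
        verdict = "embedded high-entropy blob: possible encrypted stage"
    else:
        verdict = "plain"
    return {"entropy": round(shannon_entropy(data), 2), "regions": regions, "verdict": verdict}


def build_sample(seed=7):
    """Constructed stand-in for a loader: readable text followed by random bytes."""
    rng = random.Random(seed)
    stub = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 60
    blob = bytes(rng.randrange(256) for _ in range(4096))   # ~4 KiB 'encrypted' stage
    return stub + blob


if __name__ == "__main__":
    result = triage(build_sample())
    print(result["verdict"], result["entropy"], result["regions"])
```

High entropy alone does not prove malice (compressed resources and legitimate packers look the same), so the region offsets are the useful output: they tell an analyst where to carve and which bytes the loader's decoding routine is likely to touch.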

While the overall structure of the attack chain remains fairly constant, the malware Mustang Panda uses in their attacks can vary. For example, a different spear-phishing campaign that Trend Micro observed in June 2024 involved the following malware:

  • DOWNBAIT: Digitally-signed downloader malware (ATT&CK Subvert Trust Controls: Code Signing) that is downloaded from a .url attachment in an email.

  • PULLBAIT: Shellcode malware downloaded by DOWNBAIT and executed in memory (ATT&CK Process Injection) to prevent it from being detected on disk. This malware goes on to download CBROVER.

  • CBROVER: Backdoor malware used to download PlugX. 

  • PlugX: PlugX is a modular remote access trojan (RAT). The core malware grants the attacker remote control over the device and can download additional modules to add other desired features.

  • FILESAC: File collector tool that collects and exfiltrates document and image files after compressing them into an archive file (ATT&CK Archive Collected Data).

Other campaigns use different collections of malware, including Cobalt Strike (pentesting tool with potential for malicious uses), PUBLOAD (downloader and network mapper), FDMTP (downloader), and PTSOCKET (exfiltration). 

However, most campaigns use PlugX, even if the collection of loaders and stagers the attackers used to deliver it may vary from one campaign to the next.

Prepare for emerging threats with HTB

Hack The Box’s workforce development programs map to frameworks like MITRE ATT&CK, MITRE D3FEND, and NIST NICE, providing hands-on experience with various techniques. 

Instead of just reading about how a technique works, security teams can perform or defend against the attack in a realistic environment. This leads to a deeper understanding and an enhanced ability to manage threats within their enterprise environments.
