
The China-linked threat actor known as Mustang Panda has been attributed to a cyber attack targeting an unspecified organization in Myanmar, using previously unreported tooling that reflects a constant effort by the threat actors to improve the sophistication and effectiveness of their malware.
This includes updated versions of a known backdoor called TONESHELL, a new lateral movement tool referred to as StarProxy, two keyloggers codenamed PAKLOG and CorKLOG, and an endpoint detection and response (EDR) evasion driver, SplatCloak.
“TONESHELL, a backdoor used by Mustang Panda, has been updated with changes to its FakeTLS command-and-control (C2) communication protocol as well as to the methods for creating and storing client identifiers,” Zscaler said in a two-part analysis.
Mustang Panda, also known as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte and RedDelta, is a China-based state-sponsored threat actor that has been active since at least 2012.
The group is mainly known for its attacks on governments, military entities, minority groups and non-governmental organizations (NGOs), and to some extent for activity in Europe. It has a history of leveraging DLL side-loading techniques to deliver PlugX malware.
Since late 2022, however, campaigns orchestrated by Mustang Panda have increasingly distributed a bespoke malware family called TONESHELL, which is designed to download next-stage payloads.
Zscaler said it discovered three new variants of the malware that come with varying levels of sophistication:
- Variant 1, which acts as a simple reverse shell
- Variant 2, which includes functionality to download DLLs from the C2 server and execute them inside legitimate processes (e.g., svchost.exe)
- Variant 3, which includes functionality to download files and create sub-processes to execute commands received from the remote server over a custom TCP-based protocol
Another new piece of software linked to Mustang Panda is StarProxy, which is launched via DLL side-loading and is designed to use the FakeTLS protocol to proxy traffic and facilitate attacker communications.
“Once active, StarProxy allows attackers to proxy traffic between infected devices and their C2 servers. StarProxy achieves this by using TCP sockets to communicate with the C2 server via the FakeTLS protocol, encrypting the traffic with a custom XOR-based encryption algorithm,” Singh said.
“Additionally, the tool uses command-line arguments to specify the IP addresses and ports for communication, enabling attackers to relay data through compromised machines.”
Figure: StarProxy activity
StarProxy is believed to be deployed as a post-compromise tool to reach internal workstations within a network that are not directly exposed to the Internet.
Also new are two keyloggers, PAKLOG and CorKLOG, which are used to monitor keystrokes and clipboard data. The primary difference between the two is that the latter stores the captured data in an encrypted file using a 48-character RC4 key and implements persistence mechanisms by creating services or scheduled tasks.
Both keyloggers lack their own data exfiltration capabilities, meaning they exist solely to collect keystroke data and write it to a specific location, and the threat actor uses other methods to transmit it to their infrastructure.
Capping off the new additions to Mustang Panda’s malware arsenal is SplatCloak, a Windows kernel driver deployed by SplatDropper that is equipped to disable EDR-related routines implemented by Windows Defender and Kaspersky, allowing the malware to fly under the radar.
“Mustang Panda demonstrates a calculated approach to achieving its objectives,” Singh said. “Continuous updates, new tooling, and layered obfuscation prolong the group’s operations and improve the efficacy of its attacks.”
UNC5221 Targets Windows With New Versions of BRICKSTORM
The disclosure comes as Belgian cybersecurity firm NVISO linked a China-nexus cyber espionage cluster called UNC5221 to the use of a new version of the BRICKSTORM malware in attacks targeting Windows environments in Europe.
BRICKSTORM is a Go-based backdoor that was first observed last year on Linux servers, in connection with the zero-day exploitation of Ivanti Connect Secure flaws (CVE-2023-46805 and CVE-2024-21887).
Google Mandiant said in April 2024, “It supports the ability to set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload/download, run shell commands, and perform SOCKS relaying.”
The newly identified Windows artifacts, also written in Go, provide attackers with file manager and network tunneling capabilities through a panel, enabling them to browse, create or remove files and to tunnel network connections for lateral movement.
They also resolve the C2 server via DNS-over-HTTPS (DoH) and are engineered to evade network-level defenses such as DNS monitoring, TLS inspection and geo-blocking.
“The Windows samples [...] are not equipped with command execution capabilities,” NVISO said. “Instead, the adversary was seen abusing the network tunneling capabilities in combination with valid credentials to abuse well-known protocols such as RDP or SMB, thus achieving similar command execution.”
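Because the BRICKSTORM Windows samples resolve their C2 server over DoH, the usual DNS query logs never see the lookup; the egress or proxy log still records the HTTPS connection to the resolver. The following is an added detection example, not code from the article, NVISO or Zscaler: it scans constructed egress-log lines (the log format, hostnames and process names are assumptions) and flags non-browser processes that talk to public DoH resolvers or to any endpoint serving the standard `/dns-query` path.

```python
import re
from collections import defaultdict

# Public DoH resolver hostnames and anycast IPs (documented, widely used endpoints).
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.quad9.net"}
DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}
# Browsers use DoH legitimately; anything else reaching a resolver deserves a look.
# svchost.exe is deliberately NOT allowlisted, since the article notes malware injecting into it.
ALLOWED_PROCESSES = {"firefox.exe", "chrome.exe", "msedge.exe"}

# Assumed egress-log layout: ts host process dst_host dst_ip dst_port url_path
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<dst>\S+) (?P<ip>\S+) (?P<port>\d+) (?P<path>\S+)$"
)

# Constructed sample log: one legitimate browser lookup, two suspicious ones, one unrelated TLS session.
SAMPLE_LOG = """
2025-04-17T09:12:03Z WS01 chrome.exe dns.google 8.8.8.8 443 /dns-query
2025-04-17T09:12:09Z WS01 updater.exe cloudflare-dns.com 1.1.1.1 443 /dns-query
2025-04-17T09:13:44Z SRV02 svc.exe 203.0.113.7 203.0.113.7 443 /dns-query
2025-04-17T09:14:01Z WS01 outlook.exe mail.example.net 198.51.100.5 443 /
"""


def is_doh_connection(dst_host, dst_ip, port, path):
    """True if the connection looks like DoH: a known resolver, or the RFC 8484 /dns-query path on any host."""
    return port == 443 and (dst_host in DOH_HOSTS or dst_ip in DOH_IPS or path.startswith("/dns-query"))


def find_suspicious_doh(log_text):
    """Return {host: [(process, destination), ...]} for DoH use by processes outside the allowlist."""
    hits = defaultdict(list)
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        f = m.groupdict()
        if is_doh_connection(f["dst"], f["ip"], int(f["port"]), f["path"]) \
                and f["proc"].lower() not in ALLOWED_PROCESSES:
            hits[f["host"]].append((f["proc"], f["dst"]))
    return dict(hits)


if __name__ == "__main__":
    for host, events in find_suspicious_doh(SAMPLE_LOG).items():
        print(host, events)
```

The third sample line shows why the path check matters: a self-hosted resolver on an unknown IP is caught only because it serves `/dns-query`, so the hostname and IP lists alone are not enough.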