Mustang Panda is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. Mustang Panda has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Europe, Mongolia, Myanmar, Pakistan, and Vietnam, among others.[1][2][3]

Domain | ID | Sub-ID | Name | Use |
---|---|---|---|---|
Enterprise | T1583 | .001 | Acquire Infrastructure: Domains | Mustang Panda has acquired C2 domains prior to operations.[3][5][7] |
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | Mustang Panda has communicated with its C2 via HTTP POST requests.[2][3][5][7] |
Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility | Mustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration.[3][8] |
Enterprise | T1560 | .003 | Archive Collected Data: Archive via Custom Method | Mustang Panda has encrypted documents with RC4 prior to exfiltration.[8] |
Enterprise | T1119 | | Automated Collection | Mustang Panda used custom batch scripts to collect files automatically from a targeted system.[3] |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Mustang Panda has created the registry key |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell | Mustang Panda has used malicious PowerShell scripts to enable execution.[1][2] |
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell | Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection.[2][8] |
Enterprise | T1059 | .005 | Command and Scripting Interpreter: Visual Basic | Mustang Panda has embedded VBScript components in LNK files to download additional files and automate collection.[1][2][3] |
Enterprise | T1074 | .001 | Data Staged: Local Data Staging | Mustang Panda has stored collected credential files in |
Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography | Mustang Panda has encrypted C2 communications with RC4.[5] |
Enterprise | T1585 | .002 | Establish Accounts: Email Accounts | Mustang Panda has leveraged the legitimate email marketing service SMTP2Go for phishing campaigns.[6] |
Enterprise | T1546 | .003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | Mustang Panda's custom ORat tool uses a WMI event consumer to maintain persistence.[3] |
Enterprise | T1052 | .001 | Exfiltration Over Physical Medium: Exfiltration over USB | Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks.[8] |
Enterprise | T1203 | | Exploitation for Client Execution | Mustang Panda has exploited CVE-2017-0199 in Microsoft Word to execute code.[1] |
Enterprise | T1083 | | File and Directory Discovery | Mustang Panda has searched the entire target system for DOC, DOCX, PPT, PPTX, XLS, XLSX, and PDF files.[8] |
Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories | Mustang Panda's PlugX variant has created a hidden folder on USB drives named |
Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading | Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file.[2][5][4] |
Enterprise | T1070 | .004 | Indicator Removal: File Deletion | Mustang Panda will delete their tools and files, and kill processes after their objectives are reached.[3] |
Enterprise | T1105 | | Ingress Tool Transfer | Mustang Panda has downloaded additional executables following the initial infection stage.[5] |
Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location | Mustang Panda has used names like |
Enterprise | T1036 | .007 | Masquerading: Double File Extension | Mustang Panda has used an additional filename extension to hide the true file type.[1][2] |
Enterprise | T1027 | | Obfuscated Files or Information | Mustang Panda has delivered initial payloads hidden using archives and encoding measures.[1][2][3][5][4][6] |
Enterprise | T1027 | .001 | Binary Padding | Mustang Panda has used junk code within their DLL files to hinder analysis.[8] |
Enterprise | T1003 | .003 | OS Credential Dumping: NTDS | Mustang Panda has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file. Mustang Panda has also used |
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment | Mustang Panda has used spearphishing attachments to deliver initial access payloads.[5][4][9] |
Enterprise | T1566 | .002 | Phishing: Spearphishing Link | Mustang Panda has delivered malicious links to their intended targets.[7] |
Enterprise | T1598 | .003 | Phishing for Information: Spearphishing Link | Mustang Panda has delivered web bugs to profile their intended targets.[6] |
Enterprise | T1057 | | Process Discovery | Mustang Panda has used |
Enterprise | T1219 | | Remote Access Software | Mustang Panda has installed TeamViewer on targeted systems.[3] |
Enterprise | T1091 | | Replication Through Removable Media | Mustang Panda has used a customized PlugX variant which could spread through USB connections.[8] |
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task | Mustang Panda has created a scheduled task to execute additional malicious software, as well as maintain persistence.[2][3][7] |
Enterprise | T1518 | | Software Discovery | Mustang Panda has searched the victim system for the |
Enterprise | T1608 | | Stage Capabilities | Mustang Panda has used servers under their control to validate tracking pixels sent to phishing victims.[6] |
Enterprise | T1608 | .001 | Upload Malware | Mustang Panda has hosted malicious payloads on Dropbox including PlugX.[6] |
Enterprise | T1218 | .004 | System Binary Proxy Execution: InstallUtil | Mustang Panda has used |
Enterprise | T1218 | .005 | System Binary Proxy Execution: Mshta | Mustang Panda has used mshta.exe to launch collection scripts.[3] |
Enterprise | T1082 | | System Information Discovery | Mustang Panda has gathered system information using |
Enterprise | T1016 | | System Network Configuration Discovery | Mustang Panda has used |
Enterprise | T1049 | | System Network Connections Discovery | Mustang Panda has used |
Enterprise | T1204 | .001 | User Execution: Malicious Link | Mustang Panda has sent malicious links including links directing victims to a Google Drive folder.[1][7][6] |
Enterprise | T1204 | .002 | User Execution: Malicious File | Mustang Panda has sent malicious files requiring direct victim interaction to execute.[1][2][8][5][9][6] |
Enterprise | T1102 | | Web Service | Mustang Panda has used Dropbox URLs to deliver variants of PlugX.[6] |
Enterprise | T1047 | | Windows Management Instrumentation | Mustang Panda has executed PowerShell scripts via WMI.[2][3] |