Mustang Panda

Mustang Panda is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. Mustang Panda has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Germany, Mongolia, Myanmar, Pakistan, and Vietnam, among others.[1][2][3]

ID: G0129
Associated Groups: TA416, RedDelta, BRONZE PRESIDENT
Contributors: Kyaw Pyiyt Htet, @KyawPyiytHtet
Version: 1.0
Created: 12 April 2021
Last Modified: 25 April 2021

Associated Group Descriptions

Name Description
TA416

[4]

RedDelta

[5]

BRONZE PRESIDENT

[3]

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

Mustang Panda have acquired C2 domains prior to operations.[3][5][6]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Mustang Panda has communicated with its C2 via HTTP POST requests.[2][3][5][6]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Mustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration.[3][7]

.003 Archive Collected Data: Archive via Custom Method

Mustang Panda has encrypted documents with RC4 prior to exfiltration.[7]

Enterprise T1119 Automated Collection

Mustang Panda used custom batch scripts to collect files automatically from a targeted system.[3]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Mustang Panda has created the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobelmdyU to maintain persistence.[4]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Mustang Panda has used malicious PowerShell scripts to enable execution.[1][2]

.003 Command and Scripting Interpreter: Windows Command Shell

Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection.[2][7]

.005 Command and Scripting Interpreter: Visual Basic

Mustang Panda has embedded VBScript components in LNK files to download additional files and automate collection.[1][2][3]

Enterprise T1074 .001 Data Staged: Local Data Staging

Mustang Panda has stored collected credential files in c:\windows\temp prior to exfiltration. Mustang Panda has also stored documents for exfiltration in a hidden folder on USB drives.[3][7]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Mustang Panda has encrypted C2 communications with RC4.[5]

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Mustang Panda's custom ORat tool uses a WMI event consumer to maintain persistence.[3]

Enterprise T1052 .001 Exfiltration Over Physical Medium: Exfiltration over USB

Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks.[7]

Enterprise T1203 Exploitation for Client Execution

Mustang Panda has exploited CVE-2017-0199 in Microsoft Word to execute code.[1]

Enterprise T1083 File and Directory Discovery

Mustang Panda has searched the entire target system for DOC, DOCX, PPT, PPTX, XLS, XLSX, and PDF files.[7]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Mustang Panda's PlugX variant has created a hidden folder on USB drives named RECYCLE.BIN to store malicious executables and collected data.[7]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file.[2][5][4]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Mustang Panda will delete their tools and files, and kill processes after their objectives are reached.[3]

Enterprise T1105 Ingress Tool Transfer

Mustang Panda has downloaded additional executables following the initial infection stage.[5]

Enterprise T1036 Masquerading

Mustang Panda has used an additional filename extension to hide the true file type.[1][2]

.005 Match Legitimate Name or Location

Mustang Panda has used 'adobeupdate.dat' as a PlugX loader, and a file named 'OneDrive.exe' to load a Cobalt Strike payload.[5]

Enterprise T1027 Obfuscated Files or Information

Mustang Panda has delivered initial payloads hidden using archives and encoding measures.[1][2][3][5][4]

.001 Binary Padding

Mustang Panda has used junk code within their DLL files to hinder analysis.[7]

Enterprise T1003 .003 OS Credential Dumping: NTDS

Mustang Panda has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file. Mustang Panda has also used reg save on the SYSTEM file Registry location to help extract the NTDS.dit file.[3]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Mustang Panda has used spearphishing attachments to deliver initial access payloads.[5][4]

.002 Phishing: Spearphishing Link

Mustang Panda has delivered spearphishing links to their target.[6]

Enterprise T1057 Process Discovery

Mustang Panda has used tasklist /v to determine active process information.[7]

Enterprise T1219 Remote Access Software

Mustang Panda has installed TeamViewer on targeted systems.[3]

Enterprise T1091 Replication Through Removable Media

Mustang Panda has used a customized PlugX variant which could spread through USB connections.[7]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Mustang Panda has created a scheduled task to execute additional malicious software, as well as maintain persistence.[2][3][6]

Enterprise T1218 .004 Signed Binary Proxy Execution: InstallUtil

Mustang Panda has used InstallUtil.exe to execute a malicious Beacon stager.[2]

.005 Signed Binary Proxy Execution: Mshta

Mustang Panda has used mshta.exe to launch collection scripts.[3]

Enterprise T1518 Software Discovery

Mustang Panda has searched the victim system for the InstallUtil.exe program and its version.[2]

Enterprise T1082 System Information Discovery

Mustang Panda has gathered system information using systeminfo.[7]

Enterprise T1016 System Network Configuration Discovery

Mustang Panda has used ipconfig and arp to determine network configuration information.[7]

Enterprise T1049 System Network Connections Discovery

Mustang Panda has used netstat -ano to determine network connection information.[7]

Enterprise T1204 .001 User Execution: Malicious Link

Mustang Panda has sent malicious links directing victims to a Google Drive folder.[1][6]

.002 User Execution: Malicious File

Mustang Panda has sent malicious files requiring direct victim interaction to execute.[1][2][7][5]

Enterprise T1047 Windows Management Instrumentation

Mustang Panda has executed PowerShell scripts via WMI.[2][3]

Software

ID Name References Techniques
S0154 Cobalt Strike [1][2][3][5][6] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, BITS Jobs, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: JavaScript, Commonly Used Port, Create or Modify System Process: Windows Service, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Man in the Browser, Modify Registry, Multiband Communication, Native API, Network Service Scanning, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: Security Account Manager, Process Discovery, Process Injection, Process Injection: Process Hollowing, Process Injection: Dynamic-link Library Injection, Protocol Tunneling, Proxy: Internal Proxy, Query Registry, Remote Services: SMB/Windows Admin Shares, Remote Services: Windows Remote Management, Remote Services: SSH, Remote Services: Remote Desktop Protocol, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Subvert Trust Controls: Code Signing, System Network Configuration Discovery, System Network Connections Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Local Accounts, Valid Accounts: Domain Accounts, Windows Management Instrumentation
S0590 NBTscan [3] Network Service Scanning, Network Sniffing, Remote System Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0013 PlugX [1][2][3][7][5] Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, File and Directory Discovery, Hijack Execution Flow: DLL Side-Loading, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Masquerade Task or Service, Modify Registry, Multiband Communication, Native API, Network Share Discovery, Non-Application Layer Protocol, Process Discovery, Query Registry, Screen Capture, System Network Connections Discovery, Trusted Developer Utilities Proxy Execution: MSBuild, Virtualization/Sandbox Evasion: System Checks, Web Service: Dead Drop Resolver
S0012 PoisonIvy [1][5] Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Active Setup, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit

References