StarProxy is custom malware used by Mustang Panda as a post-compromise tool to proxy traffic between the infected machine and other machines on the same network.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command and Scripting Interpreter | StarProxy has used the command line for execution of commands.[1] |
| Enterprise | T1001.003 | Data Obfuscation: Protocol or Service Impersonation | StarProxy has utilized TLS record headers in network packets to impersonate various versions of the TLS protocol and blend in with legitimate network traffic. StarProxy used FakeTLS to communicate with its C2 server.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | StarProxy has decrypted network packets using a custom algorithm.[1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | StarProxy has leveraged two 256-byte XOR keys to encrypt and decrypt network packets using a custom algorithm.[1] |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL | StarProxy has been side-loaded by the legitimate, signed executable IsoBurner.exe.[1] |
| Enterprise | T1106 | Native API | StarProxy has used native Windows API calls such as |
| Enterprise | T1095 | Non-Application Layer Protocol | StarProxy has used TCP for C2 communications to target IPs or domains. StarProxy contained code to support both UDP and TCP connections.[1] |
| Enterprise | T1090.001 | Proxy: Internal Proxy | StarProxy has proxied traffic between infected devices and their C2 servers.[1] |
| Enterprise | T1124 | System Time Discovery | StarProxy has utilized the Windows API call |
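The FakeTLS behaviour in the T1001.003 row (a stream that carries TLS record headers but never performs a real TLS handshake) is something a network analyst can check for directly. The following is an added defender-side example, not StarProxy's code and not from the cited report; the heuristics (first record must be a ClientHello, record version must be a known TLS version, handshake length must agree with record length) are assumptions, and the sample byte strings are constructed.

```python
import struct

# TLS record header: content type (1 byte), version (2 bytes), length (2 bytes).
KNOWN_VERSIONS = {0x0301, 0x0302, 0x0303, 0x0304}   # TLS 1.0 .. 1.3
HANDSHAKE = 0x16
CLIENT_HELLO = 0x01


def parse_records(stream: bytes):
    """Split a byte stream into (content_type, version, payload) TLS records."""
    records, off = [], 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        payload = stream[off + 5:off + 5 + length]
        if len(payload) < length:
            break  # truncated record: stop instead of mis-parsing the tail
        records.append((ctype, version, payload))
        off += 5 + length
    return records


def fake_tls_indicators(stream: bytes):
    """Heuristic checks (assumed, not StarProxy's exact framing) that a client
    stream wearing TLS record headers never carried a real TLS handshake."""
    findings = []
    records = parse_records(stream)
    if not records:
        return ["no parseable TLS records"]
    first_type, _, first_payload = records[0]
    if first_type != HANDSHAKE:
        findings.append("first record is not a handshake record")
    elif not first_payload or first_payload[0] != CLIENT_HELLO:
        findings.append("first handshake record is not a ClientHello")
    for ctype, version, payload in records:
        if version not in KNOWN_VERSIONS:
            findings.append(f"unknown record version 0x{version:04x}")
        if ctype == HANDSHAKE and len(payload) >= 4:
            # Handshake header: msg type (1 byte) + msg length (3 bytes).
            if int.from_bytes(payload[1:4], "big") + 4 != len(payload):
                findings.append("handshake length disagrees with record length")
    return findings


# Constructed samples, not captured traffic. GENUINE is a structurally minimal
# ClientHello record; FAKE_HELLO and FAKE_APPDATA only wear TLS record headers.
_body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00" + b"\x00\x00"
_hello = b"\x01" + len(_body).to_bytes(3, "big") + _body
GENUINE = b"\x16\x03\x01" + len(_hello).to_bytes(2, "big") + _hello
FAKE_HELLO = b"\x16\x03\x05\x00\x04" + b"\x01\x00\x00\x10"      # bad version, bad length
FAKE_APPDATA = b"\x17\x03\x03\x00\x04" + b"\xde\xad\xbe\xef"    # app data, no handshake
```

Real TLS 1.3 clients still send the ClientHello record with version 0x0301 and later records with 0x0303, so the check accepts any known version per record rather than demanding one version across the stream.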
| ID | Name | References |
|---|---|---|
| G0129 | Mustang Panda | |