Posted on November 21, 2022 at 8:59 AM
Researchers at Trend Micro have warned that China-backed hackers are planting malware on government networks through Google Drive.
The threat actors are taking part in different spearphishing campaigns that are delivering malware to specific locations like research areas, government networks, as well as academic organizations. The researchers stated that the activities of the threat actors peaked between March and October this year.
The Threat Actors Have Been Linked To The Mustang Panda Group
During their investigation, the security researchers say they believe that the Mustang Panda is the threat group responsible for hacking activities.
The group, according to Trend Micro researchers, generally targets organizations located in places like Japan, Taiwan, Australia, and the Philippines.
The threat actors have also been observed using Google accounts to send emails to their targets. They try to lure the recipients into installing custom malware via links to Google Drive.
Trend Micro researchers have also provided more details about the activities of the hackers. According to their research, the threat actors use messages linked to geopolitical themes and most of the targets were government agencies and institutions.
The researchers noted that the threat actors also use sophisticated tools that let them bypass security controls on the targeted systems. Their links usually point to folders on Dropbox or Google Drive. As a result, security mechanisms are less likely to flag the malware delivery, since both platforms have a reputation for being trustworthy.
Several of those links connect to files that were stored in RAR or compressed ZIP formats and carry various malware strains like PubLoad and ToneShell.
The Campaign Uses More Sophisticated Tools
The security researchers also show that the campaigns share some of the attack methods of the Mustang Panda group that experts warned against in September this year. However, the recent campaign is slightly different because it shows signs of an improved toolset compared to the tools Mustang Panda used before, allowing the group to swiftly expand its attack horizon. According to the researchers, the group has increased the potency and ease of its attacks on several organizations, which makes it very dangerous.
At the beginning of the year, Proofpoint researchers reported a campaign by Mustang Panda where the group concentrated on operations in Europe. The threat group was discovered targeting diplomats with high rankings in some European countries.
In another report, the researchers alerted organizations and the public about a Mustang Panda initiative targeting Russian officials.
Then in March, the same threat group was discovered carrying out operations in places like Africa and Southeast Asia, as well as the southern parts of Europe. The group’s activity in these countries drew more attention, and since then, security researchers have been monitoring it closely. The latest discovery is evidence that the threat group can also tweak its attack tools and methods to hide from the prying eyes of cybersecurity companies.
While the threat actors used various malware loading methods, the process generally involves DLL side-loading, triggered when the target launches a legitimate executable shipped inside the archive alongside the malicious DLL.
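The pattern described above, a legitimate-looking executable packaged next to a DLL in the same archive folder, is something a defender can triage for before the archive ever reaches a user. The following is an added example, not code from Trend Micro or from the campaign itself; the archive contents are constructed for the demonstration, and the checker treats any folder holding both an `.exe` and a `.dll` as a side-loading candidate worth a closer look.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Constructed sample archive layout (not from any real sample): a benign-looking
# executable placed next to a DLL it would load by name from its own directory.
SAMPLE_MEMBERS = {
    "docs/Report.exe": b"MZ-placeholder-executable",
    "docs/version.dll": b"MZ-placeholder-library",
    "docs/data.dat": b"opaque-blob",
    "readme.txt": b"plain text",
}


def build_sample_archive(members=SAMPLE_MEMBERS) -> bytes:
    """Build an in-memory ZIP so the checker can run fully offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def find_sideload_candidates(archive_bytes: bytes):
    """Return (directory, [exes], [dlls]) for every archive folder that holds
    both an executable and a DLL. Such a pairing is the shape DLL side-loading
    takes when delivered in an archive; it is a triage signal, not a verdict,
    since legitimate installers ship the same layout."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]

    by_dir = {}
    for name in names:
        path = PurePosixPath(name)
        by_dir.setdefault(str(path.parent), []).append(path.name)

    hits = []
    for directory, files in by_dir.items():
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        dlls = sorted(f for f in files if f.lower().endswith(".dll"))
        if exes and dlls:
            hits.append((directory, exes, dlls))
    return hits


if __name__ == "__main__":
    for directory, exes, dlls in find_sideload_candidates(build_sample_archive()):
        print(f"side-load candidate in '{directory}': {exes} next to {dlls}")
```

For RAR archives the same folder grouping applies once the member list is obtained from a RAR-capable library or tool; only the listing step changes.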
The Threat Actors Evolve Malware In Their Operation
The researchers have also found that the hackers are evolving their operations with different malware families from the same toolset. The three malware strains used in the campaign are ToneShell, ToneIns, and PubLoad. Of these three, only PubLoad has been documented before, in a Cisco Talos report from May this year that described campaigns against European targets.
The PubLoad malware strain ensures persistence by creating scheduled tasks and adding registry keys. It also handles command and control (C2) communications and decrypts shellcode.
Trend Micro revealed that the PubLoad versions have more complex anti-analysis systems, which means that Mustang Panda is seriously working to improve the tool’s efficacy.
ToneShell is a standalone backdoor that is loaded directly in memory, and features code flow obfuscation by implementing custom exception handlers.
On the other hand, ToneIns is an installer for ToneShell, which is the main backdoor utilized in the campaign. It evades detection and loads ToneShell while establishing a high level of persistence in the victim’s computer.
ToneIns is highly active and also serves as an anti-sandbox measure, since the backdoor will not execute in a debugging environment.
ToneShell sends a package containing the victim ID data after connecting to the C2 server. It then waits for the C2 server to issue new instructions, such as allowing uploads, executing files, or downloading important files to the server.