Posted on March 25, 2022 at 8:07 AM
Cybercriminals are always looking for opportunities to launch hacking campaigns that steal or extort funds from their victims. At the peak of the Covid-19 pandemic, several cybersecurity reports noted that threat activity against individuals and organizations had increased.
Now, during the Ukraine crisis, the situation is much the same. More threat activity has been uncovered, and one strand of it comes from a China-linked hacking group known as Mustang Panda.
According to security analysts, the threat group is carrying out a malicious campaign that has been running for not less than eight months. Now the researchers have discovered a new variant of the Korplug malware known as Hodur, which is distributed by the same threat group.
Mustang Panda, also tracked as TA416, is known for espionage and phishing attacks that have targeted European diplomats.
The custom Korplug malware is used by many threat actors and is not exclusive to Mustang Panda. The malware was first discovered in the wild in 2020 following a report that examined the activities of Chinese hackers against Australian targets.
In the latest campaign using the malware, security firm ESET found that Mustang Panda is focusing on research institutes, internet service providers (ISPs), and European diplomats. Their usual modus operandi is to lure victims with fake documents, although they have started incorporating other strategies.
The Threat Group Has Continuously Updated Its Lures
The hackers have updated their lures several times since August 2021, when the campaign is believed to have started. They quickly jumped on Covid-19 themes when the pandemic was at its peak. Now the group has shifted its focus to lures referencing Russia’s invasion of Ukraine. The report says that although they remain very active with Covid-19 travel restriction themes, most of their lures now take advantage of the Ukraine crisis.
The targeted countries in the present campaign include Greece, Russia, Myanmar, Cyprus, Mongolia, Vietnam, South Sudan, and South Africa.
Target Scope Remains Unchanged
Mustang Panda’s target scope has remained unchanged since the campaign began. However, the threat group has refocused its attention, refreshing its lures and upgrading its toolset. According to the ESET report, the group has deployed new Korplug variants and custom loaders. Although the variants still rely on DLL side-loading, new features have been added that apply much heavier obfuscation across the entire infection chain.
The encrypted Korplug payload and the malicious loader module are delivered together with a legitimate executable and a decoy document. The threat actors now combine these components to evade detection by security software.
The custom loader DLL relies on a digitally signed, legitimate SmadAV executable, abusing a known DLL side-loading weakness in it to get loaded.
ESET noted that most of the functions exported by the loader are dummies; only one of them actually loads the new Korplug variant.
The Threat Group Can Become More Sophisticated
Although Korplug is a remote access trojan (RAT), its functionality has not been analyzed thoroughly, since each APT that uses the trojan has created its own variants.
However, ESET identified that the variant used by Mustang Panda in the present campaign shares features with THOR, a PlugX variant discovered last year by researchers at Unit 42.
Based on what is known about this Korplug variant, it is decrypted only in memory; only its encrypted form is ever written to disk. The variant also contains encrypted strings, includes anti-execution measures, and obfuscates its Windows API function calls.
Persistence is achieved by adding a new registry entry under “Software\Microsoft\Windows\CurrentVersion\Run”, according to the report.
The RAT side of Korplug is where this new version’s additions show: its authors have added more features and commands.
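As an added defender-side example (not code from the article or from ESET), the following Python helper triages an exported list of Run-key entries together with listings of the folders they point at, both constructed inline here, and flags autoruns that launch an executable from a user-writable folder with DLLs and non-executable data files sitting beside it, which is the shape of the signed-executable, loader-DLL and encrypted-payload chain described above. The folder markers and the file names are assumptions, not indicators from the report.

```python
import ntpath

# Constructed stand-in for an export of the ...\CurrentVersion\Run keys
# (value name -> command line); "SmadAV.exe" is an assumed file name.
RUN_ENTRIES = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "SmadAVUpdate": r"C:\Users\alice\AppData\Roaming\SmadAV\SmadAV.exe",
}

# Constructed listings of each Run target's folder (folder -> file names).
DIR_LISTINGS = {
    r"C:\Program Files\Microsoft OneDrive": ["OneDrive.exe", "FileSyncConfig.exe"],
    r"C:\Users\alice\AppData\Roaming\SmadAV": ["SmadAV.exe", "helper.dll", "config.dat"],
}

# Assumed path fragments that a non-admin user can write to.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                         "\\users\\public\\", "\\downloads\\")


def command_to_exe(cmd: str):
    """Extract the executable path from a Run-key command line."""
    idx = cmd.lower().find(".exe")
    if idx < 0:
        return None
    return cmd[:idx + 4].lstrip('"')


def is_user_writable(folder: str) -> bool:
    return any(marker in (folder.lower() + "\\") for marker in USER_WRITABLE_MARKERS)


def triage_run_entries(run_entries: dict, dir_listings: dict) -> list:
    """Return Run entries whose target lives in a user-writable folder
    next to DLLs (side-load candidates) and data files (payload candidates)."""
    findings = []
    for value_name, cmd in run_entries.items():
        exe = command_to_exe(cmd)
        if exe is None:
            continue
        folder, _ = ntpath.split(exe)
        if not is_user_writable(folder):
            continue
        siblings = dir_listings.get(folder, [])
        dlls = [f for f in siblings if f.lower().endswith(".dll")]
        data = [f for f in siblings if not f.lower().endswith((".dll", ".exe"))]
        if dlls:
            findings.append({"value": value_name, "exe": exe,
                             "dlls": dlls, "data_files": data})
    return findings


if __name__ == "__main__":
    for hit in triage_run_entries(RUN_ENTRIES, DIR_LISTINGS):
        print(f"[!] {hit['value']}: {hit['exe']} with DLLs {hit['dlls']} "
              f"and data files {hit['data_files']}")
```

Hits are triage leads for manual review (check the executable's signature and whether the sibling DLL matches a name it imports), not a verdict on their own.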
The Group Can Also Expand Its Target Scope
While explaining the malware, ESET added that the Mustang Panda group may refine its operational methods and become more sophisticated in the future. The researchers expect Mustang Panda to keep improving its toolkit, making the group more potent and dangerous. Users should therefore be very cautious of phishing attempts that look genuine, since this is the group's most common form of entry. Additionally, the group could expand its targeting scope, given that it is a Chinese-sponsored threat group with extensive experience in cyber espionage.