Mustang Panda’s Evolving Cyber Tactics: New Tools Target Myanmar’s Organizations

The cyber espionage group known as Mustang Panda, linked to China, has recently intensified its operations against organizations in Myanmar. This escalation involves the deployment of sophisticated tools such as updated versions of the TONESHELL backdoor, a novel lateral movement utility named StarProxy, two keyloggers referred to as PAKLOG and CorKLOG, and an Endpoint Detection and Response (EDR) evasion driver called SplatCloak.

TONESHELL Backdoor Enhancements

TONESHELL, a backdoor previously associated with Mustang Panda, has undergone significant updates. These enhancements include modifications to its FakeTLS command-and-control (C2) communication protocol and alterations in the methods for generating and storing client identifiers. The backdoor now exists in three distinct variants:

1. Variant 1: Functions as a straightforward reverse shell, allowing remote command execution.

2. Variant 2: Capable of downloading dynamic-link libraries (DLLs) from the C2 server and executing them by injecting the DLL into legitimate processes, such as `svchost.exe`.

3. Variant 3: Includes functionalities to download files and create subprocesses to execute commands received from a remote server via a custom TCP-based protocol.

Introduction of StarProxy

A notable addition to Mustang Panda’s toolkit is StarProxy, a tool designed to facilitate lateral movement within compromised networks. Launched through DLL side-loading, StarProxy proxies traffic over the FakeTLS protocol so that the attackers can communicate with hosts they could not otherwise reach. Once active, it relays data between infected devices and the C2 servers by establishing TCP sockets and encrypting all exchanged data with a custom XOR-based algorithm. This makes the tool particularly effective for reaching internal workstations that are not directly exposed to the internet.
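As an added, defender-side illustration (not code from the report or from the tooling it describes), the check below parses the first TLS record of a captured TCP payload and reports whether it opens with a structurally valid ClientHello. It rests on the labelled assumption that a "FakeTLS" protocol borrows TLS record framing (content type, version, length) without carrying a real handshake; the sample bytes are constructed for the example, not taken from any capture, and a record that fails the walk is a lead for analysis, not a verdict.

```python
import os
import struct
from typing import Optional, Tuple

# TLS record header: content_type (1 byte), version (2), length (2)
TLS_RECORD_HDR = struct.Struct("!BHH")
HANDSHAKE, APPLICATION_DATA = 22, 23


def parse_record(data: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Return (content_type, version, payload) for the first complete TLS record, else None."""
    if len(data) < TLS_RECORD_HDR.size:
        return None
    ctype, version, length = TLS_RECORD_HDR.unpack_from(data)
    if ctype not in (20, 21, 22, 23) or (version >> 8) != 3:
        return None
    if len(data) < TLS_RECORD_HDR.size + length:
        return None  # truncated record; a real stream reassembler would wait for more bytes
    return ctype, version, data[5:5 + length]


def is_well_formed_client_hello(payload: bytes) -> bool:
    """Walk the ClientHello layout (RFC 5246 / RFC 8446) and check that every length field fits."""
    if len(payload) < 4 or payload[0] != 0x01:             # handshake type 1 = ClientHello
        return False
    if int.from_bytes(payload[1:4], "big") != len(payload) - 4:
        return False
    body = payload[4:]
    if len(body) < 35 or body[0] != 3:                      # legacy_version major byte
        return False
    pos = 35 + body[34]                                     # skip 32-byte random + session_id
    if len(body) < pos + 2:
        return False
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2 + cs_len
    if cs_len == 0 or cs_len % 2 or len(body) < pos + 1:
        return False
    comp_len = body[pos]
    pos += 1 + comp_len
    if comp_len == 0 or len(body) < pos:
        return False
    if len(body) == pos:                                    # no extensions block at all
        return True
    if len(body) < pos + 2:
        return False
    ext_len = int.from_bytes(body[pos:pos + 2], "big")
    return pos + 2 + ext_len == len(body)


def classify_stream_start(data: bytes) -> str:
    """Label the opening bytes of a client-to-server stream."""
    rec = parse_record(data)
    if rec is None:
        return "not-tls"
    ctype, _version, payload = rec
    if ctype == HANDSHAKE and is_well_formed_client_hello(payload):
        return "tls-client-hello"
    return "tls-framed-no-handshake"      # TLS-shaped header, but no real handshake opening


def build_client_hello() -> bytes:
    """Constructed, minimal TLS 1.2-style ClientHello: one cipher suite, null compression, no extensions."""
    body = b"\x03\x03" + os.urandom(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample: application-data framing around 16 bytes of XOR-masked data, the kind of
# first packet a FakeTLS-style protocol would send under the assumption stated above.
FAKE_TLS_SAMPLE = b"\x17\x03\x03\x00\x10" + bytes(b ^ 0x5A for b in b"hello-from-host!")

if __name__ == "__main__":
    for label, sample in (("real", build_client_hello()), ("fake", FAKE_TLS_SAMPLE)):
        print(label, classify_stream_start(sample))
```

The point of the walk is that genuine clients on port 443 start every connection with a handshake record whose nested lengths agree; a stream that opens with application-data framing, or with a handshake record whose inner fields do not add up, is worth pulling for manual review alongside the destination and the process that opened the socket.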

Deployment of Keyloggers: PAKLOG and CorKLOG

Mustang Panda has also been observed deploying two new keyloggers, PAKLOG and CorKLOG, aimed at monitoring keystrokes and clipboard data. While both tools serve similar purposes, CorKLOG distinguishes itself by storing captured data in an encrypted file using a 48-character RC4 key and implementing persistence mechanisms through the creation of services or scheduled tasks. Notably, both keyloggers lack inherent data exfiltration capabilities, suggesting that the threat actors employ additional methods to transmit the collected information to their infrastructure.

EDR Evasion with SplatCloak

To counteract security measures, Mustang Panda has introduced SplatCloak, a Windows kernel driver deployed via SplatDropper. This tool is specifically designed to evade Endpoint Detection and Response (EDR) systems, enhancing the group’s ability to maintain a foothold within compromised networks without detection.
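The three behaviours described above, DLL injection into svchost.exe, persistence through new services or scheduled tasks, and the loading of a kernel driver, all leave traces in Windows and Sysmon event logs. The hunt below is an added example written for this summary (not code from the report or from any vendor) that runs a few such heuristics over constructed, normalised event records. It assumes events have already been exported with their EventData fields flattened to a dict; the 'Command' field used for event 4698 is this example's own simplification of the task XML, and every path and name in the samples is made up.

```python
import re
from typing import Dict, Iterable, List, Optional

# Directories a standard user can write to; anything persisting or loading from here
# is a heuristic hit to review, not proof of compromise.
USER_WRITABLE = re.compile(r"\\(users|programdata|temp|appdata|public)\\", re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


def binary_path(command: str) -> str:
    """Extract the executable path from a service ImagePath or task command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ")[0]


def check_event(ev: Dict[str, object]) -> Optional[str]:
    """Return a finding for one normalised event, or None if it looks benign.
    Field names follow the Windows / Sysmon EventData names except 'Command' (assumption)."""
    provider, eid = ev.get("Provider"), ev.get("EventID")
    if provider == "Service Control Manager" and eid == 7045:          # new service installed
        path = binary_path(str(ev["ImagePath"]))
        if USER_WRITABLE.search(path):
            return f"7045: service '{ev['ServiceName']}' installed from {path}"
    elif provider == "Microsoft-Windows-Security-Auditing" and eid == 4698:   # task created
        path = binary_path(str(ev["Command"]))
        if USER_WRITABLE.search(path):
            return f"4698: scheduled task '{ev['TaskName']}' runs {path}"
    elif provider == "Microsoft-Windows-Sysmon" and eid == 6:          # driver loaded
        image = str(ev["ImageLoaded"])
        if ev.get("SignatureStatus") != "Valid" or not SYSTEM_DIR.match(image):
            return f"Sysmon 6: driver {image} loaded, signature {ev.get('SignatureStatus')}"
    elif provider == "Microsoft-Windows-Sysmon" and eid == 8:          # CreateRemoteThread
        target, source = str(ev["TargetImage"]), str(ev["SourceImage"])
        if target.lower().endswith("\\svchost.exe") and not SYSTEM_DIR.match(source):
            return f"Sysmon 8: remote thread into svchost.exe from {source}"
    return None


def hunt(events: Iterable[Dict[str, object]]) -> List[str]:
    """Run every event through check_event and collect the findings in order."""
    findings = []
    for ev in events:
        hit = check_event(ev)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample events (not from any real incident); two are deliberately benign.
SAMPLE_EVENTS = [
    {"Provider": "Service Control Manager", "EventID": 7045,
     "ServiceName": "UpdaterSvc", "ImagePath": r'"C:\ProgramData\Updater\svc.exe" -run'},
    {"Provider": "Service Control Manager", "EventID": 7045,
     "ServiceName": "netsvc", "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4698,
     "TaskName": r"\Microsoft\Windows\Update", "Command": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 6,
     "ImageLoaded": r"C:\Users\Public\drv.sys", "SignatureStatus": "Unavailable"},
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 6,
     "ImageLoaded": r"C:\Windows\System32\drivers\disk.sys", "SignatureStatus": "Valid"},
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 8,
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Each rule is deliberately narrow so that its false positives are easy to reason about: legitimate software does install services from ProgramData, so the 7045 and 4698 hits need a baseline of known installers, while an unsigned or non-System32 driver load (Sysmon 6) and a remote thread into svchost.exe from a user-profile path (Sysmon 8) are rare enough on managed hosts to justify an immediate look.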

Historical Context and Evolution

Active since at least 2012, Mustang Panda, also known by aliases such as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, and RedDelta, has a history of targeting governments, military entities, minority groups, and non-governmental organizations (NGOs), primarily in East Asia and, to a lesser extent, Europe. The group has been known for leveraging DLL side-loading techniques to deliver the PlugX malware. However, since late 2022, there has been a noticeable shift towards the deployment of the bespoke TONESHELL malware family, indicating an evolution in their operational tactics.

Implications and Recommendations

The continuous development and deployment of advanced tools by Mustang Panda underscore the persistent and evolving nature of cyber threats posed by state-sponsored actors. Organizations, particularly those in sectors historically targeted by Mustang Panda, should remain vigilant and adopt comprehensive cybersecurity measures. This includes regular system updates, employee training on recognizing phishing attempts, and robust network and endpoint monitoring to detect and mitigate potential intrusions, with attention to the behaviours described above: DLL side-loading, newly created services and scheduled tasks, and unexpected kernel driver loads.