January 30, 2024 at 09:34AM
Mustang Panda, a China-based threat actor, is suspected of targeting Myanmar’s Ministry of Defence and Foreign Affairs in two campaigns that delivered backdoors and remote access trojans. The group has been active since 2012 and has previously targeted Southeast Asian governments and the Philippines. The attacks rely on phishing emails, rogue DLLs sideloaded by legitimate executables, and command-and-control (C2) traffic disguised as Microsoft update traffic.
Key takeaways:
1. The China-based threat actor Mustang Panda targeted Myanmar’s Ministry of Defence and Foreign Affairs in separate campaigns in November 2023 and January 2024, deploying backdoors and remote access trojans.
2. The attacks abused legitimate executables, such as a binary developed by engineering firm Bernecker & Rainer (B&R) and a component of the Windows 10 Upgrade Assistant, to sideload malicious dynamic-link libraries (DLLs).
3. Mustang Panda, also tracked as Stately Taurus (Palo Alto Networks Unit 42), Bronze President, Earth Preta, RedDelta and TA416, has been attributed to recent attacks targeting a Southeast Asian government and the Philippines, deploying backdoors capable of harvesting sensitive information.
4. The attack techniques include phishing emails carrying booby-trapped ZIP archives, rogue DLLs planted beside legitimate executables that are susceptible to DLL search order hijacking (so the program loads the attacker's DLL from its own directory instead of the system copy), and command-and-control (C2) traffic disguised as Microsoft update traffic.
5. The threat actor also employed an optical disc image in a recent campaign to trigger a multi-stage process likely deploying PlugX from a now-inaccessible C2 server.
6. The Stately Taurus operations align with Chinese government interests, and the group has been linked to cyberespionage operations against Myanmar in the past.
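The article names the technique (a legitimate executable loading a rogue DLL from its own directory) but gives no indicators. The following is an added illustration, not code from the article or from Unit 42, of how a detection engineer can hunt for that pattern in image-load telemetry. It assumes Sysmon Event ID 7-style records (process image, loaded image, signature status), a hypothetical allow-list of trusted install directories, and an illustrative list of System32 DLL names that are commonly impersonated; the sample events are constructed for the example.

```python
"""Hunt for DLL search-order hijacking / sideloading in image-load telemetry.

Added example. The rule flags a load when the DLL sits in the same directory
as the executable that loaded it, that directory is outside the trusted
install locations (i.e. somewhere a phishing payload would be extracted), and
either the DLL carries the name of a system library that should resolve from
System32, or a signed host executable loaded an unsigned DLL from its own
directory.
"""
import ntpath
from dataclasses import dataclass

# Hypothetical allow-list: loading a private DLL from the application's own
# directory is normal for software installed here. Tune to the estate.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Illustrative list (not from the article) of DLLs that normally live in
# System32 and are often carried as the rogue module in sideloading chains.
SYSTEM_DLL_NAMES = {
    "version.dll", "wininet.dll", "dwmapi.dll", "userenv.dll",
    "cryptsp.dll", "uxtheme.dll", "profapi.dll",
}


@dataclass
class ImageLoad:
    """One image-load record, modelled on Sysmon Event ID 7 fields."""
    image: str          # executable that performed the load
    image_loaded: str   # full path of the DLL that was mapped
    image_signed: bool  # host executable has a valid signature
    dll_signed: bool    # loaded DLL has a valid signature


def in_trusted_dir(path: str) -> bool:
    """True if the path is under one of the trusted install roots."""
    return path.lower().startswith(TRUSTED_DIRS)


def sideload_reasons(ev: ImageLoad) -> list[str]:
    """Return the reasons this load looks like sideloading (empty if benign)."""
    exe_dir = ntpath.dirname(ev.image).lower()
    dll_dir = ntpath.dirname(ev.image_loaded).lower()
    dll_name = ntpath.basename(ev.image_loaded).lower()
    # Search-order hijacking resolves the DLL from the application directory,
    # so a DLL loaded from anywhere else is out of scope for this rule.
    if dll_dir != exe_dir or in_trusted_dir(exe_dir):
        return []
    reasons = []
    if dll_name in SYSTEM_DLL_NAMES:
        reasons.append(f"{dll_name} resolved from the application directory instead of System32")
    if ev.image_signed and not ev.dll_signed:
        reasons.append("signed executable loaded an unsigned DLL from its own directory")
    return reasons


def hunt(events: list[ImageLoad]) -> list[tuple[str, str, list[str]]]:
    """Run the rule over a batch of records and return (exe, dll, reasons) hits."""
    findings = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            findings.append((ev.image, ev.image_loaded, reasons))
    return findings


# Constructed sample telemetry (paths and names are made up for the example).
SAMPLE_EVENTS = [
    # Normal: a system binary loading version.dll from System32.
    ImageLoad(r"C:\Windows\explorer.exe", r"C:\Windows\System32\version.dll", True, True),
    # Normal: installed vendor software loading its own private helper DLL.
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\helper.dll", True, False),
    # Suspicious: signed executable extracted from an archive into a temp
    # directory picks up an unsigned version.dll sitting beside it.
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\Rar$DIa\Update.exe",
              r"C:\Users\alice\AppData\Local\Temp\Rar$DIa\version.dll", True, False),
    # Not flagged: an unsigned portable tool loading its own unsigned DLL.
    ImageLoad(r"C:\Users\alice\Downloads\tool\tool.exe", r"C:\Users\alice\Downloads\tool\tool.dll", False, False),
]


if __name__ == "__main__":
    for exe, dll, reasons in hunt(SAMPLE_EVENTS):
        print(f"{exe}\n  loaded {dll}")
        for r in reasons:
            print(f"    - {r}")
```

In production the signature fields come from Sysmon's `Signed`/`SignatureStatus` values, and the second condition is the higher-signal one: a vendor-signed binary such as the B&R executable described above loading an unsigned module from a user-writable directory is rarely legitimate, whereas the name-based check will need an allow-list for software that ships its own copy of a redistributable.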
These takeaways summarize the notable points of the reporting on the cyber espionage activity attributed to Mustang Panda against Myanmar.