The threat actor tracked as Mustang Panda has refined its malware arsenal to include new tools in order to facilitate data exfiltration and the deployment of next-stage payloads, according to new findings from Trend Micro.
The cybersecurity firm, which is monitoring the activity cluster under the name Earth Preta, said it observed “the propagation of PUBLOAD via a variant of the worm HIUPAN.”
PUBLOAD is a known downloader malware linked to Mustang Panda since early 2022, deployed as part of cyber attacks targeting government entities in the Asia-Pacific (APAC) region to deliver the PlugX malware.
“PUBLOAD was also used to introduce supplemental tools into the targets’ environment, such as FDMTP to serve as a secondary control tool, which was observed to perform similar tasks as that of PUBLOAD; and PTSOCKET, a tool used as an alternative exfiltration option,” security researchers Lenart Bermejo, Sunny Lu, and Ted Lee said.
Mustang Panda’s use of removable drives as a propagation vector for HIUPAN was previously documented by Trend Micro in March 2023. It’s tracked by Google-owned Mandiant as MISTCLOAK, which it observed in connection with a cyber espionage campaign targeting the Philippines that may have commenced as far back as September 2021.
PUBLOAD is equipped with features to conduct reconnaissance of the infected network and harvest files of interest (.doc, .docx, .xls, .xlsx, .pdf, .ppt, and .pptx), while also serving as a conduit for a new hacking tool dubbed FDMTP, which is a “simple malware downloader” implemented based on TouchSocket over Duplex Message Transport Protocol (DMTP).
The captured information is compressed into an RAR archive and exfiltrated to an attacker-controlled FTP site via cURL. Alternatively, Mustang Panda has also been observed deploying a custom program named PTSOCKET that can transfer files in multi-thread mode.
Furthermore, Trend Micro has attributed the adversary to a “fast-paced” spear-phishing campaign that it detected in June 2024 as distributing email messages containing a .url attachment, which, when launched, is used to deliver a signed downloader dubbed DOWNBAIT.
The campaign is believed to have targeted Myanmar, the Philippines, Vietnam, Singapore, Cambodia, and Taiwan based on the filenames and content of the decoy documents used.
DOWNBAIT is a first-stage loader tool that’s used to retrieve and execute the PULLBAIT shellcode in memory, which subsequently downloads and runs the first-stage backdoor referred to as CBROVER.
The implant, for its part, supports file download and remote shell execution capabilities, alongside acting as a delivery vehicle for the PlugX remote access trojan (RAT). PlugX then takes care of deploying another bespoke file collector called FILESAC that can collect the victim’s files.
The disclosure comes as Palo Alto Networks Unit 42 detailed Mustang Panda’s abuse of Visual Studio Code’s embedded reverse shell feature to gain a foothold in target networks, indicating that the threat actor is actively tweaking its modus operandi.
“Earth Preta has shown significant advancements in their malware deployment and strategies, particularly in their campaigns targeting government entities,” the researchers said. “The group has evolved their tactics, […] leveraging multi-stage downloaders (from DOWNBAIT to PlugX) and possibly exploiting Microsoft’s cloud services for data exfiltration.”
