China-linked actor Mustang Panda has been implicated in a cyber attack targeting a Philippine government entity amid rising tension between the two countries over the disputed South China Sea.
Palo Alto Networks Unit 42 attributed three campaigns in August 2023 to the adversarial collective, which primarily targeted organizations in the South Pacific.
“The campaigns used legitimate software including Solid PDF Creator and SmadavProtect (an Indonesia-based antivirus solution) to sideload malicious files,” the company said.
“The threat authors also creatively configured the malware to impersonate legitimate Microsoft traffic for command and control (C2) connections.”
Mustang Panda, also tracked under the names Bronze President, Camaro Dragon, Earth Preta, RedDelta, and Stately Taurus, is believed to be a Chinese advanced persistent threat (APT) active since 2012, orchestrating cyber espionage campaigns targeting non-governmental organizations (NGOs) and government bodies across North America, Europe, and Asia.
In late September 2023, Unit 42 also linked the threat actor to attacks aimed at an unnamed government in Southeast Asia to distribute a backdoor variant called TONESHELL.
The latest campaigns use spear-phishing emails to deliver a malicious ZIP archive file containing a rogue dynamic-link library (DLL) launched using a technique called DLL side-loading. The DLL then establishes contact with a remote server.
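As an added illustration from the defender's side (not code from the article or from Unit 42), the following Python triage check flags the attachment layout described above: a ZIP archive carrying a PE executable and a PE DLL in the same directory, which is the arrangement DLL side-loading depends on. The sample archives and file names are constructed placeholders.

```python
import io
import posixpath
import zipfile
from collections import defaultdict

PE_MAGIC = b"MZ"  # DOS header signature at the start of every Windows PE file


def _pe_members(zf: zipfile.ZipFile) -> list:
    """Names of archive members whose content starts with a PE header, whatever the extension."""
    found = []
    for info in zf.infolist():
        if info.is_dir() or info.file_size < 2:
            continue
        with zf.open(info) as fh:
            if fh.read(2) == PE_MAGIC:
                found.append(info.filename)
    return found


def sideload_candidates(zip_bytes: bytes) -> list:
    """Return (exe, [dlls]) pairs for every directory that holds at least one PE
    executable next to at least one PE DLL: the layout side-loading needs, since
    the Windows loader searches the executable's own directory before system paths."""
    by_dir = defaultdict(lambda: {"exe": [], "dll": []})
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in _pe_members(zf):
            ext = posixpath.splitext(name)[1].lower()
            if ext in (".exe", ".dll"):
                by_dir[posixpath.dirname(name)][ext[1:]].append(name)
    return [(exe, sorted(d["dll"]))
            for d in by_dir.values() if d["dll"]
            for exe in sorted(d["exe"])]


def build_archive(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used to construct sample attachments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed lure: a legitimate-looking EXE plus a DLL in the same folder (placeholder names).
LURE_ZIP = build_archive({
    "invoice/SolidPDFCreator.exe": PE_MAGIC + b"\x90" * 62,
    "invoice/helper.dll": PE_MAGIC + b"\x90" * 62,
    "invoice/invoice.pdf": b"%PDF-1.4 constructed placeholder",
})
# Constructed benign attachment: documents only, no PE files.
BENIGN_ZIP = build_archive({"docs/report.pdf": b"%PDF-1.4", "docs/notes.txt": b"hello"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        print(label, sideload_candidates(blob))
```

The check keys on file content rather than extension, so a renamed DLL is still counted; an archive with a lone executable is not flagged.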
It is estimated that the Philippine government entity may have been compromised during a five-day period between August 10 and 15, 2023.
The use of SmadavProtect is a well-known tactic adopted by Mustang Panda in recent months, spreading malware apparently designed to bypass security solutions.
“Stately Taurus continues to demonstrate its ability to conduct continuous cyberespionage operations as one of the most active Chinese APTs,” the researchers said.
“These operations target various entities around the world that align with geopolitical topics of interest to the Chinese government.”
The disclosure comes as a South Korean APT actor named Higaisa was discovered targeting users in China through phishing websites impersonating well-known software applications such as OpenVPN.
“Once executed, the installer drops and runs Rust-based malware on the system, triggering shellcode,” Cyble said late last month. “The shellcode performs anti-debugging and decryption operations. Afterwards, it establishes encrypted command-and-control (C&C) communication with a remote Threat Actor (TA).”