Mustang Panda Riding Across Country Lines


Mustang Panda Riding Across Country Lines

After you have watched this Webinar, please feel free to contact us with any questions you may have at


PRESENTER 1: So we are going to get started.

First off, thank you everyone for being here.

My name is [INAUDIBLE].

I'm a security analyst for Anomali, the threat research team, and this is my colleague.


I work as a [INAUDIBLE] with Anomali.

Yeah, that's our intro.

PRESENTER 1: Yes, so today we're going to presenting our findings on a Chinese APT campaign that we believe is being conducted by a group called Mustang Panda.

So to overview, the aim of this talk, we're going to answer three questions.

First off, who is Mustang Panda?

What is the malicious activity?

And what are the attribution points that make us think that this activity is being conducted by Mustang Panda?

Then we'll move into some analysis of our lure documents, which will help answer these questions.

Then we'll move into some C2 pivoting and see what kind of information that [INAUDIBLE]..

That'll be followed by some technical analysis and then by our closing thoughts and a Q&A.

So first off, Mustang Panda, who are they?

Well, they were first discovered by CrowdStrike in April 2017 when CrowdStrike started noticing some malicious activity from an apparent Chinese nexus that was targeting an unnamed unfortunately US-based think tank.

So this piqued the researchers' interest.

So they started looking more, and they found a unique infection chain, which appeared to be indicative of a previously undocumented threat group.

So they continued to analyze this activity, and then in June 2018, they published their findings on Mustang Panda.

And they noted that the group was particularly interested in activity in Mongolia as evident by their Mongolian-themed lures.

And the group also liked to target NGOs in addition to the think tanks.

They also noticed that the group demonstrated an ability to rapidly assimilate new tools and tactics into their operations according to CrowdStrike.

So the lure documents, here are some of the themes that we observed during this campaign.

The CPV is the Communist Party of Vietnam, and we notice specific targeting of certain provinces within Vietnam.

And we'll get into a little bit of that later.

We also notice the embassy of Vietnam in China, so again a regional interest in that area appears to be indicative of Chinese activity.

Also, again, we also noticed Mongolian lures, which again lines up with what CrowdStrike found as well as targeting of the police of the Sindh Province in Pakistan as well as a minority group, which is the largest minority group located in Myanmar, Burma.

There was also a non-profit organization, The China Center in Germany, which seems to align with the NGOs that the group was previously known to target.

Lastly, we saw a United Nations document, which was just pulled right out of the United Nations' digital library.

So this appears to be indicative of potential think tank targeting.

Again, we don't know, but it seems to be something that think tanks would be interested in.

So the first document, this one here, as you can see, is themed for the embassy of Vietnam in China.

And this document is interesting because it's basically issuing a warning to civilians regarding a military exercise on a specific set of coordinates as shown here.

So it was a warning to civilian ships.

Basically don't go here because we're running tests here.

And the tests involved a ice breaking ship called the Snow Dragon 2, and they mentioned August 15th as the beginning of a 35-day-- And here's the VT, virus total, submission date if you guys are curious.

Again this all seems to align in a regional interes.

With specificity with the document, they have the official logos and everything, so again it's a good or well thought out fishing lure, which appears to be APT activity.

So the next document is targeting the People's Committee of the Lang Son Province in Vietnam.

As you can see here, it borders China.

So the People's Committee is a-- I won't get into the political structures of the provinces in Vietnam, but what you should know is that the People's Committee is an executive branch.

So again governmental targeting seems to align with APT activity.

But what is particularly interesting is that the Lang Son Province is known for a history of trade.

Again, I won't get into the details, but hundreds if not thousands of years, this area has been known for trade between Vietnam and China.

There's also a history of bloodshed.

So again this area-- exports, imports, history of trade-- again is something that a government would probably be interested in.

Next, this is the Restoration Council of the Shan State, RCSS, also referred to as the Shan State Army.

So the Shan or the Shan Tai people make up the largest minority group in Myanmar or Burma.

They're located primarily in northwestern Burma and eastern and which is also interesting-- which again seems to line up with China based activity-- the Shan Tai people are also located in the Yunnan Province in China.

The Shan State Army is a government slash political organization that's headquartered in present day Myanmar, Burma, that borders Thailand.

So again we see specificity, native language, seems to be indicative of APT activity.

Next this is the United Nations document that the group just pulled right out of the UN Digital Library.

A little background if you guys can read this.

I'm not sure.

It's dated from 15 January 2019.

Chair of Security Council committee pursuant resolutions, et cetera, concerning the Islamic state in Iraq and the Levant, Al-Qaeda and associated individuals, groups, undertakings, and entities addressed to the president of the Security Council.

So we don't know.

This could be targeting anyone who speaks English, which would be quite a bit.

This seems to be something that a think tank would potentially be interested in as they're discussing different strategies in the region, investment, et cetera.

Next is European.lnk.

All these files are lnk files, and we noticed that they had embedded HTA scripts inside of them basically to trick people as the malicious activity ran in the background.

Other files didn't even have anything in them.

They were completely blank and just had an image.

And they would try to trick people into enabling macros when really there was no macro in the document.

It was all just kind of a distraction as the malicious activity is running in the background so something to keep in mind as we discuss these documents.

So as mentioned previously, the China Center is a non-profit, and according to their website, they encourage encounters in exchange between cultures and religions in the West and in China.

The members are Catholic aid organizations, religious orders, and dioceses located in Germany, Austria, Switzerland, and Italy.

So again the targeting of NGOs was first documented but by CrowdStrike, and we believe we have observed Mustang Panda targeting a similar type of organization.

It would also align with governments what any APT from-- sponsored by any government would be interested in the sharing of information and cultures.

So again it seems to align with some sort of APT activity.

Then I'll switch off to [INAUDIBLE] here for this.


So we were able to find Mustang Panda is targeting Pakistan based on a C2 that has been used in one of the previous lure documents.

So they used a C2 called

So this screenshot is from virus total so these are the different samples that are communicating to the same C2.

So from virus total, we were able to find that they are targeting Pakistan as well.

So in this case, they are targeting a specific region in Pakistan called Sindh Province, so they are targeting their police department.

And so move to the technical analysis.

As CrowdStrike mentioned, so they follow a unique infection chain, especially the attack starts with a spear phishing email.

So we couldn't able to identify any email chains that has the zip file, but I believe the attack chain started with an spear phishing email.

So all the emails should have a zip file, and the zip file was having a window shortcut.

So the shortcuts are really interesting here because most of the shortcuts that we found in this campaign were unusually large, so usually the shortcut should be somewhere around less than 10 kilobytes.

But all the samples that we observed in this campaign were about 200 to 1 megabyte, so they're really big.

And all of the shortcuts were having an embedded HTS script, and the HTS script was executing a vb script after that once it drops.

So the vb script performs two activities in parallel.

So it is going to show the decoy document to the victim, and in the background, it's going to run [INAUDIBLE] off the payloads either PlugX or COBOL strike stator.

And it reaches out to the C2.

So throughout the entire campaign, we observed only the use of two payloads.

One is to PlugX that is most commonly used by Chinese [INAUDIBLE] actors, and the other one is a COBOL strike.

We can-- most commonly used [INAUDIBLE] to.

So this is one of the shortcut file.

I'm just going to explain some of the interesting stuff that I found in that.

So the LF notes, the header, the magic bytes for a shortcut file.

And this is the command that-- it uses hta.exe to execute the embedded HTA script inside the shortcut file.

So the shortcut files are big because they embedded the entire payload inside the HTA, as a VBScript.

So that's the reason all the shortcut files are unusually big.

And one important aspect of shortcut files-- they are really rich in forensic artifacts.

So you can get basically the timestamp when the shortcut files are created, and the host name on which the shortcut files were created, the MAC address of it, and the host name, [INAUDIBLE] name again, the host name of the host where the shortcut files are created, which gives us a lot of pivoting points to find more related samples.

So these are the 16 different samples that we were able to find.

So you can see the commonality between all the different samples.

Almost-- out of 16, 15 samples are having the same creation date.

And you can see five different hosts that were used to create these shortcut files.

Again, the MAC address denotes-- all of the MAC address are part of VMware, so the 00 0C So the MAC address was allocated for a VM.

So that's how we were able to find-- pivot all the different samples involved in the campaign.

So let's switch to the payloads.

So these are two different payloads that we observed, Cobalt Strike and PlugX.

So let's talk about that.

So the first payload that we observed-- so we can say these are the two clusters of payload.

So one was specifically targeting Vietnamese groups that are most commonly there.

The payload was PlugX.

And the Cobalt Strike payload was interesting, because they used a heavily obfuscated VBScript.

So this is the de-obfuscated version of it.

So the payload-- in this case, the Cobalt Strike payload-- was encoded in hex.

And this is the routine that they are using to drop the payload, the name called 3.PS1.

So this will be dropped in the Temp folder of the victim.

So we can see the folder name and the file name.

And the other interesting artifact is, this blob of code was directly copied from Microsoft, a WMI Docs portal.

So this instance, they are using it to execute or invoke the powershell by WMI tasks.

So you can use WMI to perform process executions.

So if you look into the process chain, you will see WMI is the process that invoked command.exe, and then command invokes powershell.exe.

And the other important aspect is, so all of this activity will be happening hidden.

So no command prompts or no dialog boxes will be open to the user, because the WMI uses the variable called hidden window declaration.

So all of the activity will happen in the background.

So once the 3.PS1 executes, it performs two activity-- one, it is going to show the decoy document to the user.

And in the background, it is going to execute the stager.

So in this case, the stager is dropped in the debug path.

So the payload is named Temp underscore-- it ends with dot dat.

So that's basically an executable.

So it creates a schedule task in the name of security script.

So they are trying to imitate Windows updates.

So that's the reason they are trying to mingle with or evade from the normal user eye.

So the powershell script performs a check whether the script is running as-- either running as an admin privilege or the normal user privilege.

So if the privilege is admin, then it is going to drop the Cobalt Strike stager payload in the debug path.

If not, it is going to drop it in the Temp path of the user's machine.

This is the first-stage payload.

And unfortunately, we couldn't able to get the second stage-- I'm not sure because the C2 was not active or it has been taken down by the attackers.

The other one is PlugX.

So here, PlugX has been in the wild for almost more than four years, and it has been primarily used by China-based threat groups.

The PlugX payload is interesting, because the recent version of the campaign that we observed, they basically encoded all the binaries that are involved in the attack to the shortcut file.

So the samples that are having payload as PlugX, all the shortcut files were about 1 megabyte.

So it had three different binaries encoded into Base64, and it was in the HTA script.

So PlugX is a modular remote access Trojan.

So the PlugX has multiple modules, so to perform execution, to perform [INAUDIBLE] and to look into their registry, beaconing out to the C2.

And also, PlugX shares a unique artifact when it reaches out to the C2.

And before that, I'll just explain how it drops into the machine.

So when the shortcut files were executed, it is going to drop three different payloads and the document that is the lure, decoy document for the user viewing.

So the 3.exe is a legitimate ESET binary that's assigned by ESET Antivirus.

I'll explain why it has been dropped by the attackers in the next slide.

So the http_dll is the malicious DLL that will be used by the is the configuration file.

So once it is dropped, in another 10 or 15 seconds it's going to move all those files into a different directory called Microsoft Malware Protection, just to avoid suspicion of the regular user.

And it's going to execute that.

So in this case, the ESET executable was abused for a DLL side-loading attack.

DLL side-loading is a commonly used attack.

So the DLL has a search order.

So it starts at the current directory, and then it moves along the different search order to find the DLL that is specified in the executable.

So in this case the ESET, the exe, is going to load the malicious DLL into its process memory, and it is going to run it.

And you can see, the legitimate process is going to beacon out to the C2 server.

So if a normal user is looking into it, it will definitely miss his eyes.

So this is the C2 pattern that is very common to PlugX, the update WD underscore equal to some random numerical digits.

And the user agent is very unique, so if you wanted to take PlugX, we can just write a Snort signature or Yara rule to look for this particular user agent to detect plugins.

And these are the different C2s that are embedded in the DLL.

So if any one of the CT2 is not responding, it's going to try to beacon out to the different IP addresses or domains that are embedded in the DLL, as well as the ports.

So that's about PlugX, and I will give it to conclusion.


Thank you.


Hopefully this slide will stay up.



So now we're going to try to align, besides some of the technical details that [INAUDIBLE] mentioned-- we're going to try to align some of the geopolitical kind of strategic motivations that would align with a China-based adversary.

So the targets which are indicated by the specific lure documents are governmental, or aligned strategically with a China-sponsored APT group.

So China is currently in its 13th five-year plan.

That focuses on the following themes-- innovation, coordinated development, green growth, openness, and inclusive growth, respectively.

So the objective of increasing exports and specific imports, which falls under openness, would seem to align with the targeting of the Lang Son province that we mentioned earlier, and its history of trade.

So OK, that seems to align.


Next, the lures themed around political parties, the Sindh police, and the UN documents, would align with innovation, which is described as the cornerstone of China's development strategy, and attempts of enhancing its future global competitiveness and technological edge-- which appears to me just as government talk where, like, we're interested in gathering intelligence, as all countries do, and APT groups.

They're interested in gathering things that align strategically, or anything that will benefit them.

So these things seem to align with some of these five pillars, along with the CrowdStrike TTP and the TTPs that we observed-- aligned perfectly.

So again, that's another attribution point that this activity appears to be conducted by Mustang Panda.

We also have a proprietary similarity engine that we run on our team.

That also indicated that this appears to be by Mustang Panda.

So we have kind of three attribution points-- we have some geopolitical and their targeting, we have CrowdStrike TTPs, and we also have our proprietary similarity engine.

So this activity has been ongoing since at least November 2018, according to submission dates in VirusTotal.

But it possibly could go back as far as October 2017 if the group used the dates in the documents in a timely manner.

We saw October 2017.

So a clever APT group would use documents themed around the relevant time frame as a greater chance for folks to click on those spear-phishing emails.

So it's possible it went back to October 2017, but we're not entirely sure on that.

And again, the five pillars.

We'll discuss a little bit more of that.

We'll have a blog post coming out here in a couple days, if you guys are interested, and we'll kind of go more into depth along some of these points.

But the objective here today, which is kind of share with the security community what we're finding, make people aware, so we can help defend against this.

And again, this will be the bibliography in our report that will be coming out.

So if anyone's interested to check our research and our sources, keep us honest, that would be awesome.

OK, well, awesome.

Thank you all for attending, and I hope you had a great Detect.

Thank you.

About Detect LIVE

We believe that threat intelligence holds the promise of allowing organizations to better manage risk and develop resilience. Detect LIVE, brought to you by Anomali, is a virtual event series that provides a platform for security executives, practitioners, and researchers to share insights and experiences related to threat visibility, detection, and response.