
Mustang Panda Expands Its Reach in Myanmar: New StarProxy, EDR Bypass, and TONESHELL Developments

The cyber threat group known as Mustang Panda, believed to be linked to China, has recently targeted an unidentified organization in Myanmar using new tools that enhance their malware capabilities. This attack emphasizes the group’s ongoing efforts to refine their techniques.

Among the newly introduced tools is an updated version of the backdoor malware called TONESHELL. The upgrades to TONESHELL include changes in its command-and-control (C2) communication to a scheme called FakeTLS, along with improvements in how client identifiers are generated and stored. Additionally, Mustang Panda has introduced a new lateral movement tool named StarProxy, two keyloggers named PAKLOG and CorKLOG, and an Endpoint Detection and Response (EDR) evasion driver called SplatCloak.

Zscaler’s ThreatLabz analyst, Sudeep Singh, commented that the updates allow for increasingly stealthy and sophisticated attacks. Mustang Panda has been active since at least 2012 and has a history of targeting governmental bodies, military organizations, minority groups, and NGOs mainly in East Asia, with fewer instances in Europe.

Recent campaigns from Mustang Panda have increasingly relied on the bespoke TONESHELL malware, designed for downloading further payloads. Zscaler identified three variants of this malware, each offering different capabilities, from basic reverse shell functions to more complex file operations and command execution.

StarProxy, utilized after compromising a system, enables attackers to create a traffic proxy between infected machines and their C2 servers by utilizing a custom TCP-based protocol alongside the FakeTLS encryption for outgoing data. This allows advanced communication techniques beneath typical network defenses.

The malware arsenal also includes new keyloggers, PAKLOG and CorKLOG, which are designed to capture keystrokes and clipboard contents. CorKLOG is more advanced, storing data securely using encryption and implementing persistence features through Windows services or scheduled tasks, although these keyloggers do not have their own data exfiltration means.

Additionally, SplatCloak acts as a Windows kernel driver aimed at disabling Windows Defender and Kaspersky EDR-related routines to help evade detection.

Mustang Panda’s ongoing upgrades and the sophistication of their tools are indicators of their growing capabilities, allowing them to execute their objectives more effectively while maintaining operational security.

In a related development, the cyber espionage group UNC5221 has been linked to using a new version of the BRICKSTORM malware in attacks on Windows environments across Europe. This Golang-based backdoor has been identified to deliver file manager and network tunneling functionalities that allow attackers to browse files, manipulate directory structures, and conduct lateral movement.

BRICKSTORM was first associated with exploitation of Ivanti Connect Secure vulnerabilities against various organizations. This version omits a built-in command execution capability and instead relies on network tunneling combined with valid credentials to run commands over ordinary protocols such as RDP and SMB, which helps it blend into legitimate traffic and circumvent network detection measures.

