CyberWire Daily - Mustang Panda leverages Windows shortcut files. [Research Saturday]
Episode Date: November 23, 2019
Researchers at Anomali have been tracking China-based threat group Mustang Panda, believing them to be responsible for attacks making clever use of Windows shortcut files. Parthiban is a researcher... at Anomali, and he joins us to share their findings. The research is here: https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
We found this during our regular data collection.
That's Parthiban. He's a security researcher with Anomali.
The research we're discussing today is titled China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations.
This particular cluster of Windows shortcut files was peculiar because the Windows shortcut files had HTA files embedded in them. So basically they are
using it to download another set of malicious files from the internet because usually the
Windows shortcut files were not used for downloading any content from the internet.
So that's how we were able to narrow it down,
that there is something malicious going on here.
And upon closer inspection, we were able to confirm that
this particular cluster of Windows Shortcut files were
actually used by the threat group called Mustang Panda.
What can you describe for us?
What exactly is a Windows Shortcut file and how is it normally used?
Windows shortcut files are called LNK files.
So a regular Windows shortcut file will have an extension of .lnk in Windows.
They use it to open applications using Windows shortcut files.
So, for example, a lot of people might come across shortcut files on the Windows desktop, and they just use them to call the real application, which is stored in a different location.
I see. So it's a link to an actual file. Like you said, it's the kind of thing you'd put on your desktop as a shortcut to the actual executable.
Yes.
I see. Before we dig into some of the technical details here, who do you presume that Mustang Panda is targeting?
Based on our research, we believe Mustang Panda's targets are the Chinese government's neighboring countries, as well as the countries that are involved in the Belt and Road Initiative.
So that is Mongolia and multiple Southeast Asian countries like Vietnam, Myanmar.
We also found some other targeted countries such as Pakistan as well because Pakistan
is one of the countries that are involved in Belt and Road Initiative.
I see. And are there particular groups within those countries that they seem to
be targeting?
So the specific entities that Mustang Panda targets are most of the government
entities as well as non-governmental entities, non-profit groups. The Mustang Panda primarily
collects geopolitical intelligence. So they primarily collect intelligence from these
governments. Those are Mustang Panda's targets.
I see. Well, let's dig in and go through some of the lure documents that have been sent out here.
Before we get to that, do you think that they're planting these documents via phishing?
Or how do you suppose folks are finding these documents on their computers?
I don't have a definite answer to that, but I can say like most of these APT groups,
we believe the Mustang Panda should be using
spear phishing emails to reach out to their targets.
Well, let's go through some of these lure documents together.
You gathered quite a few of them.
The research here has 15 different documents.
Why don't we go through a couple of them together?
What were some of the more interesting ones that you found?
We'll start off with a particular sample that targets Vietnamese
embassy that is in China. So in this case, we believe the email has been sent to the victims
who work in embassy of Vietnam in China. So this particular document talks about two different
activities. One is a military drill that is going to happen in South China Sea. So the government is asking them
not to let go any civilians or any fishermen over there. And the other one talks about the
China's latest icebreaking ship. So it's just a lure document, but in the background, once it
is opened, a Cobalt Strike payload has been installed and it's reaching out to the C2. So this is one of the samples. And I'll talk about
the other sample that talks about the United Nations Security Council. So we believe this
is targeting a named think tank in one of the Southeast Asian countries, but we don't have any proof
which think tank that is particularly targeting. It is purely based on the content of the document.
So in this case, it is very interesting because this document has been downloaded from United
Nations website. You can go to the website and you can download it by yourself. So the attackers,
they are very clear in this case, they downloaded a real document and attached to the Windows shortcut file. And then even the
document title shows that the real file name, which is downloaded from the UN's website.
And in this case, while the victim views the lure document, in the background a
PlugX payload has been installed and it will start communicating to the C2 server.
So what they're doing here is taking documents that their targets would likely to be interested
in. They're taking the time to choose documents that they would likely want to read that would
strike their interest and taking advantage of that, a bit of social engineering there.
Yes, exactly. So the targets and the lure documents are very related to each other. So
it gives the attackers an advantage that the victims will definitely open it because
it is very relevant and very timely for the victims.
Now, your research also describes how they've been targeting some police in Pakistan,
and they're using the PlugX malware for that.
Yes. In that case, we didn't find the initial infection.
We were able to find that particular sample by pivoting off the IOCs
that we were able to find in the previous infections.
So in that case, that was targeted against a police department in Punjab's Sindh province.
Well, let's go through what's going on technically behind the scenes here. While I'm reading this document that they've sent as the decoy, what's going on on my machine? What tools are they using and how's it communicating with command and control?
Once the victim opens the
Windows shortcut file, a series of activities will happen in the background. So for example,
once the victim opens the Windows shortcut file, there is an
embedded HTA script inside the Windows shortcut file, and then it opens another VBScript file.
So the VBScript file performs two different activities. So it basically opens the decoy
document to the victim, as well as, in the background, it executes a PowerShell script that is going to download
PlugX or Cobalt Strike, depending on which payload has been ingested for that particular victim,
and then it's going to beacon out. In the case of Cobalt Strike, it's going to download a stager
and then it's going to reach out to its command and control. In the front, for the victim, the lure
document will be opened, so none of the malicious activities will be shown to the user.
I mean, no visible dialog boxes or any click yes or no, since the Mustang Panda group is
using Windows shortcut file.
So there is no need to enable or disable macros, which by now is the most commonly used tactic. So in this case, the victim thinks that he or she did in fact open a legitimate document or a PDF file.
And where is it reaching out to? What have you learned about the C2 servers?
There is no specific countries or region that all the C2 servers are located. So
it's all spread across the globe. So that's about it.
What sort of information does it seem like they're interested in? What are they sending back?
In this case, the group is specifically interested on collecting intelligence from
the neighboring countries or the countries involved in the Belt and Road Initiative.
So at the time of research, most of the C2 servers were actually down.
So we could not reach out to the C2, and we could not find what exactly it is trying to exfiltrate from the victim, because all the activity that the malicious shortcut file does is install the first stage payload, and it's going to retrieve the second level payload from the C2 server.
So once the victim receives the second level payload, it is going to perform the next set of activities.
And what are your recommendations in terms of people protecting themselves against this?
Be wary about the emails that you're
opening because the most common infection vector is the email. So please be wary about what you're
opening and especially emails with attachments.
So is this the sort of thing that antivirus would catch or endpoint protection?
In this case, I would say no, because there are no malicious payloads or any other malicious
activities embedded here. It's just a plain Windows shortcut file. And all it's going to be
having is just a URL to download the next
level payload. In this case, even the next URL, the Mustang Panda are using legitimate storage
services like a Google Drive, Dropbox, or publicly known storage services to retrieve their second
level payload. So the antivirus, in this case, will not be enough to help.
Our thanks to Parthiban from Anomali for joining us.
The research is titled China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations.
We'll have a link in the show notes.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of Data Tribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri,
Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson,
Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie,
and I'm Dave Bittner. Thanks for listening.