CyberWire Daily - Pandas with a purpose. [Research Saturday]
Episode Date: May 24, 2025. This week, we are joined by Deepen Desai, Zscaler's Chief Security Officer and EVP of Cyber and AI Engineering, taking a deep dive into Mustang Panda's latest campaign. Zscaler ThreatLabz uncovered new tools used by Mustang Panda, including the backdoors TONEINS, TONESHELL, PUBLOAD, and the proxy tool StarLoader, all delivered via phishing. They also discovered two custom keyloggers, PAKLOG and CorKLOG, and an EDR evasion tool, SplatCloak, highlighting the group's focus on surveillance, persistence, and stealth in cyberespionage operations. The research can be found here: Latest Mustang Panda Arsenal: ToneShell and StarProxy | P1; Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Worried about cyberattacks? CyberCare from Storm Guidance is a comprehensive cyber incident response and resilience service that helps you stay prepared and protected. A unique onboarding process integrates your team with industry-leading experts, so if an incident occurs, your response is optimal. Get priority access to deeply experienced responders, digital investigators, legal and crisis PR experts, ransom negotiators, trauma counselors, and much more. The best part? 100% of unused response time can be repurposed for a range of proactive resilience activities. Find out more at cyber.care slash cyberwire.

Hello everyone and welcome to the CyberWire's Research Saturday. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Mustang Panda is of Chinese origin and traditionally targets government-related entities, military entities, minority groups, and NGOs primarily located in East Asia.
That's Deepen Desai, Zscaler's Chief Security Officer and EVP of Cyber and AI Engineering. Today we're looking into their recent work on Mustang Panda's latest campaigns.
There were a couple of instances where we also saw them targeting entities in Europe. But the research that we will talk about today is where our analysis started with a couple of machines that were targeted in the Myanmar region. And then as part of that analysis, we discovered a lot of new things.
Well, let's dig into it together here. I mean, as you mentioned, something prompted your group's attention and interest here. Can you take us through that story? What grabbed your attention and where did it lead?
Yeah, so there were a couple of machines that we were securing that were going through. They were based out of Myanmar, and this is where we saw a new backdoor, actually a backdoor that was updated by Mustang Panda; the name of the backdoor is ToneShell. The updates that we noticed were changes to its fake TLS command and control communication protocol, as well as some of the methods for creating and storing the infected machine identifiers. So that was one that the team noticed as part of the analysis of the payload. The second thing was a new discovery. This is where the team actually discovered a new lateral movement tool used by Mustang Panda that we have named StarProxy. Again, it leverages the TLS protocol to proxy traffic and facilitate attacker communication, but the main objective of the tool is to perform lateral propagation in the environment.
Well, let's dig into ToneShell first. What are some of the technical details here? My understanding is that this latest version has enhanced capabilities or even stealth?
Yeah, so the ToneShell variant that we saw in this case is definitely stealthier. It has undergone updates to its command and control communication protocols. And again, that is through fake TLS headers and the encryption methods that they're using. So fake TLS, for those that don't know, basically imitates real TLS traffic. And the goal over there is to basically disguise the protocol and try to evade detection. And then they will leverage some form of encryption, which is what we saw in this case as well, to avoid any kind of pattern-based detection engines that are trying to fingerprint this command and control protocol.
Interesting. Well, let's talk about StarProxy. I mean, how does it function within Mustang Panda's operations here?
So StarProxy, as I mentioned earlier, is definitely a new tool for lateral movement. It does act as a relay and allows the attacker to use the compromised systems to reach adjacent devices that are harder for the attacker to access directly. So this is where they will target the users or the identity of interest. And the assumption is, from their machine, they're able to get to the access that they need, because these accesses are often not publicly exposed either. So this is where the StarProxy tool is being leveraged by the attacker to perform that lateral propagation to the device of interest.
I see. So in terms of evasion techniques, what kind of methods does Mustang Panda use to evade detection with these new tools?
So one of them I mentioned, this is where imitating TLS-like traffic, that's one. Custom encryption methods, that's another. The ToneShell variant 2 also supports DLL code injection. Now this is where basically they will inject the code and it will run as part of a legitimate process and perform the activity. Now DLL injection is not new. It's often easy for EDRs and antivirus to detect. But this is where we also saw a few more tools which Mustang Panda is leveraging to maintain persistence. So the tools are a couple of keyloggers, PAKLOG and CorKLOG, and then a specific evasion tool called SplatCloak. This is what it uses to disable some of the functionality of the EDR that would catch what I just described earlier.
Interesting. And who are they targeting here? What organizations or sectors seem to be in their sights?

So their typical targets are government-related entities, military entities, at times minority groups, NGOs, and again the location is East Asia.
We'll be right back.
And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware, and phishing to neutralize identity-based threats like account takeover, fraud, and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com slash cyberwire and see what attackers already know. That's spycloud.com slash cyberwire.
Hey everybody, Dave here. I've talked about DeleteMe before and I'm still using it because it still works. It's been a few months now and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal, 20% off your DeleteMe plan. Just go to joindeleteme.com slash n2k and use promo code N2K at checkout. That's joindeleteme.com slash n2k, code N2K at checkout.
So Mustang Panda's activities seem to be espionage-focused as opposed to making money?

That is correct.

Yeah. Let's talk about detection and mitigation here. What are your recommendations for organizations to protect themselves?
I mean, one thing that is becoming more and more clear, even on the crimeware side, as we see today, all of these bad guys are following, if I were to simplify, four stages of attack over and over again. Number one is where they find you. This is where they're discovering your external attack surface, whether it's any of your assets that are exposed to the internet or a user identity that they want to go after. So that's basically identifying your attack surface. The second stage is where they will compromise that initially identified asset or identity or a user machine. And in that, they will use several tooling. The third stage is where they will move laterally, as was evident in the case of this analysis that we published as well. We've seen Cobalt Strike, we've seen many other post-exploitation tooling used. In this case, we saw a new one, StarProxy, being leveraged. So they will attempt to move laterally from that initially compromised asset. And then the last stage in the majority of these scenarios, even in the case of espionage, will be to steal data, whether it is selective data or bulk data that they will try to exfil out of the victim organization. So with those four stages in mind, this is where defense in depth becomes important. Yes, we saw them disabling EDR in this case, or EDR functionality, but EDR is still very important. But at the same time, having a solution that is inspecting with full TLS inspection at the network layer is equally important. That's where we as Zscaler help organizations with Zscaler Zero Trust Exchange, where we're terminating TLS, we're inspecting payloads, we're detonating payloads in controlled environments like a sandbox. And then we also help minimize that lateral propagation risk with proper segmentation getting implemented. So having that segmentation implemented is equally important, because users will make mistakes, one of the assets may get compromised. And then the final piece is you need to inspect everything that egresses your environment, your machines, your servers, for potential data exfiltration. This is where having an inline DLP solution with full TLS inspection is very important.
How do you rate Mustang Panda in terms of their level of sophistication?
They are, look, with the tooling that we saw in this, the sophistication continues to get better. They're trying to become stealthier. They're trying to also disable controls on the endpoint; that way they are able to persist longer. So I would say they're improving.
I guess it's fair to say that if nothing else, they're well resourced.

They are well resourced, yes.

Yeah. So in terms of takeaways for the security professionals in the audience, what sorts of things do you hope they come away with after checking out your research here?
Yeah, look, the number one thing is, like I described earlier, both crimeware and nation-state actors, they will get in from one vector or the other, but their main goal is to get to that privileged or your crown jewel system where the information that your brand really cares about exists. So making sure you have that zero trust strategy implemented everywhere will be critical to protect that crown jewel information. The second thing that I would call out is, while we didn't see direct use of AI over here, we are starting to see AI being leveraged across the board by crime actors. We even saw that in the recent Black Basta leak, how they're actively discussing leveraging AI across the attack stages. So the second point that I'll call out for the defender is, while there is no AI solution that completely replaces us security professionals, and I don't see that happening in the near future, we must leverage AI to fight AI. And this is where it helps us become more efficient, improve our efficacy, and helps us deal with the scaled information.
Help me understand, you and your colleagues at Zscaler, when you're looking at a group like Mustang Panda, how do you go about measuring their success rate, being able to have a view on how many attempts they're making, how many of those attempts are being thwarted, and what methods are successful on their end, the places that they get in, and then where they get stopped along the way. How do you all measure that?
So our visibility does come from our Zscaler Zero Trust Exchange. So as I described, I mean, our main goal is to connect entity A to entity B and to do that securely. So when a nation-state threat actor or a crimeware operator manages to compromise a machine and then is trying to do certain things, we have several advanced controls like sandboxing, where we'll capture a payload and detonate it. In this case, for many of the payloads we have a full detonation report that kind of flags some of the activity it would do on the endpoint. Then we have controls like deception. So these are honeypots that are deployed pretending to be real applications in the environment. That does help flag a lot of this hands-on-keyboard activity, because as we saw in this case as well, StarProxy is just providing access to a remote threat actor to perform that lateral propagation. Now if you are able to capture them in one of the decoys, again, we are able to contain that asset from doing any kind of lateral propagation. So there are a lot of these advanced proactive controls that are part of Zscaler Zero Trust Exchange, which help against these attacks. But then it also provides signals to our global research team, and we basically leverage that learning to share with the community as well as our customers.
Our thanks to Deepen Desai, Zscaler's Chief Security Officer, for joining us. The research follows Mustang Panda's latest campaign. We'll have a link in the show notes.

This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time.