Mustang Panda Expands Global Espionage with FDMTP and PUBLOAD

Threat Group: Mustang Panda (also known as Earth Preta, Bronze President, HoneyMyte)
Threat Type: Cyber-Espionage
Exploited Vulnerabilities: Phishing, DLL Side-loading, Removable Media Propagation
Malware Used: PUBLOAD, FDMTP, PTSOCKET, HIUPAN Worm
Threat Score: Critical (9.0/10) — Due to widespread targeting of government entities, advanced data exfiltration techniques, and consistent evolution of attack tools.
Last Threat Observation: September 2024 (Trend Micro)


Overview

Mustang Panda, a Chinese state-backed Advanced Persistent Threat (APT) group, has been active in cyber-espionage campaigns globally, with a primary focus on government and high-value entities. Their toolkit, which includes advanced malware such as PUBLOAD, FDMTP, and PTSOCKET, facilitates data exfiltration, lateral movement, and persistence in victim environments. The group's tactics rely heavily on spear-phishing attacks and malware propagation via removable media, making them a persistent and dangerous actor on the global stage.

Mustang Panda's attacks have been observed targeting organizations in the Asia-Pacific region but have also expanded globally to include other government and non-government sectors.

Key Details

  1. Attack Vectors:
    • Spear-Phishing: Used as the primary method for initial compromise, often delivering the DOWNBAIT downloader or other malicious attachments.
    • Removable Media: The HIUPAN worm spreads via USB devices, enabling lateral movement in environments without internet connectivity.
    • DLL Side-loading: Employed to stealthily execute malware such as PUBLOAD and FDMTP.
  2. Malware Overview:
    • PUBLOAD: A stager used to collect system information and map the infected network. It facilitates the delivery of secondary malware such as FDMTP.
    • FDMTP: A downloader malware embedded in DLL files, which establishes remote control and executes additional payloads. It uses encrypted configurations to evade detection.
    • PTSOCKET: A custom exfiltration tool designed for secure, multi-threaded data transfer using the Duplex Message Transport Protocol (DMTP).
    • HIUPAN Worm: Propagates via USB drives, hiding its components and establishing persistence through DLL side-loading.
  3. Data Exfiltration:
    • Sensitive files such as .docx, .pdf, and .xlsx are collected using tools like WinRAR, encrypted, and exfiltrated through FTP or the PTSOCKET file transfer tool. The data is transmitted over encrypted channels to attacker-controlled servers.
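Two of the behaviours listed above leave a recognisable trace in endpoint telemetry: a Windows system DLL name being resolved from the trusted executable's own directory instead of System32 (the side-loading pattern), and a RAR "add" command sweeping up the document types named in the advisory. The script below is an added illustration, not code from the Trend Micro report or from the group's tooling; the records are constructed Sysmon-style image-load (event 7) and process-creation (event 1) entries, and the DLL watch-list and paths are assumptions.

```python
import ntpath

# Constructed Sysmon-style records (not real telemetry): id 7 = image load, id 1 = process create
EVENTS = [
    {"id": 7, "Image": r"E:\docs\Update.exe", "ImageLoaded": r"E:\docs\version.dll"},
    {"id": 7, "Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"id": 1, "Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r"Rar.exe a -hpPLACEHOLDER C:\Users\u\AppData\Local\Temp\o.rar *.docx *.pdf *.xlsx"},
    {"id": 1, "Image": r"C:\Program Files\WinRAR\Rar.exe", "CommandLine": r"Rar.exe x D:\photos.rar"},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed watch-list: system DLL names a trusted EXE would normally resolve from System32
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wlbsctrl.dll", "msvcr100.dll"}
DOC_EXTS = (".docx", ".pdf", ".xlsx")
ARCHIVERS = {"rar.exe", "winrar.exe"}


def is_sideload_candidate(ev):
    """System DLL name loaded from the EXE's own directory rather than a system directory."""
    if ev.get("id") != 7:
        return False
    dll = ev["ImageLoaded"].lower()
    exe = ev["Image"].lower()
    return (ntpath.basename(dll) in SYSTEM_DLL_NAMES
            and not dll.startswith(SYSTEM_DIRS)
            and ntpath.dirname(dll) == ntpath.dirname(exe))


def is_doc_archiving(ev):
    """RAR 'a' (add to archive) command whose arguments name the advisory's document types."""
    if ev.get("id") != 1 or ntpath.basename(ev["Image"]).lower() not in ARCHIVERS:
        return False
    args = ev["CommandLine"].lower().split()
    return len(args) > 1 and args[1] == "a" and any(a.endswith(DOC_EXTS) for a in args)


def triage(events):
    """Return (index, label) for every record matching one of the two behaviours."""
    hits = []
    for i, ev in enumerate(events):
        if is_sideload_candidate(ev):
            hits.append((i, "dll_sideload"))
        elif is_doc_archiving(ev):
            hits.append((i, "doc_archiving"))
    return hits


if __name__ == "__main__":
    for idx, label in triage(EVENTS):
        print(idx, label, EVENTS[idx]["Image"])
```

Both rules are deliberately narrow; in production the DLL watch-list would come from a baseline of System32 contents and the archiver rule would be joined with the file-server or USB context of the source paths.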

Indicators of Compromise (IoCs)


Mitigation and Prevention

  1. Email Filtering: Implement strong anti-phishing filters to block spear-phishing attempts, which are the primary infection vector for Mustang Panda campaigns.
  2. Patching: Ensure all systems are updated with the latest security patches to mitigate exploitation of known vulnerabilities.
  3. Endpoint Detection and Response (EDR): Deploy EDR solutions to detect and respond to malicious DLL side-loading and suspicious file transfers.
  4. Network Monitoring: Monitor for unusual outbound connections, especially to the identified IoCs such as the known C2 domains and IPs.
  5. User Training: Conduct regular security awareness training to educate employees on phishing risks and other security best practices.
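The network-monitoring step above depends on getting the published indicators, which are written in defanged "[.]" notation, back into a form that can be compared against proxy or DNS logs, and on matching subdomains of a listed C2 domain without over-matching look-alike names. The script below is an added example (not from the advisory's sources); the indicators and log lines are constructed placeholders, and the log format is an assumption.

```python
import re
from ipaddress import ip_address

# Constructed placeholder indicators in the advisory's defanged "[.]" notation;
# substitute the real C2 domains and IPv4 addresses from the IoC list
DEFANGED_IOCS = [
    "www[.]c2-placeholder-one[.]test",
    "c2-placeholder-two[.]test",
    "203[.]0[.]113[.]10",
]

# Constructed proxy/DNS-style log lines: "<time> <source host> -> <destination>:<port>"
SAMPLE_LOG = [
    "2024-09-10T08:01:12Z ws-017 -> www.c2-placeholder-one.test:443",
    "2024-09-10T08:01:30Z ws-017 -> updates.vendor.example:443",
    "2024-09-10T08:02:05Z ws-042 -> api.c2-placeholder-two.test:8080",
    "2024-09-10T08:02:40Z ws-042 -> 203.0.113.10:21",
    "2024-09-10T08:03:00Z ws-099 -> notc2-placeholder-two.test:443",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+)$")


def refang(ioc):
    """Restore a defanged indicator so it can be compared against live logs."""
    return ioc.replace("[.]", ".").lower()


def build_ioc_sets(defanged):
    """Split refanged indicators into a domain set and an IP set."""
    domains, ips = set(), set()
    for ioc in defanged:
        value = refang(ioc)
        try:
            ips.add(str(ip_address(value)))
        except ValueError:
            domains.add(value.rstrip("."))
    return domains, ips


def host_matches(host, domains):
    """Exact match or a true subdomain; 'notc2-...' must not match 'c2-...'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_log(lines, defanged=DEFANGED_IOCS):
    """Return (timestamp, source, destination) for each line that hits an indicator."""
    domains, ips = build_ioc_sets(defanged)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (m.group("dst") in ips or host_matches(m.group("dst"), domains)):
            hits.append((m.group("ts"), m.group("src"), m.group("dst")))
    return hits
```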

Conclusion

Mustang Panda continues to evolve its toolkit, using advanced malware such as PUBLOAD, FDMTP, and PTSOCKET to carry out cyber-espionage operations against high-value targets. Organizations, particularly in the government sector, must prioritize vigilance by improving phishing defenses, monitoring network traffic, and keeping systems up-to-date. Proactive detection and mitigation strategies are crucial in defending against these persistent and sophisticated threats.


Sources:

  1. Trend Micro, Earth Preta Evolves its Attacks with New Malware and Strategies
  2. Bleeping Computer, Chinese hackers use new data theft malware in govt attacks