Mustang Panda Expands Global Espionage with FDMTP and PUBLOAD
Threat Group: Mustang Panda (also known as Earth Preta, Bronze President, HoneyMyte)
Threat Type: Cyber-Espionage
Exploited Vulnerabilities: Phishing, DLL Side-loading, Removable Media Propagation
Malware Used: PUBLOAD, FDMTP, PTSOCKET, HIUPAN Worm
Threat Score: Critical (9.0/10) — Due to widespread targeting of government entities, advanced data exfiltration techniques, and consistent evolution of attack tools.
Last Threat Observation: September 2024 (Trend Micro)
Overview
Mustang Panda, a Chinese state-backed Advanced Persistent Threat (APT) group, has been active in cyber-espionage campaigns globally, with a primary focus on government and high-value entities. Their toolkit, which includes advanced malware such as PUBLOAD, FDMTP, and PTSOCKET, facilitates data exfiltration, lateral movement, and persistence in victim environments. The group's tactics rely heavily on spear-phishing attacks and malware propagation via removable media, making them a persistent and dangerous actor on the global stage.
Mustang Panda's attacks have been observed targeting organizations in the Asia-Pacific region but have also expanded globally to include other government and non-government sectors.
Key Details
- Attack Vectors:
- Spear-Phishing: Used as the primary method for initial compromise, often delivering the DOWNBAIT downloader or other malicious attachments.
- Removable Media: The HIUPAN worm spreads via USB devices, enabling lateral movement in environments without internet connectivity.
- DLL Side-loading: Employed to stealthily execute malware such as PUBLOAD and FDMTP.
- Malware Overview:
- PUBLOAD: A stager used to collect system information and map the infected network. It facilitates the delivery of secondary malware such as FDMTP.
- FDMTP: A downloader malware embedded in DLL files, which establishes remote control and executes additional payloads. It uses encrypted configurations to evade detection.
- PTSOCKET: A custom exfiltration tool designed for secure, multi-threaded data transfer using the Duplex Message Transport Protocol (DMTP).
- HIUPAN Worm: Propagates via USB drives, hiding its components and establishing persistence through DLL side-loading.
- Data Exfiltration:
- Sensitive files such as .docx, .pdf, and .xlsx are collected using tools like WinRAR, encrypted, and exfiltrated through FTP or the PTSOCKET file transfer tool. The data is transmitted over encrypted channels to attacker-controlled servers.
Indicators of Compromise (IoCs)
SHA256 Hashes:
FDMTP
ee986beeb058ec27d0dad9a0a671bbabaa56057102faf30f63397bdbe7fca81f
3514d2e74b476e1569bbf3311934809c6f8e97df5c9669a5fe475e508886df9f
71f114842c30e94c95e57ad394969d5766ca28d056dc724c9820717cf03eb0fe
959fd255338558d02c567680625d88f5c48e43827bbb1c408f2d43b01807809a
466684ad5755c9ee6080ff2a01646824c63a90d3e5be923581b89c707267e79f
f67ce881d31e7475d3bd70cad8bdc8fe0e8fd5f66b87ede0e49109395f7033aa
e2f4b2d71e02b49a2721a88eea7bf7308143ee55d7d8119e5e291eafd4859af5
ea18df47214ac1f96a75b1dffbe510b2855197490bc65f47886b25fc7e8aca15
533f47bc4997eed0491f58f24d45c7850cb460da252de90635938e095b5fc213
c2bed145cf09022ee6a378dc5e9b3ae49b7c95a6551fa7310a1d997f93f6e2d1
99071b9df19024480e1b6d7049e6713486418759b7f0191643776bd0ac08172b
756b9d6f50bd56adca1fa3d48ff07edf8ee3cc568fb32cbdd892403670343b43
d69a4a7aa3144ee7ec35e7c3a3a4220f5a43bc29cc4cfa0f27fef60b4d93de8d
56cb16589ab852de4900496ef74212c17902867e90253b4d9d7f335ef7d45a7b
c662f5c851314d952cf3594232a7db5b96cb528716cd71bf38393b647cfd4c82
f452b787e47493e89078e884bf92c61626e6ff4b9bc8eee8ae3728ddc65b7e46
fd68b49acf9234a8592497ef1d675acd57c6a67c6975313772d12c837f3264d1
565fa2992212c89bdec334c0fd318b3fd2c91707431fd8186016f11645925892
df0e16a29c9dffe2ff7b3d4c957af7459fd7e6fa8026d067202912b997773749
3278c06b5510edabb3318aa1892eb7e426e97946b86eea925965a46ba1725ebd
PUBLOAD
24a850f15a023f59389bf8fd1c33796cf3a5d8d08f77dda049d1c978a1825dde
2e44ebe8d864ae19446d0853c51e471489c0893fc5ae2e042c01c7f232d2a2c2
a062fafaff556b17a5ccb035c8c7b9d2015722d86a186b6b186a9c63eeb4308a
107ba73ae05ec6ba6d814665923191f14757015557eeeff16206cc957da29be3
14a9a74298408c65cb387574ffa8827abd257aa2b76f87efbaa1ee46e8763c57
HIUPAN
d1492101eb450f0e9badaea254e5551b49297fa4a98c53c939bb96bafd2151fe
586632c8bb5890c760efc21662105e649177deaf2b2c2eef3ede1da088f23a6c
68bec53e4772eee6c13278a471d669b916cdc797c81d128ee103ee90841fa19e
PTSOCKET
8ebb12d253a4b4c28435b25478abb590e94bdb55b83c55cda6d44c58a03bf9be
DOWNBAIT
3b9ef9701ea2b2c1a89489ed0ed43ffabec9e22b587470899c0d5aca1a1e4302
PULLBAIT
9dd62afdb4938962af9ff1623a0aa5aaa9239bcb1c7d6216f5363d14410a3369
CBROVER
d8747574251c8b4ab8da4050ba9e1f6e8dbbaa38f496317b23da366e25d3028a
7c520353045a15571061c3f6ae334e5f854d441bab417ebf497f21f5a8bc6925
FILESAC
b63bc07202491a4dcd34cc419351edb2f2c395b2671d7acf7bfc88abada344ec
PLUGX
44d2d35ca87bf4292e4586bd08f3fe51d3fff693fed2f9795ff49733338ae8a7
afed5635fa6d63b158fc408d5048bf2dafd6da210a98f308c02c94514ae28fc8
b37b244595cac817a8f8dba24fbea208205e1d1321651237fe24fdcfac4f8ffc
de08f83a5d2421c86573dfb968293c776a830d900af2bc735d2ecd7e77961aaf
d32d7e86ed97509289fff89a78895904cf07a82824c053bfaf1bc5de3f3ba791
IP Addresses (IPv4)
103[.]15[.]29[.]17
154[.]90[.]32[.]88
47[.]76[.]87[.]55
47[.]253[.]106[.]177
16[.]162[.]188[.]93
18[.]163[.]112[.]181
Domains
www[.]ynsins[.]com
www[.]aihkstore[.]com
www[.]bcller[.]com
Mitigation and Prevention
- Email Filtering: Implement strong anti-phishing filters to block spear-phishing attempts, which are the primary infection vector for Mustang Panda campaigns.
- Patching: Ensure all systems are updated with the latest security patches to mitigate exploitation of known vulnerabilities.
- Endpoint Detection and Response (EDR): Deploy EDR solutions to detect and respond to malicious DLL side-loading and suspicious file transfers.
- Network Monitoring: Monitor for unusual outbound connections, especially to the identified IoCs such as the known C2 domains and IPs.
- User Training: Conduct regular security awareness training to educate employees on phishing risks and other security best practices.
Conclusion
Mustang Panda continues to evolve its toolkit, using advanced malware such as PUBLOAD, FDMTP, and PTSOCKET to carry out cyber-espionage operations against high-value targets. Organizations, particularly in the government sector, must prioritize vigilance by improving phishing defenses, monitoring network traffic, and keeping systems up-to-date. Proactive detection and mitigation strategies are crucial in defending against these persistent and sophisticated threats.
Sources:
- Trend Micro, Earth Preta Evolves its Attacks with New Malware and Strategies
- Bleeping Computer, Chinese hackers use new data theft malware in govt attacks