
Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection
2022-03-24 14:08

The Chinese advanced persistent threat Mustang Panda has upgraded its espionage campaign against diplomatic missions, research entities and internet service providers - largely in and around Southeast Asia.

For one thing, the APT has deployed a brand-new, customized variant of an old but powerful remote-access tool called PlugX, according to researchers from ESET. They named this latest variant "Hodur," after a blind Norse god known for slaying his thought-to-be-invulnerable half-brother Baldr.

"The final lure is a real document available on the European Council's website," according to ESET. "This shows that the APT group behind this campaign is following current affairs and is able to successfully and swiftly react to them."

Hodur itself is hardly the star of the show: Mustang Panda's campaign features literally dozens of TTPs designed to establish persistence, collect data and evade defenses.

If a target falls for the bait, three files are deployed on the target machine: a legitimate, validly signed executable that is vulnerable to DLL search-order hijacking, a malicious DLL, and an encrypted Hodur payload.

Mustang Panda's campaigns frequently use custom loaders for shared malware, including Cobalt Strike, Poison Ivy and now Hodur.
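The three-file layout described above (a signed executable, a DLL it will load from its own directory, and an encrypted blob beside them) is a recognisable on-disk pattern that defenders can triage for. The following is an added example written for this page, not code from ESET, Threatpost or the campaign; the file names (`updater.exe`, `helper.dll`, `config.dat`) and the entropy threshold are assumptions, and the sample directory it builds is a constructed fixture rather than a real artifact. The heuristic looks for a PE executable, a PE DLL next to it, and a companion file whose byte entropy is close to that of ciphertext.

```python
import math
import tempfile
from pathlib import Path

# Hypothetical names for the constructed fixture; not indicators from the article.
SAMPLE_EXE = "updater.exe"
SAMPLE_DLL = "helper.dll"
SAMPLE_BLOB = "config.dat"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_pe(path: Path) -> bool:
    """Cheap PE check: Windows executables and DLLs start with the 'MZ' magic."""
    with path.open("rb") as f:
        return f.read(2) == b"MZ"


def find_sideload_triads(directory, entropy_threshold: float = 7.0, min_blob_size: int = 1024):
    """Flag a directory that holds a PE executable, a PE DLL beside it, and a
    high-entropy companion file: the side-loading layout the article describes.
    Returns a list of findings; an empty list means nothing matched.
    Legitimate installers can also match, so treat hits as triage leads, not verdicts."""
    d = Path(directory)
    files = [p for p in d.iterdir() if p.is_file()]
    exes = [p for p in files if p.suffix.lower() == ".exe" and is_pe(p)]
    dlls = [p for p in files if p.suffix.lower() == ".dll" and is_pe(p)]
    blobs = [p for p in files if p.suffix.lower() not in (".exe", ".dll")]
    findings = []
    for exe in exes:
        for dll in dlls:
            for blob in blobs:
                data = blob.read_bytes()
                if len(data) < min_blob_size:
                    continue  # tiny files give unreliable entropy estimates
                ent = shannon_entropy(data)
                if ent >= entropy_threshold:
                    findings.append({
                        "executable": str(exe),
                        "dll": str(dll),
                        "payload": str(blob),
                        "payload_entropy": round(ent, 3),
                    })
    return findings


def build_sample_dir(suspicious: bool = True) -> str:
    """Constructed fixture: writes three stand-in files to a fresh temp directory.
    The 'PE' files are just MZ-prefixed padding; the companion file is either a
    perfectly uniform byte stream (stand-in for ciphertext) or plain config text."""
    d = Path(tempfile.mkdtemp())
    (d / SAMPLE_EXE).write_bytes(b"MZ" + b"\x00" * 510)
    (d / SAMPLE_DLL).write_bytes(b"MZ" + b"\x00" * 510)
    if suspicious:
        payload = bytes(range(256)) * 16            # entropy exactly 8.0 bits/byte
    else:
        payload = b"[settings]\nlanguage=en\n" * 64  # low-entropy text, no hit expected
    (d / SAMPLE_BLOB).write_bytes(payload)
    return str(d)


if __name__ == "__main__":
    for flag in (True, False):
        hits = find_sideload_triads(build_sample_dir(suspicious=flag))
        print("suspicious" if flag else "benign", "->", hits or "no triad found")
```

Run as a script it builds both fixtures and prints one hit for the suspicious layout and none for the benign one. In practice the same function would be pointed at user-writable drop locations, and a hit is a reason to check the executable's signer and imports rather than a conviction on its own.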

News URL

https://threatpost.com/chinese-apt-combines-fresh-hodur-rat-with-complex-anti-detection/179084/