
Cyberespionage: New Mustang Panda campaign targets Europe
2022-05-06 13:41

Cisco Talos Intelligence Group reported a new attack campaign from the infamous cyberespionage threat actor Mustang Panda, also known as Bronze President, RedDelta, HoneyMyte, TA416 or Red Lich, with a particular focus on Europe.

The downloader now retrieves the decoy document from one URL and uses a second URL to fetch the benign executable file, the DLL file and the final PlugX payload, leading to further malware infections.

Mustang Panda has also used another infection technique, in which an archive file sent by spearphishing email contains an executable file together with an accompanying DLL file responsible for decoding an embedded shellcode, which in turn downloads and executes additional shellcode from a C2 IP address.

Another malicious file used by Mustang Panda binds itself locally to the infected computer and listens for any incoming requests from a hardcoded C2 server IP address.

Mustang Panda also makes use of LNK files containing a command that extracts content from the LNK file itself and executes it as a BAT file.
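A defensive check for the LNK technique described above, added here as an example and not taken from the Talos report or the article: it walks the Shell Link (MS-SHLLINK) header, skips the optional IDList and LinkInfo structures, recovers the StringData fields, and flags shortcuts whose COMMAND_LINE_ARGUMENTS reference a .bat or a .lnk file. The sample shortcut and the two heuristic checks are constructed assumptions, not indicators from the campaign.

```python
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits (MS-SHLLINK 2.1.1); only the ones needed for StringData parsing
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
# StringData fields appear in this fixed order, each only if its flag is set
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]

def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a Shell Link (.lnk) file as a dict."""
    if (len(data) < LNK_HEADER_SIZE or data[:4] != struct.pack("<I", LNK_HEADER_SIZE)
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize counts the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, not bytes
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        pos += width * count
        out[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return out

def suspicious_lnk_reasons(data: bytes) -> list:
    """Constructed heuristic: a shortcut whose arguments point at a .bat, or back at a .lnk
    (self-extraction), deserves analyst attention."""
    args = parse_lnk_strings(data).get("arguments", "").lower()
    reasons = []
    if ".lnk" in args:
        reasons.append("arguments reference a .lnk file (possible self-extraction)")
    if ".bat" in args:
        reasons.append("arguments reference a .bat file")
    return reasons

def build_sample_lnk(arguments: str, unicode: bool = True) -> bytes:
    """Constructed test sample: header + COMMAND_LINE_ARGUMENTS only (no IDList/LinkInfo)."""
    flags = HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
              + bytes(LNK_HEADER_SIZE - 24))          # remaining header fields zeroed
    encoded = arguments.encode("utf-16-le" if unicode else "cp1252")
    return header + struct.pack("<H", len(arguments)) + encoded
```

On a real triage set, feed each shortcut's bytes to suspicious_lnk_reasons and review anything that returns a non-empty list; arguments are the field to watch because the target path of such shortcuts is usually an innocuous system binary.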

While Mustang Panda has made heavy use of the PlugX/KorPlug malware over the years, in different variants, it has constantly updated and changed the intermediate payload deliveries with different stagers, scripts, reverse shells and LNK files.


News URL

https://www.techrepublic.com/article/cyberespionage-new-mustang-panda-campaign-targets-europe/
