Mustang Panda hacking group takes advantage of Ukraine crisis in new attacks

Just as criminals seized on the pandemic, this group is trying to capitalize on Russia's invasion of Ukraine.
Written by Charlie Osborne, Contributing Writer

Researchers have exposed a Mustang Panda campaign that is taking advantage of the Russia-Ukraine conflict to spread new malware.

On March 23, researchers from ESET said that Mustang Panda, a Chinese cyberespionage group also tracked as TA416, RedDelta, and Bronze President, has been spreading a new Korplug/PlugX Remote Access Trojan (RAT) variant.

Korplug is a RAT previously used in attacks against the Afghanistan and Tajikistan militaries, targets across Asia, and high-value organizations in Russia. Researchers say that Chinese threat actors have used variants of the Trojan since at least 2012. 

The new variant, however, has remained under the radar until now. 

ESET has named the new sample Hodur. The new version has some similarities to Thor, a variant of the malware that was deployed during the Microsoft Exchange Server debacle and detected by Palo Alto Networks in 2021.

Hodur is being spread through a phishing campaign leveraging topics of interest in Europe, including Russia's current invasion of Ukraine. The attack wave is still ongoing but has taken different forms since August 2021, depending on current events. 

By adapting its phishing methods to include current hot topics, conflicts, and news items, Mustang Panda has managed to successfully infiltrate research organizations, internet service providers (ISPs), and systems belonging to European diplomatic initiatives across countries including Mongolia, Vietnam, Myanmar, Greece, Russia, South Africa, and Cyprus.

While ESET is not sure of the campaign's source, phishing and watering hole attacks are the likely means of initial access. Custom downloaders for Hodur have been found in several decoy documents with names including:

  • Situation at the EU borders with Ukraine.exe
  • COVID-19 travel restrictions EU reviews list of third countries.exe
  • State_aid__Commission_approves_2022-2027_regional_aid_map_for_Greece.exe

The decoys were also packaged up with .doc and .PDF extensions. 
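
The decoy names above share one trait a mail gateway or endpoint rule can key on: a document-style title attached to an executable. The following triage heuristic is an added example, not code from ESET or the original article; the extension sets, the double-extension rule, and the four-word threshold are assumptions chosen for illustration.

```python
import re

# Assumed extension sets for this example; tune to the environment.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif"}
DOCUMENT_EXT = {".doc", ".docx", ".pdf", ".rtf", ".xls", ".xlsx"}
MIN_TITLE_WORDS = 4  # assumed threshold: installers rarely have 4+ word names


def lure_reasons(filename: str) -> list[str]:
    """Return why a file name looks like a document-themed executable lure."""
    # Drop any Windows directory prefix and padding around the name.
    name = filename.strip().rsplit("\\", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    if not dot or "." + ext.lower() not in EXECUTABLE_EXT:
        return []  # not an executable by extension: out of scope here

    reasons = []
    # Rule 1: a document extension hidden in front of the real one.
    inner = "." + stem.rpartition(".")[2].lower() if "." in stem else ""
    if inner in DOCUMENT_EXT:
        reasons.append("double-extension")
    # Rule 2: the stem reads like a headline (words split on space/underscore).
    words = [w for w in re.split(r"[\s_]+", stem) if w]
    if len(words) >= MIN_TITLE_WORDS:
        reasons.append("title-like-name")
    return reasons


def triage(filenames: list[str]) -> dict[str, list[str]]:
    """Map each suspicious file name to the rules it tripped."""
    return {n: r for n in filenames if (r := lure_reasons(n))}


if __name__ == "__main__":
    observed = [
        # Names reported in the article
        "Situation at the EU borders with Ukraine.exe",
        "COVID-19 travel restrictions EU reviews list of third countries.exe",
        "State_aid__Commission_approves_2022-2027_regional_aid_map_for_Greece.exe",
        # Constructed samples for comparison
        "invoice.pdf.exe",
        "setup.exe",
        "Quarterly report for the board.pdf",
    ]
    for name, why in triage(observed).items():
        print(f"{name!r}: {', '.join(why)}")
```

A hit is a reason to quarantine or inspect the file, not proof of compromise; the rule only looks at the name and says nothing about the file's contents.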

If an intended victim opens the decoy document and executes the package, a malicious .DLL file, an encrypted Korplug file, and an executable vulnerable to DLL search-order hijacking land on the target machine. 

The .exe file loads the .DLL, and then the RAT is decrypted and unpacked. The Korplug RAT variant will then establish a backdoor, connect to its command-and-control (C2) server, and perform reconnaissance on the infected system. 

In other security news this week, Google has removed a popular Android app from the Play Store after Pradeo warned that the application contained a Trojan able to harvest Facebook account credentials. 
