The Mustang Panda hack group, a Chinese-linked cybercriminal gang, is using the Russia-Ukrainian war as a lure to facilitate attacks on various European and Pacific Asian organizations. The Blackberry research and Intelligence team revealed details in a December 6 blog of a RAR archive file called “Political Guidance for the new EU approach towards Russia.rar.”
Blackberry’s analysis of the file revealed that countries targeted by the hacking gang included Italy, Brazil, Turkey, India, Vietnam, and Pakistan. This analysis backs up previous reports from Google, ProofPoint, and the Computer Emergency Response Team of Ukraine, which has previously warned of the cyber security threat posed by the cybercriminal gang.
Mustang Panda is an Active Cyber Criminal Gang From China
Mustang Panda is a Chinese hacking gang that is believed to have been active since 2018, although experts believe they may have been responsible for cyber security threats dating back to 2012. the gang also operates under names such as RedDelta, red Lich, Bronze President, Earth Preta, and Honeymyte.
The criminal hacking group has become known for using current geo-political events to enable attacks on organizations and governments across the globe. The gang is known for cyber security attacks, which send weaponized attachments in phishing emails. Once opened, the infected systems become victims to a remote access trojan named PlugX. However, more recent attacks from the group to make cyber security news has involved custom back doors.
In recent attacks on education, research, and government organizations in the Asia Pacific, the cybercriminal group has used custom malicious software such as TONESHELL, PUBLOAD, and TONEINS. It is thought that this indicates the group has expanded its range of software for malware attacks.
Despite this, the report from the BlackBerry Threat Research and Intelligence team claims the infection process during the cyber security attacks has remained the same.
How the Mustang Panda Phishing Attacks Operate
Within the phishing email sent to attacked organizations, the cyber hackers include a shortcut link to a WORD file. When this is clicked on, it begins a DLL side-loading process to enable the execution of PlugX.
The link will be named with a title that references a current political issue or event. In the most recent cases. this has been the ongoing war between Russia and Ukraine. The topic of the phishing email is adapted according to which topic may pique the interest of the organization representative receiving the message.
This cyber security attack was employed against Myanmar earlier this year. But experts believe that the prolific cybercriminal gang has the capability to variate its approach and technology as needed.
“They have been known to change and update their core toolset using existing malware, as well as develop their custom tools from campaign to campaign,” “BlackBerry’s Dmitry Bestuzhev recently revealed to the Hacker News website. The fact that they can do this is also an indication of the level of resourcing, sophistication, and expertise they have at their disposal.”
