The threat group often uses custom loaders for shared malware – such as Cobalt Strike, Poison Ivy and Korplug – in its campaigns. In the past it has also created its own Korplug variants. Mustang Panda also uses techniques designed to thwart analysis and obfuscate how the malware works.

The Korplug remote access trojan (RAT) and its variants have been around for about a decade and have been used by a number of Chinese threat groups. ESET researchers said that despite the new Hodur variant and custom loaders, Mustang Panda is still leveraging DLL side-loading to evade detection. At the same time, the group is using even more anti-analysis techniques and obfuscation throughout the attack process.

The decoy documents are designed to entice victims to open them. Doing so opens the pathway for a malicious file, an encrypted Korplug file and an executable to land on the targeted system. The Korplug Hodur variant creates a backdoor and messages back to a command-and-control (C2) server for orders.

"Korplug (also known as PlugX) is a RAT used by multiple APT groups," ESET researchers wrote. "In spite of it being so widely used, or perhaps because of it, few reports extensively describe its commands and the data it exfiltrates. Its functionality is not constant between variants, but there does seem to exist a significant overlap in the list of commands between the version we analyzed and other sources."

The researchers expect Mustang Panda to continue to evolve its operations, noting how quickly it can react to current events, such as an EU regulation regarding COVID-19 that was used as a decoy two weeks after it came out.

Researchers with cybersecurity firm Proofpoint referred to the same campaign in a report earlier this month, noting that the campaign by the threat group – which they call TA146 – is part of a larger trend among cybercriminals to profit off the fallout from Russia's war against Ukraine.