Mustang Panda

Mustang Panda is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. Mustang Panda has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Europe, Mongolia, Myanmar, Pakistan, and Vietnam, among others.[1][2][3]

ID: G0129
Associated Groups: TA416, RedDelta, BRONZE PRESIDENT
Contributors: Kyaw Pyiyt Htet, @KyawPyiytHtet
Version: 2.1
Created: 12 April 2021
Last Modified: 22 March 2023

Associated Group Descriptions

Name | Description
TA416 | [4]
RedDelta | [5][6]
BRONZE PRESIDENT | [3]

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

Mustang Panda has executed PowerShell scripts via WMI.[2][3]

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

Mustang Panda's custom ORat tool uses a WMI event consumer to maintain persistence.[3]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Mustang Panda has used names like adobeupdate.dat and PotPlayerDB.dat to disguise PlugX, and a file named OneDrive.exe to load a Cobalt Strike payload.[5]

.007 Masquerading: Double File Extension

Mustang Panda has used an additional filename extension to hide the true file type.[1][2]

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

Mustang Panda has delivered web bugs to profile their intended targets.[6]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Mustang Panda has encrypted C2 communications with RC4.[5]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file.[2][5][4]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Mustang Panda has created the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobelmdyU to maintain persistence.[4]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Mustang Panda has used malicious PowerShell scripts to enable execution.[1][2]

.003 Command and Scripting Interpreter: Windows Command Shell

Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection.[2][7]

.005 Command and Scripting Interpreter: Visual Basic

Mustang Panda has embedded VBScript components in LNK files to download additional files and automate collection.[1][2][3]

Enterprise T1203 Exploitation for Client Execution

Mustang Panda has exploited CVE-2017-0199 in Microsoft Word to execute code.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Mustang Panda has communicated with its C2 via HTTP POST requests.[2][3][5][8]

Enterprise T1585 .002 Establish Accounts: Email Accounts

Mustang Panda has leveraged the legitimate email marketing service SMTP2Go for phishing campaigns.[6]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Mustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration.[3][7]

.003 Archive Collected Data: Archive via Custom Method

Mustang Panda has encrypted documents with RC4 prior to exfiltration.[7]

Enterprise T1003 .003 OS Credential Dumping: NTDS

Mustang Panda has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file. Mustang Panda has also used reg save on the SYSTEM file Registry location to help extract the NTDS.dit file.[3]
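A detection check for the NTDS.dit extraction chain described above (shadow copy creation followed by NTDS.dit access or a SYSTEM hive save), written here as an added example; it is not code from the ATT&CK page or from any cited report. The process-creation records are constructed, and the 30-minute correlation window is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (Sysmon Event ID 1 style, simplified).
SAMPLE_EVENTS = [
    {"ts": "2023-03-01T10:00:00", "host": "FS01", "cmd": "vssadmin create shadow /for=C:"},
    {"ts": "2023-03-01T10:00:20", "host": "FS01",
     "cmd": "cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\NTDS\\ntds.dit c:\\windows\\temp\\n.dat"},
    {"ts": "2023-03-01T10:00:45", "host": "FS01", "cmd": "reg save hklm\\system c:\\windows\\temp\\sys.hiv"},
    {"ts": "2023-03-01T11:00:00", "host": "WS07", "cmd": "vssadmin list shadows"},   # benign admin activity
    {"ts": "2023-03-02T09:00:00", "host": "BK02", "cmd": "vssadmin create shadow /for=D:"},  # backup job, no follow-up
]

# Each pattern is one step of the NTDS extraction chain described on the page.
STEPS = {
    "shadow_create": re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I),
    "ntds_access":   re.compile(r"ntds\.dit", re.I),
    "system_hive":   re.compile(r"\breg(\.exe)?\s+save\s+(hklm|hkey_local_machine)\\system\b", re.I),
}

def classify(cmd):
    """Return the set of chain steps a command line matches (empty if none)."""
    return {name for name, rx in STEPS.items() if rx.search(cmd)}

def detect_ntds_dump(events, window_minutes=30):
    """Flag hosts where shadow creation is followed, within the window,
    by NTDS.dit access and/or a save of the SYSTEM hive (needed to decrypt it).
    A shadow copy on its own is not alerted, so routine backups stay quiet."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if "shadow_create" not in classify(ev["cmd"]):
                continue
            t0 = datetime.fromisoformat(ev["ts"])
            seen = set()
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["ts"]) - t0 > timedelta(minutes=window_minutes):
                    break
                seen |= classify(later["cmd"]) & {"ntds_access", "system_hive"}
            if seen:
                alerts.append({"host": host, "start": ev["ts"], "followed_by": sorted(seen)})
    return alerts

if __name__ == "__main__":
    for alert in detect_ntds_dump(SAMPLE_EVENTS):
        print(alert)
```

Only FS01 is flagged: WS07 merely lists shadows and BK02 creates one without touching NTDS.dit or the SYSTEM hive.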

Enterprise T1074 .001 Data Staged: Local Data Staging

Mustang Panda has stored collected credential files in c:\windows\temp prior to exfiltration. Mustang Panda has also stored documents for exfiltration in a hidden folder on USB drives.[3][7]

Enterprise T1083 File and Directory Discovery

Mustang Panda has searched the entire target system for DOC, DOCX, PPT, PPTX, XLS, XLSX, and PDF files.[7]

Enterprise T1608 Stage Capabilities

Mustang Panda has used servers under their control to validate tracking pixels sent to phishing victims.[6]

.001 Upload Malware

Mustang Panda has hosted malicious payloads on DropBox including PlugX.[6]

Enterprise T1027 Obfuscated Files or Information

Mustang Panda has delivered initial payloads hidden using archives and encoding measures.[1][2][3][5][4][6]

.001 Binary Padding

Mustang Panda has used junk code within their DLL files to hinder analysis.[7]

Enterprise T1204 .001 User Execution: Malicious Link

Mustang Panda has sent malicious links including links directing victims to a Google Drive folder.[1][8][6]

.002 User Execution: Malicious File

Mustang Panda has sent malicious files requiring direct victim interaction to execute.[1][2][7][5][9][6]

Enterprise T1070 .004 Indicator Removal: File Deletion

Mustang Panda will delete their tools and files, and kill processes after their objectives are reached.[3]

Enterprise T1218 .004 System Binary Proxy Execution: InstallUtil

Mustang Panda has used InstallUtil.exe to execute a malicious Beacon stager.[2]

.005 System Binary Proxy Execution: Mshta

Mustang Panda has used mshta.exe to launch collection scripts.[3]

Enterprise T1082 System Information Discovery

Mustang Panda has gathered system information using systeminfo.[7]

Enterprise T1049 System Network Connections Discovery

Mustang Panda has used netstat -ano to determine network connection information.[7]

Enterprise T1016 System Network Configuration Discovery

Mustang Panda has used ipconfig and arp to determine network configuration information.[7]

Enterprise T1102 Web Service

Mustang Panda has used DropBox URLs to deliver variants of PlugX.[6]

Enterprise T1119 Automated Collection

Mustang Panda used custom batch scripts to collect files automatically from a targeted system.[3]

Enterprise T1583 .001 Acquire Infrastructure: Domains

Mustang Panda has acquired C2 domains prior to operations.[3][5][8]

Enterprise T1518 Software Discovery

Mustang Panda has searched the victim system for the InstallUtil.exe program and its version.[2]

Enterprise T1105 Ingress Tool Transfer

Mustang Panda has downloaded additional executables following the initial infection stage.[5]

Enterprise T1057 Process Discovery

Mustang Panda has used tasklist /v to determine active process information.[7]

Enterprise T1219 Remote Access Software

Mustang Panda has installed TeamViewer on targeted systems.[3]

Enterprise T1091 Replication Through Removable Media

Mustang Panda has used a customized PlugX variant which could spread through USB connections.[7]

Enterprise T1052 .001 Exfiltration Over Physical Medium: Exfiltration over USB

Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks.[7]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Mustang Panda has used spearphishing attachments to deliver initial access payloads.[5][4][9]

.002 Phishing: Spearphishing Link

Mustang Panda has delivered malicious links to their intended targets.[8]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Mustang Panda's PlugX variant has created a hidden folder on USB drives named RECYCLE.BIN to store malicious executables and collected data.[7]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Mustang Panda has created a scheduled task to execute additional malicious software, as well as maintain persistence.[2][3][8]

Software

ID Name References Techniques
S0154 Cobalt Strike [1][2][3][5][8] BITS Jobs, Windows Management Instrumentation, Data from Local System, Proxy: Domain Fronting, Proxy: Internal Proxy, Use Alternate Authentication Material: Pass the Hash, Modify Registry, Create or Modify System Process: Windows Service, Office Application Startup: Office Template Macros, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Protocol Tunneling, Reflective Code Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Exploitation for Client Execution, Screen Capture, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Data Transfer Size Limits, Data Obfuscation: Protocol or Service Impersonation, Data Encoding: Standard Encoding, File and Directory Discovery, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Native API, Exploitation for Privilege Escalation, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Query Registry, Browser Session Hijacking, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: Timestomp, System Binary Proxy Execution: Rundll32, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Hide Artifacts: Process Argument Spoofing, Non-Application Layer Protocol, Scheduled Transfer, Subvert Trust Controls: Code Signing
S0590 NBTscan [3] System Owner/User Discovery, System Network Configuration Discovery, Network Sniffing, Network Service Discovery, Remote System Discovery
S0013 PlugX [1][2][3][7][5][6] Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Hijack Execution Flow: DLL Search Order Hijacking, Deobfuscate/Decode Files or Information, Trusted Developer Utilities Proxy Execution: MSBuild, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, File and Directory Discovery, Native API, Query Registry, Obfuscated Files or Information, System Network Connections Discovery, Network Share Discovery, Web Service: Dead Drop Resolver, Virtualization/Sandbox Evasion: System Checks, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Hide Artifacts: Hidden Files and Directories, Non-Application Layer Protocol
S0012 PoisonIvy [1][5] Rootkit, Data from Local System, Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Active Setup, Command and Scripting Interpreter: Windows Command Shell, Application Window Discovery, Execution Guardrails: Mutual Exclusion, Data Staged: Local Data Staging, Obfuscated Files or Information, Ingress Tool Transfer, Input Capture: Keylogging, Process Injection: Dynamic-link Library Injection
S0662 RCSession [3] Data from Local System, Masquerading, Modify Registry, Encrypted Channel, Hijack Execution Flow: DLL Side-Loading, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Fileless Storage, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: File Deletion, System Binary Proxy Execution: Msiexec, System Information Discovery, System Owner/User Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Process Hollowing, Non-Application Layer Protocol

References