A dangerous new hacking collective known as Mustang Panda is leveraging macro-infected documents to target users worldwide. The large-scale campaign appears to be against both public and private sectors. At the moment there is no information available about the intentions and identity of the hackers.
Infected Documents Used By New Hacking Group Called Mustang Panda
A hacking group that was previously unknown has been found distributing macro-infected documents to users. The hackers appear to originate from China, and the targeted networks include both private users and public companies. The attacks are global and are not limited to China. What is known is that the group originally started spreading malware last year but has since upgraded its tactics with new procedures. Some of the confirmed targets are the following: the China Center (a non-profit organization), a Vietnamese political party, and residents of Southeast Asia. The countries targeted include Mongolia, Germany, Myanmar, Vietnam and Pakistan.
The hackers have focused on social engineering techniques to manipulate targets into opening the infected documents. Typically this is done through email messages that carry malicious scripts and content. In most cases the messages impersonate well-known companies or services and include the malicious scripts. Depending on the exact technique, the dangerous files may be either attached to the message or linked from its contents.
In the end the targets receive a zip file containing a .lnk file masked with a double extension. If the archive is opened and the included file is launched, the relevant malware is installed. In the analyzed attack campaigns, two main payloads have been delivered to the victims:
- Cobalt Strike Beacon — This is a dangerous payload that can be highly customized for different attacks. It is commonly used to harvest information over the Internet and for surveillance of victim users. Much of its functionality is focused on giving the criminals the ability to execute their own commands, retrieve information and data, and modify the configuration of the system.
- PlugX Trojan — This is a powerful Trojan that has been known for at least several years now. It has gone through different updates and versions and is composed of several modules. It can be used to take control of the compromised machine and allow the hacker operators to hijack information, including personal data. More dangerous still is its ability to spy on users at any time and manipulate the system in every possible way.
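The delivery chain described above, a zip archive carrying a .lnk shortcut hidden behind a decoy extension, is something a mail gateway or triage script can flag before the archive reaches a user. The following is an added example written for this article, not code from the campaign or any vendor: it assumes the "double extension" takes the form of a decoy extension followed by .lnk (for example `invitation.pdf.lnk`), and it also checks member contents for the Windows shell link header so a shortcut renamed to look like a document is still caught. The sample archive is constructed in the script, not a real campaign artefact.

```python
import io
import zipfile

# Windows shell link (.lnk) files begin with HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 (MS-SHLLINK specification).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

def is_double_extension_lnk(name: str) -> bool:
    """True for names such as 'invitation.pdf.lnk' (decoy extension, then .lnk).

    Assumption for this example: the masking pattern is <name>.<decoy>.lnk.
    """
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return len(parts) >= 3 and parts[-1] == "lnk" and parts[-2] != ""

def scan_zip(data: bytes) -> list:
    """Return (member name, reason) pairs for suspicious members of a zip archive.

    Two checks: a .lnk hidden behind a decoy extension in the member name, and
    LNK header bytes in a member whose name does not end in .lnk.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if is_double_extension_lnk(name):
                findings.append((name, "double-extension .lnk"))
            head = zf.open(info).read(len(LNK_MAGIC))
            if head == LNK_MAGIC and not name.lower().endswith(".lnk"):
                findings.append((name, "LNK header without .lnk extension"))
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample archive for testing; member contents are dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invitation.pdf.lnk", LNK_MAGIC + b"\x00" * 16)  # masked shortcut
        zf.writestr("readme.txt", b"plain text")                      # benign
        zf.writestr("notes.doc", LNK_MAGIC + b"\x00" * 16)            # renamed shortcut
    return buf.getvalue()

if __name__ == "__main__":
    for member, reason in scan_zip(build_sample_zip()):
        print(f"{member}: {reason}")
```

On the constructed archive the scan reports `invitation.pdf.lnk` and `notes.doc` and leaves `readme.txt` alone; in a gateway the same check would run on the attachment bytes before delivery.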
Such attacks are likely to continue in the future with even larger campaigns. The criminal collective appears to have the resources to target such networks. We anticipate that they may use other tactics or expand on their experience with social engineering and phishing.