Full Report
The China-linked threat actor known as Mustang Panda has been attributed to a cyber attack targeting an unspecified organization in Myanmar with previously unreported tooling, highlighting a continued effort by the threat actor to increase the sophistication and effectiveness of its malware. This includes updated versions of a known backdoor called TONESHELL, as well as a new lateral movement
Analysis Summary
# Threat Actor: Mustang Panda
## Attribution & Identity
**Attribution:** China-linked state-sponsored threat actor.
**Aliases and Associated Groups:** BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta.
## Activity Summary
Mustang Panda was attributed to a cyber attack targeting an unspecified organization in **Myanmar**. The campaign utilized updated versions of their known backdoor, TONESHELL, and introduced new post-compromise tooling, including the lateral movement tool StarProxy, two keyloggers (PAKLOG and CorKLOG), and an EDR evasion driver (SplatCloak). This activity highlights the group's continued focus on increasing malware sophistication.
## Tactics, Techniques & Procedures
- **Backdoor Usage & Updates:** Updated TONESHELL backdoor with modifications to its FakeTLS C2 communication protocol and to the way client identifiers are generated and stored. Three variants were observed:
  - Variant 1: a simple reverse shell.
  - Variant 2: downloads DLLs from the C2 and injects them into legitimate processes such as `svchost.exe`.
  - Variant 3: custom TCP-based C2 communication.
- **Lateral Movement/Proxying:** Deployment of **StarProxy**, which uses the FakeTLS protocol to proxy traffic between infected devices and C2 servers, utilizing custom XOR-based encryption.
- **Data Collection:** Use of two new keyloggers, **PAKLOG** and **CorKLOG**, to monitor keystrokes and clipboard data. CorKLOG utilizes RC4 encryption for storing captured data and implements persistence via services or scheduled tasks.
- **EDR Evasion:** Deployment of **SplatCloak**, a Windows kernel driver launched via SplatDropper, specifically designed to disable EDR routines implemented by Windows Defender and Kaspersky.
- **Initial Access/Execution:** Continued reliance on **DLL side-loading**, a technique the group has long used to load PlugX and which was used in this campaign to deploy StarProxy.
- **C2 Communication:** Use of the **FakeTLS** command-and-control protocol.
- **Persistence:** CorKLOG establishes persistence via creating services or scheduled tasks.
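FakeTLS, used by both TONESHELL and StarProxy above, is named for what it mimics: the traffic carries TLS record headers so that a cursory look sees ordinary port-443-style traffic, but no real handshake takes place and the payload is protected with the operator's own scheme (custom XOR-based encryption in StarProxy's case). The following is an added example, not code from the report, the vendor, or the malware itself. It assumes the simplest FakeTLS shape, which the page does not describe in detail: Application Data records (content type 0x17) from the very first bytes of the client's stream, with no ClientHello. It parses the TLS record framing and classifies a captured stream accordingly; the byte strings are constructed for illustration.

```python
"""Classify the first bytes a client sends on a TCP stream as real TLS,
FakeTLS-style pseudo-TLS, or neither. Added example; the framing rules
are the TLS record layer, the FakeTLS shape is an assumption."""

CONTENT_TYPE_HANDSHAKE = 0x16
CONTENT_TYPE_APPDATA = 0x17
HANDSHAKE_CLIENT_HELLO = 0x01


def split_records(data: bytes):
    """Walk TLS records (1-byte type, 2-byte version, 2-byte length, body).
    Stops at a truncated record instead of guessing its contents."""
    records = []
    off = 0
    while off + 5 <= len(data):
        ctype = data[off]
        rec_len = int.from_bytes(data[off + 3:off + 5], "big")
        end = off + 5 + rec_len
        if end > len(data):
            break
        records.append((ctype, data[off + 5:end]))
        off = end
    return records


def classify_stream(data: bytes) -> str:
    """Return one of: 'tls-handshake', 'faketls', 'not-tls', 'short'."""
    if len(data) < 5:
        return "short"
    ctype, vmaj, vmin = data[0], data[1], data[2]
    # Every TLS version on the wire uses major version 3 (SSL3 .. TLS1.3).
    if ctype not in (CONTENT_TYPE_HANDSHAKE, CONTENT_TYPE_APPDATA) or vmaj != 3 or vmin > 4:
        return "not-tls"
    records = split_records(data)
    if not records:
        return "short"
    first_type, first_payload = records[0]
    # A genuine client opens with a Handshake record carrying a ClientHello.
    if first_type == CONTENT_TYPE_HANDSHAKE and first_payload[:1] == bytes([HANDSHAKE_CLIENT_HELLO]):
        return "tls-handshake"
    # Application Data records with no handshake ever seen: the TLS header is
    # cosmetic and the body is the operator's own ciphertext (FakeTLS shape).
    if all(t == CONTENT_TYPE_APPDATA for t, _ in records):
        return "faketls"
    return "not-tls"


# Constructed samples (not captures from the incident).
REAL_CLIENT_HELLO = b"\x16\x03\x01\x00\x06" + b"\x01\x00\x00\x02\x03\x03"
FAKETLS_STREAM = (b"\x17\x03\x03\x00\x04" + b"\xde\xad\xbe\xef"
                  + b"\x17\x03\x03\x00\x02" + b"\x01\x02")
PLAIN_HTTP = b"GET / HTTP/1.1\r\n"

if __name__ == "__main__":
    for name, sample in (("real", REAL_CLIENT_HELLO), ("fake", FAKETLS_STREAM), ("http", PLAIN_HTTP)):
        print(name, classify_stream(sample))
```

The check only catches sessions that skip the handshake entirely. Where an implant replays a canned ClientHello before its own records, pair this with checks on the rest of the handshake (certificate exchange, JA3/JA4 fingerprint of the client) rather than on the first record alone.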
## Targeting
- **Sectors:** Historically known for targeting governments, military entities, minority groups, and non-governmental organizations (NGOs).
- **Geography:** Primarily East Asia, with secondary targeting in Europe. The recent activity specifically targeted an organization in **Myanmar**.
- **Victims:** An unspecified organization in **Myanmar**.
## Tools & Infrastructure
- **Malware Families Used:** TONESHELL (updated backdoor), StarProxy (lateral movement/proxy tool), PAKLOG (keylogger), CorKLOG (keylogger), SplatCloak (EDR evasion driver), SplatDropper.
- **Infrastructure:** Communication relies on the **FakeTLS** protocol for C2. StarProxy utilizes TCP sockets for communication with C2 servers, employing custom XOR-based encryption. (Specific IPs/domains are not provided in the text).
## Implications
Mustang Panda maintains a high operational tempo and is aggressively updating its toolset to enhance persistence, evasion capabilities (especially against EDR), and C2 effectiveness through custom protocols like FakeTLS. Their focus on political/sensitive targets in East Asia suggests ongoing, state-aligned espionage activities.
## Mitigations
- Monitor for DLL side-loading: a legitimate, signed executable loading an unsigned DLL from its own directory outside the normal install roots, the pattern the group uses for PlugX and for StarProxy.
- Alert on new kernel driver loads (Sysmon Event ID 6; System Event ID 7045 for the driver's service entry), especially unsigned drivers or drivers dropped in user-writable paths. SplatCloak is loaded by SplatDropper specifically to disable Windows Defender and Kaspersky EDR routines, so a host whose EDR sensor suddenly stops reporting warrants the same scrutiny.
- Analyze network traffic for communications using custom encryption or non-standard TLS patterns indicative of the FakeTLS protocol used by TONESHELL and StarProxy.
- Monitor for newly created services and scheduled tasks (System Event ID 7045, Security Event ID 4698), the persistence mechanisms used by CorKLOG.
- Investigate the presence of new binary artifacts such as StarProxy, used for proxying traffic between internal hosts and the C2 during internal pivoting.
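The mitigations above reduce to a few host telemetry rules. The block below is an added example, not code from the report or any vendor, showing those rules run over constructed Sysmon and Windows event records: a DLL side-load check (Sysmon Event ID 7), a suspicious driver load check (Sysmon Event ID 6), and a persistence check on service and scheduled-task creation (System 7045, Security 4698). The directory lists, field names, file names and all sample events are assumptions for illustration and carry no indicators from the incident.

```python
"""Triage rules for the behaviours described in the mitigations, run over
constructed event records. Added example; paths, field names and events are
illustrative assumptions, not incident data."""
import ntpath

# Directories where a DLL sitting next to its host EXE is expected (assumed list).
TRUSTED_DIRS = (
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
    "c:\\program files",
    "c:\\program files (x86)",
)

# Locations writable without elevation (assumed list); services, tasks and
# drivers launched from here deserve a look.
USER_WRITABLE = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
    "c:\\temp\\",
)


def _norm(path: str) -> str:
    return path.lower().replace("/", "\\")


def _under(prefixes, path: str) -> bool:
    p = _norm(path)
    return any(p.startswith(_norm(x)) for x in prefixes)


def check_sideload(ev):
    """Sysmon EID 7 (ImageLoad): unsigned DLL loaded from the host process's
    own directory, and that directory is outside the trusted install roots."""
    if ev.get("event_id") != 7:
        return None
    image, loaded = _norm(ev["Image"]), _norm(ev["ImageLoaded"])
    if not loaded.endswith(".dll"):
        return None
    same_dir = ntpath.dirname(image) == ntpath.dirname(loaded)
    if same_dir and not _under(TRUSTED_DIRS, loaded) and ev.get("Signed", "false") != "true":
        return f"possible DLL side-load: {image} loaded {loaded}"
    return None


def check_driver_load(ev):
    """Sysmon EID 6 (DriverLoad): unsigned driver, or driver loaded from a
    user-writable path, as a kernel-level EDR tampering candidate."""
    if ev.get("event_id") != 6:
        return None
    path = ev["ImageLoaded"]
    if ev.get("Signed", "false") != "true" or _under(USER_WRITABLE, path):
        return f"suspicious driver load: {path} (Signed={ev.get('Signed')})"
    return None


def check_persistence(ev):
    """System 7045 (service installed) / Security 4698 (scheduled task created)
    whose binary lives in a user-writable directory."""
    if ev.get("event_id") not in (7045, 4698):
        return None
    binary = ev.get("ImagePath") or ev.get("Command", "")
    if _under(USER_WRITABLE, binary):
        kind = "service" if ev["event_id"] == 7045 else "scheduled task"
        return f"{kind} persistence from user-writable path: {binary}"
    return None


RULES = (check_sideload, check_driver_load, check_persistence)


def triage(events):
    """Apply every rule to every event; return the list of alert strings."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed events (hypothetical file names; not from the incident).
SAMPLE_EVENTS = [
    {"event_id": 7, "Image": "C:\\Users\\Public\\Libs\\legit.exe",
     "ImageLoaded": "C:\\Users\\Public\\Libs\\version.dll", "Signed": "false"},
    {"event_id": 7, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"},
    {"event_id": 6, "ImageLoaded": "C:\\ProgramData\\Drivers\\example.sys", "Signed": "false"},
    {"event_id": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Signed": "true"},
    {"event_id": 7045, "ImagePath": "C:\\ProgramData\\Update\\svc.exe"},
    {"event_id": 4698, "Command": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The side-load rule deliberately keys on directory co-location plus a missing signature rather than on DLL names, because the side-loaded DLL is chosen by the attacker to match whatever the host executable imports. Expect to tune TRUSTED_DIRS for software installed outside Program Files.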