Anti-Phishing, DMARC , Cybercrime , Cyberwarfare / Nation-State Attacks

Chinese APT Using Google Drive, Dropbox to Drop Malware

Evolved Mustang Panda Malware Targets Government, Education, Other Sectors Globally
Chinese APT Using Google Drive, Dropbox to Drop Malware

China-based advanced persistent threat actor Mustang Panda has launched a new wave of spear-phishing attacks on global government, educational and scientific sectors.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

Cybersecurity firm Trend Micro observed the group - as Earth Preta, also known as Mustang Panda and Bronze President - using fake Google accounts to distribute malware stored in archive files and distributed through links to Google Drive. The main targets hit so far are organizations in Myanmar, Australia, the Philippines, Japan and Taiwan.

Mustang Panda attacks date back to 2012 and are typically related to cyberespionage, but the group has evolved to focus its spear-phishing attacks on a wider range of organizations. Using new tactics, Earth Preta operators lure users into downloading and triggering bespoke malware such as TONEINS, TONESHELL and PUBLOAD. They also use code obfuscation and custom exception handlers to avoid detection.

PUBLOAD, stager malware that can download the next-stage payload from its command-and-control server, was first discovered by researchers at Cisco Talos in May 2022.

PUBLOAD is capable of creating a directory in the victim's machine where it drops all the malware, including a malicious DLL and a legitimate executable. It then tries to establish persistence.

The latest findings show that the same individuals sending the spear-phishing emails own the Google Drive links.

Analysis of sample decoy documents indicate the attackers conducted research from "prior breaches on the target organizations that allowed for familiarity, as indicated in the abbreviation of names from previously compromised accounts."

Initial Attack Vector

Researchers found that decoy documents used in the campaign are written in Burmese and most of the topics concerned controversial issues between countries, containing words such as "Secret" or "Confidential." Attackers also lure individuals with subject headings pertaining to pornographic materials.

"Once the group has infiltrated a targeted victim's systems, the sensitive documents stolen can be abused as the entry vectors for the next wave of intrusions. This strategy largely broadens the affected scope in the region involved," the researchers say. The group's primary target appears to be countries in the Asia-Pacific region.

"The victimology covers a broad range of organizations and verticals worldwide, with a higher concentration in the Asia-Pacific region. Apart from the government offices with collaborative work in Myanmar, subsequent victims included the education and research industries," they add.

Apart from using Google Drive, threat actors also used Dropbox links or other IP addresses hosting the files. The researchers said the archives collected had legitimate executables, as well as the side-loaded DLL, but the names of the archives and the decoy documents vary in each case.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.