The China-sponsored hacking group, Mustang Panda, has been uncovered by Zscaler ThreatLabz to employ new techniques and tools, including the updated backdoor ToneShell and a novel tool named StarProxy, to evade endpoint detection and response (EDR) systems.
Mustang Panda’s New Techniques
Mustang Panda, known for targeting government and military entities primarily in East Asia, has been found executing attacks from two machines within an organization in Myanmar.
The group’s tools are hosted on a staging server, showcasing their persistent activity in the region.
.png
)
The recent campaign focuses on deploying new variants of the backdoor ToneShell, which now incorporates changes in its command-and-control (C2) communication protocol.
Specifically, ToneShell employs a modified FakeTLS protocol, aiming to mimic the TLS handshake of secure internet traffic, thus blending malicious traffic with legitimate communications to evade detection.
Further examination by ThreatLabz revealed a tool termed StarProxy, which facilitates lateral movement within compromised networks.
This tool uses command-line arguments to specify the IP address and port for communication, leveraging the FakeTLS protocol to encrypt traffic between devices and their C2 servers.
StarProxy bundles with a legitimate and signed binary, IsoBurner.exe, and a malicious DLL, StarBurn.dll, which is invoked upon execution.
It ensures continuous beaconing to receive commands from the C2, encrypting all messages with a custom XOR-based algorithm, which uses hardcoded keys for encryption and decryption.
Key Takeaways
- ToneShell Variants: New iterations of ToneShell feature different methods for generating client identifiers and use rolling XOR keys of varied sizes for network traffic encryption.
- DLL Sideloading: All malicious payloads are packed in RAR archives alongside legitimate, signed binaries, exploiting DLL sideloading for execution.
Mustang Panda’s evolution in tactics, techniques, and procedures (TTPs) demonstrates their adaptability and sophistication in evading security measures like EDR.
This development highlights the need for organizations, particularly in target-rich environments, to enhance their detection capabilities and stay updated with evolving cyber threats.
As Mustang Panda continues to refine its tools and evasion strategies, cybersecurity professionals must remain vigilant and proactive in their defense mechanisms to combat such advanced persistent threats (APTs).
Indicators Of Compromise (IOCs)
Here are the key IOCs associated with Mustang Panda’s recent activities:
| MD5 Hash | Filename | Description |
|---|---|---|
| 233214d22659aa85f32bb705812a0b22 | cf.rar | RAR archive hosted on attacker’s server |
| b695a31ea90e61cc08da1837d836655a | libcef.dll | ToneShell DLL |
| 4fefc66a0f7e1b2ed8affc9c3ba66ec7 | mrender.exe | Legitimate signed binary |
| 91d8b31259d8602539fb6eaa0588d6521bf01299ccd8ed830abfe2ace7aea54d | client.rar | RAR archive hosted on the server |
| c1d24a5cb1d57a91cf4a717425bd0d46b4436d14d7f4744fa8dfbb22609f57a8 | IsoBurner.exe | Legitimate and signed binary |
| 63aa30c452e4dc0aa2324ce891da1acfa90ce85476d2dd7ab85ff448f913af5e | StarBurn.dll | Malicious DLL – StarProxy |
- Network Indicators: URL: 103.13.31[.]75/heugojhgriuhn78867jhkbjkdgfhuie78/jhegiokj7889seghjegh786jkhegfukj/
- C2 Domains: www.dest-working[.]com, www.profile-keybord[.]com
- C2 IP addresses: 43.229.79[.]163, 43.254.132[.]217
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
