2022-11-26



State-funded Chinese hackers launched a spear-phishing campaign, sending bespoke malware stored in Google Drive to international governments, academic institutions and research institutions, according to cybersecurity researchers.

The attacks were observed by researchers between March and October of this year and are attributed to a cyber espionage operation known as Mustang Panda. This threat group is also known by the names Bronze President and TA416.

Analysts at Trend Micro have revealed that the threat operators are primarily targeting organizations based in Australia, Taiwan, Myanmar, Japan, and the Philippines. The attackers used Google accounts to send malicious phishing messages, tricking victims into downloading customized malware from a dedicated Google Drive link.

Malware infection details

In a recent report, Trend Micro's researchers said the hackers used messages with geopolitical themes. Over 80% of the investigated messages targeted legal or government organizations.

To bypass security measures, the embedded links point to Dropbox folders or Google Drive. Both are widely trusted platforms whose links are rarely questioned. The links lead users to download compressed files containing custom malware strains such as ToneShell, PubLoad, and ToneIns.

In its report, Trend Micro explains the infection process of Mustang Panda. It commented:

“Email subject may be empty or have the same name as a malicious archive. I used my email. On the other hand, the actual victim’s address is written in the “CC” header, which can evade security analysis and delay investigations.”

The hackers utilized a variety of malware loading routines, but the infection process commonly involved DLL sideloading, executed after the target launched a specific executable file present within the archive. Meanwhile, a decoy document was displayed to the victim to minimize suspicion.
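The delivery pattern described above (self-addressed mail with the real target only in CC, an empty subject, and a link to a trusted file-sharing host) can be turned into mail-gateway triage heuristics. The following is an added example written for this article, not code from Trend Micro or the report; the sample message, addresses and file id are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample (not from the report): the mail is addressed to the sender's
# own account, the real target sits only in CC, the subject is empty and the body
# carries a Google Drive link. The file id is a placeholder.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: sender@example.invalid
CC: target@ministry.example.invalid
Subject:
Content-Type: text/plain

Please review the documents for the meeting:
https://drive.google.com/file/d/PLACEHOLDER_FILE_ID/view
"""

CLOUD_SHARE_HOSTS = {"drive.google.com", "dropbox.com", "www.dropbox.com"}
URL_RE = re.compile(r"https?://([^/\s]+)")


def _addresses(msg, header):
    """Lower-cased set of mailbox addresses found in all copies of a header."""
    return {addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr}


def triage_message(raw):
    """Return the names of the heuristics that fire for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []
    senders = _addresses(msg, "From")
    to_addrs = _addresses(msg, "To")
    cc_addrs = _addresses(msg, "Cc")
    # Self-addressed mail whose only outside recipients are in CC.
    if to_addrs and to_addrs <= senders and cc_addrs - senders:
        flags.append("self_addressed_recipients_in_cc")
    if not (msg.get("Subject") or "").strip():
        flags.append("empty_subject")
    # Links to trusted file-sharing hosts anywhere in the non-multipart body parts.
    body = "\n".join(str(p.get_payload()) for p in msg.walk() if not p.is_multipart())
    hosts = {m.group(1).lower() for m in URL_RE.finditer(body)}
    if hosts & CLOUD_SHARE_HOSTS:
        flags.append("cloud_share_link")
    return flags
```

None of these flags is conclusive on its own; scoring a message that raises all three is what makes the heuristic useful without blocking ordinary Drive or Dropbox sharing.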

Types of malware employed by attackers

Of the three different custom malware used in the attack (ToneShell, PubLoad, and ToneIns), only PubLoad has been previously documented. A report released by Cisco Talos in May of this year referred to an attack campaign targeting Europe.

PubLoad is designed as a stager that can add registry keys, create scheduled tasks, decrypt shellcode, and establish persistence while handling command-and-control server communication.

According to Trend Micro, recent editions of PubLoad come with much stronger anti-analysis mechanisms. This suggests that Mustang Panda is now actively improving its malicious tools to increase their efficiency.

ToneIns is a dedicated installer for the malware strain ToneShell, a standalone backdoor used in recent threat campaigns. It uses obfuscation to avoid detection while loading ToneShell and, at the same time, establishes persistence on compromised systems.

ToneShell is a backdoor that loads directly into memory. It obfuscates its code flow by implementing a custom exception handler, which also thwarts an analyst’s attempt to use a sandbox, as the backdoor will not run in an environment designed for debugging.

