A China-based advanced persistent threat (APT) known as Mustang Panda has been linked to an ongoing cyberespionage campaign using a previously undocumented variant of the PlugX remote access trojan on infected machines.
Slovak cybersecurity firm ESET dubbed the new version Hodur, owing to its resemblance to another PlugX (aka Korplug) variant called THOR that came to light in July 2021.
“Most victims are located in East and Southeast Asia, but a few are in Europe (Greece, Cyprus, Russia) and Africa (South Africa, South Sudan),” ESET malware researcher Alexandre Cote Cyr said in a report shared with The Hacker News.
“Known victims are research entities, ISPs and European diplomatic missions mainly located in East or Southeast Asia.”
Mustang Panda, also known as TA416, HoneyMyte, RedDelta, or PKPLUG, is a cyber espionage group that’s primarily known for targeting non-governmental organizations with a specific focus on Mongolia.
The latest campaign, which dates back to at least August 2021, makes use of a compromise chain featuring an ever-evolving stack of decoy documents pertaining to the ongoing events in Europe and the war in Ukraine.
“Other phishing lures mention updated COVID-19 travel restrictions, an approved regional aid map for Greece, and a Regulation of the European Parliament and of the Council,” ESET said. “The final lure is available on the European Council website. This shows that the APT group behind this campaign is following current affairs and is able to successfully and swiftly react to them.”
Regardless of the phishing lure employed, the infections culminate in the deployment of the Hodur backdoor on the compromised Windows host.
“The variant used in this campaign bears many similarities to the THOR variant, which is why we have named it Hodur,” ESET explained. “The similarities include the use of the Software\CLASSES\ms-pu registry key, the same format for [command-and-control] servers in the configuration, and use of the Static window class.”
Hodur is able to execute a wide range of commands, which allows the implant to collect extensive system information, read and write arbitrary files, and launch remote cmd.exe sessions.
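The Software\CLASSES\ms-pu registry key quoted above is a host artifact an incident responder can check for directly. The script below is an added hunting check written for this page, not ESET's code or a published detection. The report does not say which hive the key lives in, so the script assumes it may sit under either HKLM or HKCU and dumps whatever values it finds; because the key is shared with the THOR variant, a hit points at a PlugX/Korplug deployment rather than Hodur specifically.

```powershell
# Added example: look for the Software\CLASSES\ms-pu key described in the ESET report.
# Assumption: the hive is not stated, so both the machine and current-user hives are checked.
$paths = @(
    'HKLM:\SOFTWARE\CLASSES\ms-pu',
    'HKCU:\SOFTWARE\CLASSES\ms-pu'
)

foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        Write-Output "[!] Found $p"
        # Dump every value under the key so the analyst can triage what the implant stored there
        $item = Get-Item -LiteralPath $p
        foreach ($name in $item.GetValueNames()) {
            $kind = $item.GetValueKind($name)
            $val  = $item.GetValue($name)
            if ($val -is [byte[]]) {
                # Binary data: report size and a 16-byte hex preview instead of raw bytes
                $preview = ($val | Select-Object -First 16 | ForEach-Object { $_.ToString('x2') }) -join ' '
                Write-Output ("    {0} ({1}): {2} bytes, starts {3}" -f $name, $kind, $val.Length, $preview)
            } else {
                Write-Output ("    {0} ({1}): {2}" -f $name, $kind, $val)
            }
        }
    } else {
        Write-Output "[ ] Not present: $p"
    }
}
```

Run it in an elevated PowerShell session so the HKLM branch is readable; to cover profiles that are not currently loaded, the same check can be repeated against each subkey of HKEY_USERS.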
The findings from ESET line up with public disclosures from Google’s Threat Analysis Group (TAG) and Proofpoint, both of which detailed a Mustang Panda campaign to distribute an updated PlugX variant earlier this month.
“The decoys used in this campaign show once more how quickly Mustang Panda is able to react to world events,” Cote Cyr said. “This group also demonstrates an ability to iteratively improve its tools, including its signature use of trident downloaders to deploy Korplug.”