China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations


Overview


The Anomali Threat Research Team has identified an ongoing campaign which it believes is being conducted by the China-based threat group, Mustang Panda. The team first revealed these findings on Wednesday, October 2, during Anomali Detect 19, the company’s annual user conference, in a session titled: “Mustang Panda Riding Across Country Lines.”


CrowdStrike researchers first published information on Mustang Panda in June 2018, after approximately one year of observing malicious activities that shared unique Tactics, Techniques, and Procedures (TTPs).[1] This campaign dates back to at least November 2018. The research does not indicate with absolute certainty which entities are being targeted or the impact the campaign has had. Based on the lure documents observed by Anomali, we believe that the following may be targeted:


Individuals interested in the United Nations’ Security Council Committee resolutions regarding the Islamic State in Iraq and the Levant (ISIL / Da’esh)
Mongolian-based MIAT Airlines
Non-profit China Center (China-Zentrum e.V.); according to its website, this officially recognized nonprofit organization’s aim is to foster encounters and exchange between cultures and religions in the West and in China
Targeted countries including but not limited to Germany, Mongolia, Myanmar (Burma), Pakistan, Vietnam
The Communist Party of Vietnam (CVP)
The Shan Tai; a group of people living in Southeast Asia, which Minority Rights Group International describes as a “minority” in the region, with members who are primarily Theravada Buddhists

The malicious activity found by Anomali aligns with TTPs, specifically two through six, first identified by CrowdStrike. The observed TTPs consist of the following:


Use of zip file that contains a “.lnk” (Windows Shortcut) file.
Utilization of double extension trick (sample.doc.lnk) to convince users to open the file.
HTA (HTML Application) with VBScript embedded in the “.lnk” file
VBScript drops payl ..
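The first two TTPs above describe a zip archive carrying a Windows shortcut whose name ends in a document extension followed by ".lnk", so that Explorer shows only "sample.doc" when extension hiding is on. The following Python script is an added defensive example and is not code from Anomali or CrowdStrike: it inspects the file listing of a zip archive, flags entries whose names use that double-extension pattern, and confirms they really are Shell Link files by checking the LNK header (HeaderSize 0x4C followed by the Shell Link CLSID from the MS-SHLLINK specification). The archive contents, the list of "document-looking" extensions and the function names are constructed for the example.

```python
import io
import re
import zipfile

# A Windows Shell Link (.lnk) file begins with a 4-byte HeaderSize of 0x4C
# followed by the ShellLink CLSID 00021401-0000-0000-C000-000000000046,
# stored little-endian. Both values come from the MS-SHLLINK specification.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")

# Extensions that make a ".lnk" look like a document when the real
# extension is hidden by Explorer (constructed list for this example).
DOC_EXTENSIONS = ("doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt", "rtf")

DOUBLE_EXT_RE = re.compile(
    r"\.(" + "|".join(DOC_EXTENSIONS) + r")\.lnk$", re.IGNORECASE
)


def is_lnk_header(data: bytes) -> bool:
    """Return True if the bytes start with a genuine Shell Link header."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def scan_zip(zip_bytes: bytes) -> list:
    """Scan an in-memory zip and report every .lnk entry it contains.

    Each finding records whether the name uses the double-extension trick
    and whether the entry really carries a Shell Link header; an entry is
    marked suspicious only when both are true.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.lower().endswith(".lnk"):
                continue
            # Read only the header bytes so large entries are never fully loaded.
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            finding = {
                "name": name,
                "double_extension": bool(DOUBLE_EXT_RE.search(name)),
                "valid_lnk_header": is_lnk_header(head),
            }
            finding["suspicious"] = (
                finding["double_extension"] and finding["valid_lnk_header"]
            )
            findings.append(finding)
    return findings


def suspicious_entries(zip_bytes: bytes) -> list:
    """Names of entries that combine a double extension with a real LNK header."""
    return [f["name"] for f in scan_zip(zip_bytes) if f["suspicious"]]


def build_sample_zip() -> bytes:
    """Constructed sample archive used to exercise the scanner offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed shortcut: a valid header followed by padding, no link target.
        zf.writestr("Quarterly report.doc.lnk", LNK_MAGIC + b"\x00" * 32)
        # A plainly named shortcut should not trigger the double-extension check.
        zf.writestr("readme.lnk", LNK_MAGIC + b"\x00" * 32)
        # Uses the name pattern but is not a Shell Link file at all.
        zf.writestr("notes.txt.lnk", b"not a shortcut")
        zf.writestr("image.png", b"\x89PNG constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in scan_zip(build_sample_zip()):
        print(entry)
    print("suspicious:", suspicious_entries(build_sample_zip()))
```

The header check matters for triage: a name match alone produces noise from ordinary files that happen to carry the pattern, while a name that hides a genuine Shell Link file is the specific lure shape described above. In a mail gateway or sandbox pipeline the same function can be run over every archive attachment before it reaches a user.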
