The China-linked threat actor known as Mustang Panda has been attributed to a cyber attack targeting an unspecified organization in Myanmar with previously unreported tooling, highlighting continued effort by the threat actors to increase the sophistication and effectiveness of their malware.
This includes updated versions of a known backdoor called TONESHELL, as well as a new lateral movement tool dubbed StarProxy, two keyloggers codenamed PAKLOG, CorKLOG, and an Endpoint Detection and Response (EDR) evasion driver referred to as SplatCloak.
“TONESHELL, a backdoor used by Mustang Panda, has been updated with changes to its FakeTLS command-and-control (C2) communication protocol as well as to the methods for creating and storing client identifiers,” Zscaler ThreatLabz researcher Sudeep Singh said in a two-part analysis.
Mustang Panda, also known as BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, and RedDelta, is a China-aligned state-sponsored threat actor active since at least 2012.
Known for its attacks on governments, military entities, minority groups, and non-governmental organizations (NGOs) primarily in countries located in East Asia, and to a lesser extent in Europe, the group has a history of leveraging DLL side-loading techniques to deliver the PlugX malware.
However, since late 2022, campaigns orchestrated by Mustang Panda have begun to frequently deliver a bespoke malware family called TONESHELL, which is designed to download next-stage payloads.
Zscaler said it discovered three new variants of the malware that come with varying levels of sophistication –
Variant 1, which acts as a simple reverse shell
Variant 2, which includes functionality to download DLLs from the C2 and execute them by injecting the DLL into legitimate processes (e.g., svchost.exe)
Variant 3, which includes functionality to download files and create a sub-process to execute commands received from a remote server via a custom TCP-based protocol
A new piece of software associated with Mustang Panda is StarProxy, which is launched via DLL side-loading and is designed to take advantage of FakeTLS protocol to proxy traffic and facilitate attacker communications.
“Once active, StarProxy allows attackers to proxy traffic between infected devices and their C2 servers. StarProxy achieves this by utilizing TCP sockets to communicate with the C2 server via the FakeTLS protocol, encrypting all exchanged data with a custom XOR-based encryption algorithm,” Singh said.
“Additionally, the tool uses command-line arguments to specify the IP address and port for communication, enabling attackers to relay data through compromised machines.”
StarProxy activity
It’s believed that StarProxy is deployed as a post-compromise tool to access internal workstations within a network that are not directly exposed to the internet.
Also identified are two new keyloggers, PAKLOG and CorKLOG, that are used to monitor keystrokes and clipboard data. The primary difference between the two is that the latter stores the captured data in an encrypted file using a 48-character RC4 key and implements persistence mechanisms by creating services or scheduled tasks.
Both the keyloggers lack data exfiltration capabilities of their own, meaning they solely exist to collect the keystroke data and write them to a specific location and that the threat actor uses other methods to transmit the files to their infrastructure.
Capping off the new additions to the Mustang Panda’s malware arsenal is SplatCloak, a Windows kernel driver deployed by SplatDropper that’s equipped to disable EDR-related routines implemented by Windows Defender and Kaspersky, thereby allowing it to fly under the radar.
“Mustang Panda demonstrates a calculated approach to achieving their objectives,” Singh said. “Continuous updates, new tooling, and layered obfuscation prolongs the group’s operational security and improves the efficacy of attacks.”
UNC5221 Drops New Versions of BRICKSTORM Targeting Windows
The disclosure comes as the China-nexus cyber espionage cluster named UNC5221 has been connected to use of a new version of the BRICKSTORM malware in attacks aimed at Windows environments in Europe since at least November 2022, according to Belgian cybersecurity firm NVISO.
BRICKSTORM, first documented last year in connection with the zero-day exploitation of Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) against the MITRE Corporation, is a Golang backdoor deployed on Linux servers running VMware vCenter.
“It supports the ability to set itself up as a web server, perform file system and directory manipulation, perform file operations such as upload/download, run shell commands, and perform SOCKS relaying,” Google Mandiant said in April 2024. “BRICKSTORM communicates over WebSockets to a hard-coded C2.”
The newly identified Windows artifacts, also written in Go, provide attackers with file manager and network tunneling capabilities through a panel, enabling them to browse the file system, create or delete files, and tunnel network connections for lateral movement.
They also resolve C2 servers through DNS-over-HTTPS (DoH), and are engineered to evade network-level defenses like DNS monitoring, TLS inspection, and geo-blocking.
“The Windows samples [..] are not equipped with command execution capabilities,” NVISO said. “Instead, adversaries have been observed using network tunneling capabilities in combination with valid credentials to abuse well-known protocols such as RDP or SMB, thus achieving similar command execution.”
