Mustang Panda leverages Windows shortcut files. Research Saturday


Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

And now a quick word about our sponsor, Juniper Networks. NSS Labs gave Juniper its highest rating of Recommended in its 2019 Data Center Security Gateway test. Get your copy of the NSS Labs report: visit juniper.net/securedc, or connect with Juniper on Twitter or Facebook. That's juniper.net/securedc. And we thank Juniper for making it possible to bring you Research Saturday.

And thanks also to our sponsor Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything, all without the risk of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.

"We found this during our regular data collection."

That's Parthiban. He's a security researcher with Anomali. The research we're discussing today is titled "China-Based APT Mustang Panda Targets Minority Groups, Public, and Private Sector Organizations."

"This particular cluster of Windows shortcut files was peculiar because the Windows shortcut files had HTA files embedded in them, which basically they are using to download another set of malicious files from the Internet, because usually Windows shortcut files are not used for downloading any content from the Internet. So that's how we were able to narrow it down that there is something malicious going on here, and upon closer inspection we were able to confirm that this particular cluster of Windows shortcut files is actually used by the threat group called Mustang Panda."

Can you describe for us what exactly is a Windows shortcut file, and how is it normally used?

"Windows shortcut files are called LNK files, so a regular Windows shortcut file will have the extension .lnk. Windows uses it to open applications by way of the shortcut file. So, for example, a lot of people might come across shortcut files on the Windows desktop; they just use it to call the real application, which is stored in a different location."

I see, so it's a link to an actual file, and like you said, it's kind of put on your desktop as a shortcut to the actual executable.

"Yes."

I see. Before we dig into some of the technical details here, who do you presume that Mustang Panda is targeting?

"Based on our research, we believe Mustang Panda's targets are the Chinese government's neighboring countries, as well as the countries that are involved in the Belt and Road Initiative, so that is Mongolia and multiple Southeast Asian countries like Vietnam and Myanmar. We also found another target country, which is Pakistan, because Pakistan is one of the countries that enrolled in the Belt and Road Initiative."

I see. Any particular groups within those countries that they seem to be targeting?

"So the specific entities that Mustang Panda targets are mostly government entities, as well as non-governmental entities and nonprofit groups. We found out Mustang Panda primarily collects geopolitical intelligence, so they primarily look to collect intelligence from these governments that Mustang Panda targets."

I see. Well, let's dig in and go through some of the lure documents that have been sent out here. Before we get to that, do you think that they're planting these documents via spearphishing, or how do you suppose folks are finding these documents on their computers?

"I don't have a definite answer today, but I can say, like most of these APT groups, we believe Mustang Panda should be using spearphishing emails to reach out to their targets."

Well, let's go through some of these lure documents together. You gathered quite a few of them. The research here has fifteen different documents. Why don't we go through a couple of them together? What were some of the more interesting ones that you found?

"It starts off with a particular sample that targets the Vietnamese Embassy that is in China. So in this case we believe the email has been sent to the victims who work in the Embassy of Vietnam in China. So this particular document talks about two different activities. One is a military drill that is going to happen in the South China Sea, so the government is asking them not to let any civilians or any fishermen go over there, and the other one talks about China's latest icebreaking ship. So it's just a lure document, but in the background, once it has been opened, the payload has been installed in the background, and it's reaching out to the C2 server. So this is one of the samples, and I'll talk about the other sample that talks about the United Nations Security Council. So we believe this is targeting a think tank in Southeast Asia, but we don't have any proof that it is targeting it; it is solely based on the content of the document. So in this case it is very interesting, because this document has been downloaded from the United Nations' website. You can go to the website and download it. The attackers, they are very clear in this case: they attach the real document to the Windows shortcut file, and even the document name shows the real filename downloaded from the UN's website. And in this case, while the victim views the lure document, in the background the payload has been installed and it starts communicating to the C2 server."

So what they're doing here is taking documents that their targets would likely be interested in. They're taking the time to choose documents that they would likely want to read, that would strike their interest, and taking advantage of that, a bit of social engineering there.

"Yes, exactly. So the targets and the lure documents are very related to each other, so it gives the attackers a percentage advantage: the victims will definitely open it, because it is relevant and very timely for the victims."

Now, your research also describes how they've been targeting some police in Pakistan, and they're using the PlugX malware for that?

"Yes. In that case we didn't find the initial infection; we were able to find the PlugX sample based off the IOCs that we found on the previous infections. So in that case, that was targeted against a police department in Sindh province."

Well, let's go through what's going on technically behind the scenes here. While I'm reading this document that they've sent as the decoy, what's going on on my machine? What tools are they using, and how is it communicating with command and control?

"Once the victim opens the Windows shortcut file, a series of activities will happen in the background. So, for example, once the victim opens the Windows shortcut file, there is an embedded HTA script inside the file, and then it opens another VBS file. So the VBScript file performs different activities: it basically opens the document to the victim, as well as, in the background, it executes a PowerShell script that is going to download PlugX or Cobalt Strike, depending on which payload has been adjusted for that particular victim. And then, in the case of Cobalt Strike, it's downloaded to the system and it reaches out to the command and control in the end. For the victim, the lure document will be opened, so none of the malicious activities will be shown to the user."

I mean, no visible dialog boxes or any "click yes or no"?

"Yes. Since the Mustang Panda group is using Windows shortcut files, there's no need to enable or disable macros, which is the most commonly used tactic. So in this case the victim thinks that he or she did just open a legitimate document or a PDF file."

And where is it reaching out to? What have you learned about the C2 servers?

"There is no specific country or region that all the servers are located in, so it's all spread across the globe."

So that's about it. What sort of information does it seem like they're interested in? What are they sending back?

"In this case, the group is specifically interested in collecting intelligence from the neighboring countries, or countries that are involved in the Belt and Road Initiative. So at the time of research, most of the C2 servers are actually down, so we cannot reach out to them, and we were not able to find what exactly it is trying to exfiltrate from the victim, because all the activity that the malicious shortcut files do is install the first-stage payload, and it's going to retrieve the second-level payload from the server. So once the victim receives the second-level payload, it has to perform the next set of activities."

And what are your recommendations in terms of people protecting themselves against this?

"Be very wary about the email that you're opening, because the most common infection vector is the email, so please be wary of what you're opening, and especially email attachments."

So is this the sort of thing that antivirus would catch, or endpoint protection?

"In this case, I would say no, because there is no malicious payload or any other malicious activities embedded here. It's just a plain Windows shortcut file, and all it's going to be having is a URL to just download the second-level payload. In this case, Mustang Panda is also using legitimate cloud services like Google Drive, Dropbox, or other publicly known storage services to retrieve their second-level payload. So the antivirus in this case will not be enough to help."

Our thanks to Parthiban from Anomali for joining us. The research is titled "China-Based APT Mustang Panda Targets Minority Groups, Public, and Private Sector Organizations." We'll have a link in the show notes.

Thanks to Juniper Networks for sponsoring our show. You can learn more at juniper.net/security, or connect with them on Twitter or Facebook. And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.

The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our amazing CyberWire team is Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
