Mustang Panda Targets Asian Government Entities
Category: Threat Actor Activity | Industry: Government | Level: Tactical | Source: LAC
Security researcher Yoshihiro Ishikawa discovered new activity associated with the threat actor Mustang Panda delivering malicious ZIP files containing a new malware loader, Claimloader. The campaign has so far targeted the Philippine government and related entities. However, based on the file name used, "The US-Japan-Philippines Security Triangle: Enhancing Maritime Security, Shared Strategic Outlooks, and Defense Cooperation," this campaign has the potential to be repurposed to target Japan as well. Claimloader initiates DLL sideloading when the contents of the compressed file are executed. The malware is capable of establishing persistence by creating a scheduled task and adding itself to the Run registry key. Claimloader then runs shellcode to communicate with the attacker's command and control (C2) server.
- Malicious File Delivering Malware
Anvilogic Use Cases:
- Compressed File Execution
- Create/Modify Schtasks
- New AutoRun Registry Key
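The three use cases above map directly onto the chain described in the summary: an executable run from an extracted archive, a scheduled task created for persistence, and a Run key written. The script below is an added example (not LAC's or Anvilogic's code) that expresses each use case as a small rule over Sysmon-style process, image-load and registry events, adds a DLL-sideloading heuristic (a DLL loaded from the executable's own non-system directory), and then correlates the hits per host so that one benign scheduled-task creation does not alert on its own. All event fields, paths, file names and timestamps are constructed for the demonstration; the archive-extraction path patterns are an assumption about Windows Explorer and 7-Zip behaviour, not something taken from the page.

```python
"""Detection rules for the Anvilogic use cases listed above, run over
constructed Sysmon-style telemetry. Added example; not LAC's or
Anvilogic's code. Every path, name and timestamp below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (Sysmon-like fields). None are real IoCs.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:00", "host": "ws01", "type": "process_create",
     "image": r"C:\Users\alice\AppData\Local\Temp\Temp1_briefing.zip\viewer.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "viewer.exe"},
    {"ts": "2024-01-10T09:00:01", "host": "ws01", "type": "image_load",
     "image": r"C:\Users\alice\AppData\Local\Temp\Temp1_briefing.zip\viewer.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\Temp1_briefing.zip\helper.dll"},
    {"ts": "2024-01-10T09:00:05", "host": "ws01", "type": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\Temp1_briefing.zip\viewer.exe",
     "cmdline": 'schtasks /create /sc minute /mo 5 /tn "Updater" '
                '/tr "C:\\Users\\alice\\AppData\\Roaming\\viewer.exe"'},
    {"ts": "2024-01-10T09:00:06", "host": "ws01", "type": "registry_set",
     "image": r"C:\Users\alice\AppData\Local\Temp\Temp1_briefing.zip\viewer.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\alice\AppData\Roaming\viewer.exe"},
    # Benign noise on another host: a vendor installer registering a task.
    {"ts": "2024-01-10T10:00:00", "host": "ws02", "type": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": 'schtasks /create /tn "VendorUpdate" /sc daily '
                '/tr "C:\\Program Files\\Vendor\\upd.exe"'},
]

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")
# Assumed extraction locations: Explorer uses %TEMP%\Temp1_<archive>.zip\,
# 7-Zip uses %TEMP%\7z<hex>\. Heuristic, not taken from the page.
ARCHIVE_EXTRACT_RE = re.compile(r"\\(Temp1_[^\\]+\.zip|7z[0-9A-Fa-f]+)\\", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)


def _dir(path):
    return path.rsplit("\\", 1)[0].lower()


def _trusted(path):
    return path.lower().startswith(TRUSTED_DIRS)


def compressed_file_execution(ev):
    # Use case 1: a process started from an archive extraction directory.
    return ev["type"] == "process_create" and bool(ARCHIVE_EXTRACT_RE.search(ev["image"]))


def dll_sideload_heuristic(ev):
    # Extra signal: a DLL loaded from the executable's own directory,
    # and that directory is not a trusted system/program location.
    return (ev["type"] == "image_load" and ev["loaded"].lower().endswith(".dll")
            and _dir(ev["loaded"]) == _dir(ev["image"]) and not _trusted(ev["image"]))


def schtasks_create(ev):
    # Use case 2: schtasks.exe invoked with /create or /change.
    return (ev["type"] == "process_create"
            and ev["image"].lower().endswith("\\schtasks.exe")
            and re.search(r"/(create|change)\b", ev["cmdline"], re.I) is not None)


def new_autorun_key(ev):
    # Use case 3: a value written under a CurrentVersion\Run(Once) key.
    return ev["type"] == "registry_set" and bool(RUN_KEY_RE.search(ev["key"]))


RULES = {
    "Compressed File Execution": compressed_file_execution,
    "DLL Sideloading (heuristic)": dll_sideload_heuristic,
    "Create/Modify Schtasks": schtasks_create,
    "New AutoRun Registry Key": new_autorun_key,
}


def evaluate(events):
    """Return (host, timestamp, rule name) for each event a rule matches."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((ev["host"], datetime.fromisoformat(ev["ts"]), name))
    return hits


def correlate(hits, window=timedelta(minutes=10), min_rules=2):
    """Alert per host when at least min_rules distinct rules fire within
    `window` of each other; a lone schtasks /create stays below threshold."""
    by_host = defaultdict(list)
    for host, ts, name in hits:
        by_host[host].append((ts, name))
    alerts = {}
    for host, entries in by_host.items():
        entries.sort()
        for i, (start, _) in enumerate(entries):
            names = {n for ts, n in entries[i:] if ts - start <= window}
            if len(names) >= min_rules:
                alerts[host] = names
                break
    return alerts


if __name__ == "__main__":
    for host, names in correlate(evaluate(SAMPLE_EVENTS)).items():
        print(f"ALERT {host}: {sorted(names)}")
```

On the constructed input only ws01 alerts, with all four signals; ws02 produces a single Create/Modify Schtasks hit and no alert. In production the individual rules would still be kept as use cases for hunting, while the correlation threshold and window are the knobs that control alert volume.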