Mustang Panda’s New Korplug Variant
Industry: Diplomatic, Internet Service Provider, Research | Level: Tactical | Source: WeLiveSecurity
ESET researchers document a long-running Mustang Panda campaign active since at least August 2021. The China-based group focuses geographically on East and Southeast Asia, Mongolia in particular, and the impacted verticals include diplomatic entities, internet service providers and research organizations. Its phishing lures have referenced COVID-19 travel restrictions, geopolitical matters and the Russia-Ukraine conflict. ESET identified a new Korplug variant in the group's arsenal and notes that the campaign makes "heavy use of control-flow obfuscation and anti-analysis techniques at every stage of the deployment process." After the malicious payloads are downloaded, the malware performs internet connectivity checks, and the Korplug backdoor verifies that it is not being executed by a generic host process such as rundll32, which hinders running the payload directly for analysis. Once installed, the malware establishes persistence through a Run registry key and then contacts its command and control (C2) server for further commands.
- Anvilogic Use Cases:
- Executable File Written to Disk
- New AutoRun Registry Key
- Command and Control Beaconing via WEB
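The three use cases above map onto host and network telemetry: a file-create event for the dropped executable, a registry-set event on a Run key, and a series of outbound connections with a regular cadence. As an added illustration (not Anvilogic's detection content and not code from the ESET report), the Python below runs simplified versions of each over constructed Sysmon-style events. The paths, the registry value name "Updater", the IP addresses and the timing are invented for the example and are not Korplug indicators.

```python
"""Toy detections for the three use cases, run over constructed Sysmon-style
events. Added example; not Anvilogic or ESET code, and no real indicators."""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed events (not real telemetry). Format: "<epoch> <EventID> key=value ..."
# Sysmon IDs: 11 = file create, 13 = registry value set, 3 = network connection.
SAMPLE_EVENTS = r"""
1000 11 Image=C:\Users\alice\AppData\Local\Temp\dropper.exe TargetFilename=C:\Users\alice\AppData\Local\Temp\svc_loader.exe
1001 13 Image=C:\Users\alice\AppData\Local\Temp\svc_loader.exe TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater Details=C:\Users\alice\AppData\Local\Temp\svc_loader.exe
1002 11 Image=C:\Windows\System32\svchost.exe TargetFilename=C:\Users\alice\Documents\notes.txt
1005 3 Image=C:\Users\alice\AppData\Local\Temp\svc_loader.exe DestinationIp=203.0.113.10 DestinationPort=443
1010 3 Image=C:\Program Files\Browser\browser.exe DestinationIp=198.51.100.7 DestinationPort=443
1013 3 Image=C:\Program Files\Browser\browser.exe DestinationIp=198.51.100.7 DestinationPort=443
1065 3 Image=C:\Users\alice\AppData\Local\Temp\svc_loader.exe DestinationIp=203.0.113.10 DestinationPort=443
1090 3 Image=C:\Program Files\Browser\browser.exe DestinationIp=198.51.100.7 DestinationPort=443
1124 3 Image=C:\Users\alice\AppData\Local\Temp\svc_loader.exe DestinationIp=203.0.113.10 DestinationPort=443
1186 3 Image=C:\Users\alice\AppData\Local\Temp\svc_loader.exe DestinationIp=203.0.113.10 DestinationPort=443
1245 3 Image=C:\Users\alice\AppData\Local\Temp\svc_loader.exe DestinationIp=203.0.113.10 DestinationPort=443
1400 3 Image=C:\Program Files\Browser\browser.exe DestinationIp=198.51.100.7 DestinationPort=443
1402 3 Image=C:\Program Files\Browser\browser.exe DestinationIp=198.51.100.7 DestinationPort=443
"""

# key=value pairs whose values may contain spaces (e.g. "Program Files");
# a value ends where the next " key=" begins or at end of line.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
# Executable dropped into a user-writable profile directory.
USER_WRITABLE_RE = re.compile(r"^C:\\Users\\[^\\]+\\(AppData|Downloads|Documents|Desktop)\\", re.I)
EXE_EXT_RE = re.compile(r"\.(exe|dll|scr)$", re.I)
# Run / RunOnce autostart keys under any hive prefix.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)


def parse_event(line):
    ts, event_id, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = int(ts)
    fields["event_id"] = int(event_id)
    return fields


def detect_exe_written(events):
    """Use case 1: executable file written to a user-writable location."""
    return [e["TargetFilename"] for e in events
            if e["event_id"] == 11
            and USER_WRITABLE_RE.search(e.get("TargetFilename", ""))
            and EXE_EXT_RE.search(e["TargetFilename"])]


def detect_autorun(events):
    """Use case 2: new value set under a Run/RunOnce key; returns (key, command)."""
    return [(e["TargetObject"], e.get("Details", "")) for e in events
            if e["event_id"] == 13 and RUN_KEY_RE.search(e.get("TargetObject", ""))]


def detect_beaconing(events, min_connections=4, max_cv=0.2):
    """Use case 3: periodic outbound connections from one image to one destination.
    Coefficient of variation (stdev / mean of the gaps between connections) near
    zero means a metronomic beacon. Real implants add sleep jitter, so max_cv is
    the tuning knob; raise it to trade false positives for coverage."""
    by_dest = defaultdict(list)
    for e in events:
        if e["event_id"] == 3:
            by_dest[(e["Image"], e["DestinationIp"], e["DestinationPort"])].append(e["ts"])
    hits = []
    for (image, ip, port), stamps in by_dest.items():
        stamps.sort()
        if len(stamps) < min_connections:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits.append((image, ip, port, round(avg), round(cv, 3)))
    return hits


def run_detections(text):
    events = [parse_event(l) for l in text.strip().splitlines()]
    return {
        "exe_written": detect_exe_written(events),
        "autorun": detect_autorun(events),
        "beaconing": detect_beaconing(events),
    }


if __name__ == "__main__":
    for name, alerts in run_detections(SAMPLE_EVENTS).items():
        print(name, alerts)
```

On the constructed data, the browser's irregular connections (gaps of 3, 77, 310 and 2 seconds) are not flagged, while the dropped loader's near-constant 60-second cadence is. In production each of these would be a query against the EDR or proxy data store rather than an in-memory pass, and the Run-key rule should be joined against the file-write rule so a single dropped binary that registers itself for autostart and then beacons lights up as one correlated incident.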