Under investigation: During a recent threat hunt for DLL sideloading abuse leveraging vmnat.exe, Sophos X-Ops uncovered a likely nation-state campaign targeting an organization in Southeast Asia. The activity aligns closely with techniques previously attributed to the Mustang Panda threat group, and we unraveled a complex and sustained intrusion. 1/7

#threatintel #Sophosxops

The threat actor began by deploying #PlugX (mscorsvc.dll) by using native #WMIC to multiple systems, including a #hypervisor. 2/7

https://news.sophos.com/en-us/tag/plugx/

PlugX – Sophos News

After some time, they followed with discovery using the multipurpose tool #Ursu (chrome.log) and then attempted to move laterally using the popular #Impacket and #smbexec tools, but were blocked, which forced them to pivot to #RDP with valid accounts. 3/7

https://www.virustotal.com/gui/file/91f40e8659da3dbbb22497b317aa37f26403be86662e359ecddcb4a0c72e154c

They took advantage of two uncommon #LOLbins, #INSTSRV.exe and #SRVANY.exe for both proxy execution and privilege escalation. Additionally, the attacker later bypassed Windows #UAC using “c:\users\public\melt_64.exe” for DLL #sideloading, a technique documented by Avast. 4/7

https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/

Hitching a ride with Mustang Panda - Avast Threat Labs


To maintain access, they installed a previously unknown version of the #PhantomNet backdoor that connected to associate[.]freeonlinelearningtech[.]com, similar to the sample flagged in a recent Twitter post by #Group-IB. Notably, the attacker hid their C2 #persistence in plain sight, using scheduled tasks to execute “text files,” which were in fact #DLLs. 5/7

https://twitter.com/GroupIB_TI/status/1666103950896947201

Group-IB Threat Intelligence on Twitter

“Susp #APT #TA428 activity. Our team has discovered a #PhantomNet (#SManager), which was uploaded to VT from Singapore: https://t.co/AcPBRHxoA5 C2: associate[.]feedfoodconcerning[.]info:443 associate[.]freeonlinelearningtech[.]com:443 associate[.]freeonlinelearningtech[.]com:8443”

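One way to hunt for the persistence trick described above (a scheduled task executing a “text file” that is really a DLL), as an added example that is not Sophos tooling and not from the thread. It assumes tasks are exported as Task Scheduler XML (as `schtasks /query /xml` produces) and that the task hands the disguised DLL to a standard loader such as rundll32.exe or regsvr32.exe; the thread does not name the loader, so that part is an assumption. The sample task and the fake “notes.txt” are constructed inline.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path, PureWindowsPath

# Task Scheduler XML namespace (what `schtasks /query /xml` exports).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumption: the task hands the disguised DLL to a standard DLL loader.
LOADERS = {"rundll32.exe", "regsvr32.exe"}
DOC_EXT = {".txt", ".log", ".dat", ".tmp"}
TOKEN_RE = re.compile(r'"([^"]+)"|([^\s,]+)')   # quoted path or bare token

def is_pe(path: str) -> bool:
    """True if the file begins with the DOS 'MZ' magic, whatever its extension."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False

def suspicious_actions(task_xml: str, is_pe=is_pe):
    """Return (loader, path) pairs for <Exec> actions where a DLL loader is given
    a document-looking path whose on-disk content is really a PE image."""
    root = ET.fromstring(task_xml)
    hits = []
    for exe in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", "", NS).strip().strip('"')
        if PureWindowsPath(cmd).name.lower() not in LOADERS:
            continue
        for quoted, bare in TOKEN_RE.findall(exe.findtext("t:Arguments", "", NS)):
            tok = quoted or bare
            if PureWindowsPath(tok).suffix.lower() in DOC_EXT and is_pe(tok):
                hits.append((cmd, tok))
    return hits

def demo():
    """Constructed sample: a 'notes.txt' that is really a PE stub, loaded by a task."""
    with tempfile.TemporaryDirectory() as d:
        fake = Path(d) / "notes.txt"
        fake.write_bytes(b"MZ\x90\x00" + b"\x00" * 60)  # DOS header magic only
        task = f"""<Task version="1.2" xmlns="{NS['t']}">
  <Actions><Exec>
    <Command>C:\\Windows\\System32\\rundll32.exe</Command>
    <Arguments>"{fake}",Start</Arguments>
  </Exec></Actions></Task>"""
        benign = task.replace("rundll32.exe", "notepad.exe")  # an editor, not a loader
        return suspicious_actions(task), suspicious_actions(benign)

if __name__ == "__main__":
    print(demo())
```

Extension-versus-magic mismatches are cheap to check at scale, so the same `is_pe` test is worth running over every path referenced from task actions, service ImagePaths and Run keys, not only those ending in `.txt`.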

Things get interesting when it comes to #exfiltration, as the attacker used a tool that is customized and not widely available.

#Nupakage, as reported by Trend Micro, requires a passcode to execute, supports file chunking and collecting files within a specific date range, and is associated with Mustang Panda (aka Earth Preta, as Trend refers to them). 6/7

https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html

Earth Preta Updated Stealthy Strategies

This is just an early preview of an interesting case. We are looking forward to sharing more, including detailed attack flow information, with the community in the coming weeks. 7/end