Mustang Panda Malware

What Is Mustang Panda Malware?

Mustang Panda (AKA Bronze President, HoneyMyte, RedDelta, Red Lich, Earth Preta, PKPLUG, and TA416) is attributed to China-based threat actors. Mustang Panda cyberattacks have targeted foreign governments, NGOs, and other organizations considered enemies of the Chinese communist regime. Attacks have focused on Taiwan, Hong Kong, Myanmar, Mongolia, Vietnam, the Catholic Vatican, and China-based religious minority groups. Mustang Panda was first observed by threat researchers in 2017 but has been active since 2012. 

Mustang Panda uses well-crafted spear-phishing campaigns, written in the targets' native languages, that impersonate government service organizations and exploit current international events such as COVID-19 and the Russia-Ukraine conflict to coerce the victim into interacting with the lure.

Mustang Panda uses a limited set of distinct TTPs in its attack campaigns, primarily customized versions of the PlugX (AKA Korplug) malware strain. Mustang Panda attacks typically start with a malicious portable executable (.exe) payload delivered via a spear-phishing email, but payloads have also been delivered via Microsoft shortcut (.LNK) files containing an embedded HTA (HTML application) and a VBScript or PowerShell script. If delivered as an .exe, the malicious payload is typically disguised with a custom icon designed to look like that of a Microsoft Office document and a double extension such as ".doc.exe" to trick victims into believing it is an ordinary Office document. When the victim executes it, a real Office document is opened as a decoy while the first-stage payload deploys in the background.

The executable contains multiple packed components, including a legitimate signed binary such as the Microsoft Suite Integration Toolkit, an Adobe application, or another legitimate executable with a known DLL side-loading vulnerability. Using a legitimate signed binary allows the payload to evade less sophisticated security products, while using software with a known DLL hijacking vulnerability allows the malicious code to run in the context of the legitimate, signed application. This technique typically side-loads a custom variant of the PlugX malware payload.

The PlugX malware then downloads a second-stage command and control (C2) application, such as the Poison Ivy remote administration tool or Cobalt Strike Beacon, to establish a connection with a Mustang Panda-controlled server. Mustang Panda commonly uses simple XOR encryption with the key "123456789" to encrypt its C2 communication in transit.

Mustang Panda's malware tool of choice, PlugX, uses HTTP POST requests for communication; these usually carry a signature "x-content" or "jsp-si" header with the value "61456", a clear indicator of a PlugX HTTP POST connection. Network traffic analysis may also identify XOR-encrypted communication using the key "123456789". The group behind Mustang Panda also uses spoofed domains such as microsaft dot com in the malicious links to its trojanized files, a tactic not unique to Mustang Panda.
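The two network indicators above (the signature header with value 61456, and C2 traffic XOR-encrypted with the static key "123456789") can be turned into a simple detection check. The following is an added example written for this page, not BlackBerry's or the malware's code. It assumes the key is applied as a repeating-key XOR, uses a printable-text heuristic with thresholds chosen for this example, and runs over constructed sample requests rather than captured traffic.

```python
from __future__ import annotations

from itertools import cycle

# Indicators taken from the write-up above.
XOR_KEY = b"123456789"                  # static XOR key used on C2 traffic
SIG_HEADERS = ("x-content", "jsp-si")   # header names seen on PlugX POSTs
SIG_VALUE = "61456"                     # value that marks the PlugX POST


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR (assumption: the key is applied cyclically).
    XOR is its own inverse, so this both decodes and re-encodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def parse_http_request(raw: bytes) -> tuple[str, dict[str, str], bytes]:
    """Split a raw request into (request line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII (tab/CR/LF count as printable)."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def plugx_indicators(raw: bytes) -> dict:
    """Score one HTTP request against the two PlugX network indicators."""
    request_line, headers, body = parse_http_request(raw)
    is_post = request_line.upper().startswith("POST ")

    # Indicator 1: signature header carrying the value 61456.
    sig_header = any(headers.get(h) == SIG_VALUE for h in SIG_HEADERS)

    # Indicator 2: a body that only becomes clean text after XOR with the
    # static key. The length and ratio thresholds are assumptions for this example.
    decoded = xor_with_key(body)
    raw_ratio, dec_ratio = printable_ratio(body), printable_ratio(decoded)
    xor_hit = len(body) >= 16 and dec_ratio >= 0.95 and dec_ratio > raw_ratio

    return {
        "post": is_post,
        "signature_header": sig_header,
        "static_key_xor": xor_hit,
        "decoded_body": decoded if xor_hit else b"",
        "suspicious": is_post and (sig_header or xor_hit),
    }


# Constructed sample traffic (not captured data). The beacon body is plain
# text XOR-ed with the static key, the way the write-up describes.
BEACON_PLAINTEXT = b"host=WKSTN-01;user=alice;os=Windows 10"
SAMPLE_REQUESTS = {
    "benign_api_call": (
        b"POST /api/v1/events HTTP/1.1\r\nHost: intranet.example\r\n"
        b"Content-Type: application/json\r\n\r\n"
        b'{"event":"login","user":"alice"}'
    ),
    "plugx_beacon": (
        b"POST /update HTTP/1.1\r\nHost: 203.0.113.10\r\n"
        b"x-content: 61456\r\nContent-Type: application/octet-stream\r\n\r\n"
        + xor_with_key(BEACON_PLAINTEXT)
    ),
    "plugx_header_only": (
        b"POST /check HTTP/1.1\r\nHost: 203.0.113.10\r\njsp-si: 61456\r\n\r\n"
    ),
}


def scan(requests: dict[str, bytes] = SAMPLE_REQUESTS) -> list[str]:
    """Names of the requests that trip either indicator."""
    return [name for name, raw in requests.items()
            if plugx_indicators(raw)["suspicious"]]


if __name__ == "__main__":
    for name, raw in SAMPLE_REQUESTS.items():
        print(name, plugx_indicators(raw))
    print("flagged:", scan())
```

The header match is the high-confidence signal; the XOR heuristic is a second, weaker one that only fires when the static key turns an otherwise non-textual body into clean text, which is why an ordinary JSON POST (already fully printable) is not flagged. In practice the same two checks map directly onto an IDS content rule for the header and a decoder step for the body.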

How to Prevent a Mustang Panda Attack

Mustang Panda tends to prey on targets with unsophisticated cybersecurity defenses. Mustang Panda employs techniques, such as XOR-encrypting C2 communication with a static key, that advanced cybersecurity solutions can easily detect. Nonetheless, it is essential to implement measures that can prevent a Mustang Panda attack, such as:

  • Consider user awareness training to educate personnel about phishing techniques and develop standard operating procedures (SOP) for handling suspicious emails and documents
  • Maintain up-to-date antivirus signatures and engines on all security products
  • Use a content proxy to monitor internet usage and restrict user access to suspicious or risky sites

Blackberry® Cylance®, which offers a predictive advantage over zero-day threats, is effective against malware like Mustang Panda. Blackberry Cylance trains artificial intelligence (AI) agents for threat detection using millions of both safe and unsafe files.

Blackberry Cylance prevents malware variants from executing based on the detection of several malicious file attributes, not a specific file signature. This approach allows our customers to implement a prevention-first security posture effective against unknown, emerging, and polymorphic threats as well as traditional threats.