Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023
Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023
Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Platform
Managed Security Services
Managed Penetration Testing
Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Resources
September 22, 2023
Severity High Analysis Summary Ducktail Malware is a malicious program designed by hackers to infiltrate computers and networks globally. Ducktail malware is typically delivered through a […]September 22, 2023
Severity Medium Analysis Summary First discovered in 2016, Revenge RAT is a remote access trojan (RAT) designed to give an attacker complete control over an infected […]September 22, 2023
Severity High Analysis Summary The Konni APT (Advanced Persistent Threat) group is a cyber espionage group that has been active since at least 2014. It is […]Threat Insights
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Connect with Us
Rewterz Threat Advisory – Multiple IBM Cognos Analytics Vulnerabilities
August 4, 2023
Rewterz Threat Advisory – ICS: Multiple Mitsubishi Electric Products Vulnerabilities
August 4, 2023
Severity
High
Analysis Summary
MustangPanda, aka Bronze President and TA416, has been active since at least 2012. This threat actor targeted government agencies, think tanks, NGOs, and even Vatican-affiliated religious institutions in the United States and Europe. Asian countries, such as Taiwan, Hong Kong, Mongolia, Tibet, and Myanmar, were the main focus of the past campaigns. The group is notorious for creating phishing lures based on current events that might interest its target, for example, Covid-19 pandemic, political subjects, and most trending issues like Russian-Ukrainian cyber warfare.
The Trojan application PlugX has been the most popular malicious implant utilized by Mustang Panda and is still the preferred spying weapon for the group. The recent Mustang Panda activity involves the use of DLL side-loading to deliver PlugX. The initial infection vector is an executable downloaded from a remote URL. The executable is responsible for installing the malware by dropping the required files (a DLL loader, a legitimate binary, and the PlugX payload) onto the system. The legitimate binary is the Adobe CEF Helper and is vulnerable to DLL side-loading. When the installer runs the legitimate binary, the dropped DLL is loaded. This DLL is the loader for the final payload. First, it reads a hardcoded .dat file that contains the XOR key for decrypting the final payload, then it performs the decryption and loads the malware into memory. Once running in memory, the PlugX payload is able to decrypt its configuration data, which includes its installation location, the XOR key for C2 communication, and any C2 addresses and ports.
This APT group has been active for many years and is known to use a variety of tactics and techniques to compromise target systems, including spear-phishing campaigns, custom malware, and exploiting vulnerabilities in popular software. MustangPanda is considered to be one of the more sophisticated APT groups, and it is known for its ability to maintain a persistent presence within target networks and exfiltrate large amounts of sensitive data without being detected.
Impact
- Information Theft
- Exposure To Sensitive Data
Indicators of Compromise
MD5
- 702713b321bbc60c835d29040f8f0844
- 6f29f08a5336277f67e773851ec2a361
- 999a2ca96b0498926e678a68c5bbb34c
- 6741bf0c527f55a80ba89283f113f293
SHA-256
- 8b2a2465ddba58008b5a5e12ed81f30c390344b81be10b23c19cd92f6d1a6b5c
- 940f885a5be451f4751f60c8f9a172a5751504c1fee0097414e89bc281fc5722
- eef7df669ea8e23539b0f8f9a3d541bbfaa4b95d6d8b6bdb60e62fe08ebb992d
- eb176117650d6a2d38ff435238c5e2a6d0f0bb2a9e24efed438a33d8a2e7a1ea
SHA-1
- 67dcb0c503923b057e571a75f1ff8f0cb231bb2b
- a1b6bd9037eb6c2d08a70fcac4936f058645dd2f
- 7e58c568e599172ba66d1fb218aae6d518384363
- a97ad4fb04fc76547a993165138102fbed8d6058
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets