Since 2019 the Chinese hacker group Mustang Panda has targeted government and public organizations in Asia and Europe. The group runs long-term cyber-espionage campaigns aligned with the strategic interests of the Chinese government.
Until November 2022 the group used malicious archive files in its attacks, but it has now switched to a different method. According to a report by EclecticIQ, Mustang Panda currently relies on optical disc images (.iso) that contain malicious shortcut files (.lnk). The shortcuts are disguised as Microsoft Word documents, so at a quick glance a victim will not necessarily realize that anything is wrong.
Malicious shortcut file loading the PlugX payload
Social engineering plays its part too. The file distributed by Mustang Panda is named “A letter to the European Commission on Rimming Russian Oil Prices”, and the shortcut's launch parameters contain the command: C:\Windows\System32\cmd.exe /Q /C "System Volume Information\Test2022.UCP". The /Q switch turns off command echo and /C runs the string that follows and then exits; the target path is relative to the mounted ISO and points into a folder named after the hidden Windows directory “System Volume Information”, so the file does not stand out when the disc image is browsed.
In this command “Test2022.UCP” is a renamed copy of a legitimate program originally called “LMIGuardianSvc.exe”, a component of LogMeIn Hamachi, a product for creating virtual private networks between computers. The attackers use this executable for DLL sideloading: when it starts, it loads an attacker-supplied “LMIGuardianDll.dll” from the same directory, which is the PlugX loader. The loader then decrypts the encrypted malicious payload from “LMIGuardianDat.dat”.
Unpacking process of the PlugX malware
Once PlugX has been executed successfully, it connects to a remote C2 server, which is used to send commands to the compromised systems and to receive data exfiltrated from the target network. In this way the attackers can remotely run arbitrary commands on the infected system.
The overall attack chain is therefore as follows:
Scheme of the delivery and activation of the malware on the victim's computer
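As an added illustration (not part of the original article or of the EclecticIQ report), the following Python script shows what the stages of this chain look like in Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) telemetry, and how a detection could flag each of them. The events are constructed sample data modelled on the file names quoted above, not real telemetry; the field names follow Sysmon's, “D:” is assumed to be the drive letter Windows gave the mounted ISO, and the benign LogMeIn install path is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style events (hypothetical sample data shaped after the
# file names quoted in the article; not real telemetry). Event ID 1 is process
# creation, Event ID 7 is image (DLL) load. "D:" is assumed to be the letter
# Windows gave the mounted ISO; the Hamachi install path is assumed too.
EVENTS = [
    {   # the .lnk is double-clicked: explorer.exe spawns cmd.exe
        "EventId": 1,
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'C:\Windows\System32\cmd.exe /Q /C "System Volume Information\Test2022.UCP"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # cmd.exe runs the renamed LogMeIn binary from the ISO
        "EventId": 1,
        "Image": r"D:\System Volume Information\Test2022.UCP",
        "CommandLine": r'"System Volume Information\Test2022.UCP"',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "LMIGuardianSvc.exe",   # Sysmon reads this from the PE version info
    },
    {   # the renamed binary sideloads the attacker's DLL
        "EventId": 7,
        "Image": r"D:\System Volume Information\Test2022.UCP",
        "ImageLoaded": r"D:\System Volume Information\LMIGuardianDll.dll",
        "Signed": "false",
    },
    {   # benign: the real Hamachi service starting from its install directory
        "EventId": 1,
        "Image": r"C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe",
        "CommandLine": r'"C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe"',
        "ParentImage": r"C:\Windows\System32\services.exe",
        "OriginalFileName": "LMIGuardianSvc.exe",
    },
    {   # benign: the real service loading its own signed DLL
        "EventId": 7,
        "Image": r"C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianSvc.exe",
        "ImageLoaded": r"C:\Program Files (x86)\LogMeIn Hamachi\LMIGuardianDll.dll",
        "Signed": "true",
    },
    {   # benign: a user running an internal cmd command from a shortcut
        "EventId": 1,
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# Extensions that are ordinarily handed to cmd.exe /C to run something;
# anything else (Test2022.UCP is a renamed .exe) deserves a look. Tune per site.
RUNNABLE_EXT = {".exe", ".com", ".bat", ".cmd", ".vbs", ".js", ".msi"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
CMD_TARGET_RE = re.compile(r'/[ck]\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def cmd_target(command_line):
    """Return the first token after cmd.exe's /C or /K switch, without quotes."""
    m = CMD_TARGET_RE.search(command_line)
    return (m.group(1) or m.group(2)) if m else None


def in_trusted_dir(path):
    return str(path).lower().startswith(TRUSTED_DIRS)


def check_process_create(ev):
    hits = []
    image = PureWindowsPath(ev["Image"])
    parent = PureWindowsPath(ev.get("ParentImage", ""))
    # Signal 1: a shortcut double-clicked in Explorer spawns cmd.exe, which runs
    # something that is not an ordinary executable, or that lives in a folder
    # named after the hidden "System Volume Information" directory.
    if image.name.lower() == "cmd.exe" and parent.name.lower() == "explorer.exe":
        target = cmd_target(ev.get("CommandLine", ""))
        if target:
            tp = PureWindowsPath(target)
            # extensionless tokens such as "dir" are internal commands, not files
            if tp.suffix and tp.suffix.lower() not in RUNNABLE_EXT:
                hits.append(f"cmd.exe from shortcut runs non-executable extension: {target}")
            if "system volume information" in target.lower():
                hits.append(f"target hidden under 'System Volume Information': {target}")
    # Signal 2: the on-disk name disagrees with the version-info name, i.e. a
    # renamed legitimate binary (Test2022.UCP is really LMIGuardianSvc.exe).
    original = ev.get("OriginalFileName")
    if original and PureWindowsPath(original).stem.lower() != image.stem.lower():
        hits.append(f"renamed binary: {image.name} has OriginalFileName {original}")
    return hits


def check_image_load(ev):
    hits = []
    proc = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    # Signal 3: a process outside the trusted install locations loads an
    # unsigned DLL from its own directory, the classic sideloading footprint.
    same_dir = str(proc.parent).lower() == str(dll.parent).lower()
    if same_dir and not in_trusted_dir(dll) and ev.get("Signed", "false").lower() != "true":
        hits.append(f"possible DLL sideload: {proc.name} loaded unsigned {dll.name} from {dll.parent}")
    return hits


def scan(events):
    """Run all three checks over a list of events and return the findings."""
    findings = []
    for ev in events:
        if ev["EventId"] == 1:
            findings.extend(check_process_create(ev))
        elif ev["EventId"] == 7:
            findings.extend(check_image_load(ev))
    return findings


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print("ALERT:", finding)
```

On the constructed events the three malicious records produce four alerts and the three benign ones produce none. The three signals are deliberately independent of the specific file names: a renamed binary is caught by the OriginalFileName mismatch whatever it is called, and a sideload is caught by the unsigned same-directory load whatever the DLL is named, so the logic survives the group changing its lure and file names.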
EclecticIQ analysts believe that the target of this lure document was a European organization. Mustang Panda has previously attacked European organizations in much the same way, and the group remains an active threat across Europe and Asia. EclecticIQ expects Mustang Panda to further increase its activity and to keep using similar attack methods in response to geopolitical events around the world.