China-linked hackers target Myanmar’s top ministries with backdoor blitz

China-Linked Hackers

The China-based threat actor known as Mustang Panda It is believed to have targeted Myanmar’s Ministry of Defense and Foreign Affairs as part of dual campaigns designed to deploy backdoors and remote access Trojans.

The findings come from CSIRT-CTI, which states that the activities took place in November 2023 and January 2024 after artifacts associated with the attacks were uploaded to the VirusTotal platform.

“The most prominent of these TTPs involves the use of legitimate software, including a binary developed by engineering firm Bernecker & Rainer (B&R) and part of the Windows 10 Upgrade Assistant to sideload malicious dynamic-link libraries (DLLs),” CSIRT-CTI said.

Mustang Panda, in business since at least 2012, is also recognized by the cybersecurity community under the names BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, Red Lich, Stately Taurus and TEMP.Hex.

In recent months, the adversary has been blamed for attacks targeting an unnamed Southeast Asian government and the Philippines to create backdoors that could collect sensitive information.

The November 2023 infection sequence begins with a phishing email containing a booby-trapped ZIP archive attachment containing a legitimate executable (“NDSC.exe 3rd meeting analysis”) originally signed by B&R Industrial Automation GmbH and a DLL file (“BrMod104 .dll”).

The attack takes advantage of the fact that the binary is prone to DLL query hijacking side-load the rogue DLL and then establish persistence and contact with a command-and-control (C2) server and retrieve a known backdoor called PUBLOAD, which in turn acts as a custom loader to drop the PlugX implant.

China-linked hackers

‘The threat actors are trying to conceal the threat [C2] traffic while Microsoft updates the traffic by adding the headers ‘Host:’ and ‘User-Agent: Windows-Update-Agent’,” CSIRT-CTI noted, mirroring a May campaign 2023 revealed by Lab52.

On the other hand, the second campaign spotted earlier this month uses an optical disc image (“ASEAN Notes.iso”) with LNK shortcuts to trigger a multi-phase process that uses another custom loader called TONESHELL , to probably deploy PlugX from a now-inaccessible C2 server.

It is worth noting that a similar attack chain was previously attributed to Mustang Panda unearthed by EclecticIQ in February 2023 in burglaries targeting governments and public sector organizations in Asia and Europe.

“According to the rebel attacks in northern Myanmar [in October 2023]China has expressed concerns about its impact on trade routes and security around the Myanmar-China border,” CSIRT-CTI said.

“Stately Taurus operations are known to align with the Chinese government’s geopolitical interests, including multiple cyber espionage operations against Myanmar in the past.”

#Chinalinked #hackers #target #Myanmars #top #ministries #backdoor #blitz

Notify of
Inline Feedbacks
View all comments
Previous Post
Critical Vulnerability in iOS, iPadOS, and macOS

CISA warns against active exploitation of critical flaws in Apple iOS and macOS

Next Post

URGENT: Upgrade GitLab – Critical error creating workspace allows file overwriting

Related Posts