Amid Military Buildup, China Deploys Mustang Panda in the Philippines

Share This Post

During a dramatic military buildup in the South China Sea this summer, a Chinese state-linked advanced persistent threat (APT) managed to compromise an entity within the Philippine government using a remarkably simple sideloading technique.

The culprit, Mustang Panda — known variously as Bronze President, Camaro Dragon, Earth Preta, Luminous Moth, Red Delta, and tracked by Palo Alto Networks’ Unit 42 as Stately Taurus — has spied on high-profile government and government-adjacent organizations over the Web since at least 2012.

In one recent case, outlined by Unit 42 on Nov. 17, the group carried out three similar campaigns against South Pacific organizations, including one which led to successful five-day compromise of the Philippine government organization.

Mustang Panda’s Simple TTPs

Beginning in early August, when the Chinese coast guard blocked and fired water cannons at Philippine supply ships, the two South Pacific nations engaged in a months-long, increasingly serious melodrama of the kind often seen in the South China Sea.

During the military tête-à-tête, it seems, China’s hackers were simultaneously attacking Philippine organizations in cyberspace.

During the first half of the month, China’s Mustang Panda conducted three attacks in the South Pacific which, aside from a few minor differences, followed largely the same playbook.

Each began with a ZIP file, typically hosted on Google Drive. The malware package would be given a legitimate sounding name like “NUG’s Foreign Policy” Once extracted, it would reveal just one EXE file with a similarly legitimate sounding name like “Labour Statement.exe.”

The file would be no more than a renamed copy of Solid PDF Creator, a legitimate application for converting documents to PDFs. The trick was that launching the app would sideload a second file — a dynamic link library (DLL), hidden inside of the original ZIP. The DLL would provide the attackers a point to which they could establish command-and-control (C2).

Dealing With Mustang Panda

Throughout the month of August, Mustang Panda conducted its espionage from one of its known IP addresses based in Malaysia. It thinly attempted to mask its malicious traffic by mimicking a Microsoft domain, “[.]com.”

Unit 42 researchers discovered multiple such malicious communications between the IP address in question and the Philippine government entity, between the period of Aug. 10-15. The exact data that might have been transferred in that period, or in any related August attack, remains unknown.

Unit 42 analysts recommend that organizations deploy machine learning-enabled firewalls, XDR, and threat intelligence solutions since, they wrote in their blog, “Stately Taurus continues to demonstrate its ability to conduct persistent cyberespionage operations as one of the most active Chinese APTs.”

This post was originally published on this site

More Articles


Navigating SEC Regulations In Cybersecurity And Incident Response

Free video resource for cybersecurity professionals. As 2024 approaches, we all know how vital it is to keep up to date with regulatory changes that affect our work. We get it – it’s a lot to juggle, especially when you’re in the trenches working on an investigation, handling, and responding to incidents.


BFU – Seeing is Believing

Oh no, the device is in BFU. This is the common reaction; a device needs extracting, and you find it in a BFU state. Often, there’s an assumption that a BFU extraction will only acquire basic information, but that isn’t always the case.