According to cybersecurity company Trend Micro, the cyberespionage group Mustang Panda has recently conducted a campaign targeting a range of entities, including those involved in maritime, shipping, border control, and immigration.
Also known as Earth Preta, RedDelta, and TA416, Mustang Panda is believed to be operating on behalf of the Chinese government. Previously, the group was seen targeting European diplomatic entities and various telecommunications companies. Trend Micro recently analyzed several attacks observed in 2022 and found that Mustang Panda coordinates several subgroups in a collaborative effort to gather sensitive information from the targeted entities. The group has been seen targeting transportation, government, manufacturing, fabrication, construction, education, finance, food production, border and immigration control, and energy sectors, as well as humanitarian groups.
Trend Micro discovered that each of the operational groups uses its own intrusion and privilege escalation methods, but coordination and planning appear to be lacking at the management level, as the groups might sometimes target the same entity, pursuing similar objectives. Three subgroups have been identified, including Groups 724, 1358, and 5171, each typically operating in different sectors and geographies.
Group 724 uses customized USB storage devices for initial access and relies on sideloading with Adobe CEF Helper for persistence. Group 1358, which relies on Avast’s WSC DLL for sideloading and WMI for code execution, uses the PlugX remote access tool (RAT) for data exfiltration, typically via USB drives. Group 5171 also uses DLL sideloading with Adobe CEF Helper and employs USB-based data exfiltration. What separates it from the other groups is the infection of laptops with malicious code when traveling as part of a routine work travel, which then leads to more elaborate exploitation and lateral movement.
Overall, Trend Micro concluded that “Earth Preta’s cyberespionage operations have a broad reach and have the capacity to target high value targets. The shift in collection priorities toward intelligence regarding specific areas also indicates that Earth Preta is targeting critical infrastructure and key institutions that can affect national and international relations, economies, and securities.”
Key Points:
- Chinese cyberespionage group Mustang Panda is believed to be operating on behalf of the Chinese government.
- The group has been targeting entities related to maritime, shipping, border, and immigration.
- Trend Micro identified more than 200 Mustang Panda victims, across various sectors and geographies.
- Three subgroups have been identified, each using its own intrusion and privilege escalation methods.
- Mustang Panda is targeting critical infrastructure and key institutions that can affect national and international relations, economies, and securities.