During a dramatic military buildup in the South China Sea this summer, a Chinese state-linked advanced persistent threat (APT) managed to compromise an entity within the Philippine government using a remarkably simple sideloading technique.
The culprit, Mustang Panda — known variously as Bronze President, Camaro Dragon, Earth Preta, Luminous Moth, Red Delta, and tracked by Palo Alto Networks’ Unit 42 as Stately Taurus — has spied on high-profile government and government-adjacent organizations over the Web since at least 2012.
In one recent case, outlined by Unit 42 on Nov. 17, the group carried out three similar campaigns against South Pacific organizations, including one which led to successful five-day compromise of the Philippine government organization.
Mustang Panda’s Simple TTPs
Beginning in early August, when the Chinese coast guard blocked and fired water cannons at Philippine supply ships, the two South Pacific nations engaged in a months-long, increasingly serious melodrama of the kind often seen in the South China Sea.
During the military tête-à-tête, it seems, China’s hackers were simultaneously attacking Philippine organizations in cyberspace.
During the first half of the month, China’s Mustang Panda conducted three attacks in the South Pacific which, aside from a few minor differences, followed largely the same playbook.
Each began with a ZIP file, typically hosted on Google Drive. The malware package would be given a legitimate sounding name like “NUG’s Foreign Policy Strategy.zip.” Once extracted, it would reveal just one EXE file with a similarly legitimate sounding name like “Labour Statement.exe.”
The file would be no more than a renamed copy of Solid PDF Creator, a legitimate application for converting documents to PDFs. The trick was that launching the app would sideload a second file — a dynamic link library (DLL), hidden inside of the original ZIP. The DLL would provide the attackers a point to which they could establish command-and-control (C2).
Dealing With Mustang Panda
Throughout the month of August, Mustang Panda conducted its espionage from one of its known IP addresses based in Malaysia. It thinly attempted to mask its malicious traffic by mimicking a Microsoft domain, “wcpstatic.microsoft[.]com.”
Unit 42 researchers discovered multiple such malicious communications between the IP address in question and the Philippine government entity, between the period of Aug. 10-15. The exact data that might have been transferred in that period, or in any related August attack, remains unknown.
Unit 42 analysts recommend that organizations deploy machine learning-enabled firewalls, XDR, and threat intelligence solutions since, they wrote in their blog, “Stately Taurus continues to demonstrate its ability to conduct persistent cyberespionage operations as one of the most active Chinese APTs.”