A China-based advanced persistent threat (APT) known as Mustang Panda has been linked to an ongoing cyberespionage campaign using a previously undocumented variant of the PlugX remote access trojan on infected machines.
Slovak cybersecurity firm ESET dubbed the new version Hodur, owing to its resemblance to another PlugX (aka Korplug) variant called THOR that came to light in July 2021.
“Most victims are located in East and Southeast Asia, but a few are in Europe (Greece, Cyprus, Russia) and Africa (South Africa, South Sudan),” ESET malware researcher Alexandre Côté Cyr said in a report shared with The Hacker News.
“Known victims include research entities, internet service providers (ISPs), and European diplomatic missions mostly located in East and Southeast Asia.”
Mustang Panda, also known as TA416, HoneyMyte, RedDelta, or PKPLUG, is a cyber espionage group that’s primarily known for targeting non-governmental organizations with a specific focus on Mongolia.
The latest campaign, which dates back to at least August 2021, makes use of a compromise chain featuring an ever-evolving stack of decoy documents pertaining to the ongoing events in Europe and the war in Ukraine.
“Other phishing lures mention updated COVID-19 travel restrictions, an approved regional aid map for Greece, and a Regulation of the European Parliament and of the Council,” ESET said. “The final lure is a real document available on the European Council’s website. This shows that the APT group behind this campaign is following current affairs and is able to successfully and swiftly react to them.”
Regardless of the phishing lure employed, the infections culminate in the deployment of the Hodur backdoor on the compromised Windows host.
“The variant used in this campaign bears many similarities to the THOR variant, which is why we have named it Hodur,” explained. “The similarities include the use of the SoftwareCLASSESms-pu registry key, the same format for [command-and-control] servers in the configuration, and use of the Static window class.”
Hodur, for its part, is equipped to handle a variety of commands, enabling the implant to gather extensive system information, read and write arbitrary files, execute commands, and launch a remote cmd.exe session.
The findings from ESET line up with public disclosures from Google’s Threat Analysis Group (TAG) and Proofpoint, both of which detailed a Mustang Panda campaign to distribute an updated PlugX variant earlier this month.
“The decoys used in this campaign show once more how quickly Mustang Panda is able to react to world events,” Côté Cyr said. “This group also demonstrates an ability to iteratively improve its tools, including its signature use of trident downloaders to deploy Korplug.”