Hitching a ride with Mustang Panda
Early this year, we stumbled upon a distribution server connected to security incidents affecting various institutions in Myanmar. A brief investigation revealed that the server was used for multiple attacks across the country, as well as a transition point for exfiltrated data.
Further inspection of the exfiltrated data revealed many high-profile government victims including police, army, and the Office of the State Administrative Council. Various political NGOs and the government opposition, including Karenni Nationalities Defense Force (the armed wing of the exile government), were also among the victims. Many sensitive documents were found on the server, for instance documents from the Office of the Chief Myanmar Air Defense Force with a list of staff along with their salaries, photo IDs, and family details. Gigabytes of data were exfiltrated on a daily basis, hinting at a large-scale operation. The Ministry of Immigration and Population was also breached, and thus passport scans from visa applicants, including diplomats, from various countries such as China, USA, and Great Britain were found.
The distribution server contained dozens of archives with various toolsets, some of them novel, while others were previously described and linked to the Mustang Panda group. The toolsets fell into two categories: the first typically contained Korplug or other custom remote access tools, often accompanied by a USB launcher written in Delphi that has previously been associated with LuminousMoth; the second contained single-purpose tools that were used selectively against the targets.
Surprisingly, the group’s operational security was also rather poor, allowing us to map the operation and track its development while resisting attempts to shake us off. This, together with the indiscriminate targeting and the tremendous scale of the operation, with an impact on both civilians and diplomats around the world, makes for an interesting case to study.
Adolf Středa is a Malware Researcher at Avast. He specializes in botnets, more specifically botnet communication analysis and information extraction. He is also a PhD student at the Faculty of Mathematics and Physics of the Charles University in Prague, Czech Republic, specializing in cryptography. So far, he has presented his research at SantaCrypt, AVAR, Botconf, and Virus Bulletin.
Luigino Camastra is a malware researcher at Avast focused on reverse-engineering PE files, identifying malware families, and hunting advanced persistent threat groups. He holds a master's degree in Computer Science from Czech Technical University in Prague. Luigino has presented his research at Virus Bulletin conferences, AVAR, Botconf, MNSEC2020, and APWG. In his free time he enjoys playing futsal and CTF.