Mustang Panda Strikes: Cyber Intrusions Target Myanmar’s Core Ministries

In November 2023 and January 2024, Myanmar’s Ministry of Defense and Ministry of Foreign Affairs were targeted by cyberattacks, presumably orchestrated by the Chinese hacker collective known as Mustang Panda. This information was disclosed by the CSIRT-CTI team following their analysis of artifacts associated with the attacks that were uploaded to the VirusTotal platform.

The hackers primarily exploited legitimate software, including a binary file developed by the engineering firm Bernecker & Rainer (B&R) and a Windows 10 Update Assistant component, to download malicious DLL libraries.

Overview of PUBLOAD malware events | Image: CSIRT-CTI

Active since 2012, Mustang Panda (also tracked as Stately Taurus, Camaro Dragon, and Bronze President) has recently been linked to attacks on Southeast Asian governments, including the Philippines. Its objective is to implant backdoors for harvesting sensitive information.

The initial attack in November 2023 began with a phishing email carrying a ZIP archive. The archive contained a legitimate executable (Analysis of the third meeting of NDSC.exe), originally signed by B&R Industrial Automation GmbH, together with a DLL file (BrMod104.dll).

The attack relied on the DLL search order hijacking technique (sideloading) to make the signed executable load the malicious DLL, which then established persistence and communication with a command and control (C2) server before deploying the PUBLOAD backdoor. PUBLOAD, in turn, functions as a specialized loader for delivering the PlugX implant.

The attackers attempted to disguise C2 traffic as Microsoft update activity, appending headers “Host: www[.]asia[.]microsoft[.]com” and “User-Agent: Windows-Update-Agent”.
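A defender-side check for this disguise, added here as an example and not taken from the CSIRT-CTI report: the forged headers only help the attacker if nobody compares the claimed Host name with where the connection actually went. The script scans a constructed, hypothetical proxy log format (timestamp, destination IP, Host header, User-Agent, URI) and flags requests whose Host header names a microsoft.com domain while the destination address lies outside a placeholder allowlist standing in for the organisation's verified Microsoft ranges.

```python
import ipaddress
import re

# Constructed sample proxy log (hypothetical format): ts dst_ip host_header user_agent uri.
# 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges used purely as placeholders.
SAMPLE_LOG = """\
2023-11-14T09:01:10Z 192.0.2.10 www.asia.microsoft.com Windows-Update-Agent /update
2023-11-14T09:02:33Z 203.0.113.77 www.asia.microsoft.com Windows-Update-Agent /api/v1/upload
2023-11-14T09:03:01Z 198.51.100.9 example.org Mozilla/5.0 /index.html
2023-11-14T09:04:45Z 203.0.113.77 www.asia.microsoft.com curl/8.0 /api/v1/beacon
"""

# Placeholder allowlist: in production this is the vendor-published address space that
# the organisation has verified, not a hard-coded range.
TRUSTED_MICROSOFT_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<dst>\S+) (?P<host>\S+) (?P<ua>\S+) (?P<uri>\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def claims_microsoft(host_header):
    """True when the Host header names microsoft.com or one of its subdomains."""
    host = host_header.lower().rstrip(".")
    return host == "microsoft.com" or host.endswith(".microsoft.com")


def destination_is_trusted(dst_ip):
    """True when the destination address falls inside the verified ranges."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in TRUSTED_MICROSOFT_RANGES)


def find_spoofed_update_traffic(log_text):
    """Return records whose Host header claims Microsoft but whose destination is not.

    A spoofed User-Agent alone is not evidence; the mismatch between the claimed
    host and the real destination is what separates the beacon from real updates.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and claims_microsoft(rec["host"]) and not destination_is_trusted(rec["dst"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_spoofed_update_traffic(SAMPLE_LOG):
        print(f"{rec['ts']} Host={rec['host']} dst={rec['dst']} UA={rec['ua']} uri={rec['uri']}")
```

On the sample log the first line (trusted destination) and the example.org line are ignored, while both requests to 203.0.113.77 are reported regardless of which User-Agent they carry.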

A subsequent attack in January 2024 used an optical disc image (ASEAN Notes.iso) containing LNK shortcuts to start a multi-stage process. This stage used another specialized loader, TONESHELL, which the researchers believe was intended to install PlugX from a C2 server that was already unreachable by the time of analysis.

Following rebel attacks in northern Myanmar in October 2023, China expressed concerns over the impact of these events on trade routes and security along the Myanmar-China border. Stately Taurus operations are known to align with the geopolitical interests of the Chinese government, including numerous espionage campaigns against Myanmar.