Mustang Panda, an advanced persistent threat (APT) group from China, has been connected to an ongoing cyberespionage campaign that infects compromised workstations with a previously undocumented variant of the PlugX remote access trojan. Slovak cybersecurity firm ESET named the new variant ‘Hodur’ because of its similarities to THOR, another PlugX (aka Korplug) variant that surfaced in July 2021.
“Most victims are located in East and Southeast Asia, but a few are in Europe (Greece, Cyprus, Russia) and Africa (South Africa, South Sudan),” ESET malware researcher Alexandre Côté Cyr said. “Known victims include research entities, internet service providers (ISPs), and European diplomatic missions mostly located in East and Southeast Asia.”
Mustang Panda, aka TA416, HoneyMyte, RedDelta, or PKPLUG, is a cyber espionage group that has historically focused on Mongolian non-governmental organizations. The most recent campaign, which dates back to August 2021, relies on a compromise chain that uses a continually updated set of decoy documents tied to current events in Europe and the Ukraine crisis.
According to ESET, other phishing lures include updated COVID-19 travel restrictions, an approved regional aid map for Greece, and a Regulation of the European Parliament and Council. The final lure is a genuine document that can be found on the European Council’s website, which shows that the APT group behind this campaign follows current events and can respond to them quickly and effectively. Regardless of the phishing lure used, the infection chain ends with the deployment of the Hodur backdoor on the compromised Windows host.
Once installed, Hodur can handle a wide range of commands, allowing it to collect basic system information, read and write arbitrary files, run commands, and open a remote cmd.exe session. ESET’s findings coincide with this month’s public reports from Google’s Threat Analysis Group (TAG) and Proofpoint, which documented a Mustang Panda campaign distributing an upgraded PlugX variant.
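A backdoor that opens a remote cmd.exe session leaves a trace in process-creation telemetry: a command shell started by a parent that would never normally launch one. The following Python script is an added illustration of that defender-side check and is not code from ESET’s report or from the Hodur sample. The benign-parent allowlist, the log format and the sample log lines are all constructed assumptions for the example; the paths in the sample lines are not indicators from the campaign.

```python
"""
Added illustration (not from ESET's report): flag cmd.exe launches whose
parent process is not on an allowlist of expected shell parents. This is
the kind of signal a defender would use to notice a backdoor that opens a
remote command shell. Allowlist, log format and log lines are constructed
assumptions for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Assumed benign parents for cmd.exe on a workstation. A real allowlist is
# environment-specific; this one exists only to make the example run.
BENIGN_CMD_PARENTS = {
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\cmd.exe",
    r"c:\windows\system32\services.exe",
}


@dataclass
class ProcEvent:
    """One process-creation record (constructed pipe-delimited format)."""
    ts: str
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Parse 'timestamp|parent image|image|command line' into a ProcEvent."""
    ts, parent, image, cmdline = line.split("|", 3)
    return ProcEvent(ts.strip(), parent.strip(), image.strip(), cmdline.strip())


def is_cmd(image: str) -> bool:
    """True when the created process is cmd.exe, regardless of directory or case."""
    return image.lower().rsplit("\\", 1)[-1] == "cmd.exe"


def suspicious_cmd_spawns(lines: Iterable[str]) -> List[ProcEvent]:
    """Return cmd.exe creation events whose parent is not an expected shell parent."""
    hits: List[ProcEvent] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if not is_cmd(ev.image):
            continue
        if ev.parent_image.lower() in BENIGN_CMD_PARENTS:
            continue
        hits.append(ev)
    return hits


# Constructed sample telemetry; none of these paths are real indicators.
SAMPLE_LOG = [
    r"2022-03-23T10:01:05Z|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe",
    r"2022-03-23T10:02:17Z|C:\Users\alice\AppData\Roaming\Updater\host.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami",
    r"2022-03-23T10:03:40Z|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs",
    r"2022-03-23T10:04:02Z|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\cmd.exe|cmd.exe /c dir",
]


if __name__ == "__main__":
    for ev in suspicious_cmd_spawns(SAMPLE_LOG):
        print(f"{ev.ts} suspicious cmd.exe parent={ev.parent_image} cmdline={ev.command_line}")
```

Run against the constructed sample, the script reports the two cmd.exe launches whose parents are an unknown user-profile executable and a document viewer, and ignores the shell started from explorer.exe and the non-cmd.exe event. In practice the allowlist would be tuned per environment and the check combined with other signals (file writes, outbound connections) rather than used on its own.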