Skip links

China APT group using Russia invasion, COVID-19 in phishing attacks

A China-based threat group is likely running a month-long campaign using a variant of the Korplug malware and targeting European diplomats, internet service providers (ISPs) and research institutions via phishing lures that refer to Russia’s invasion of Ukraine and COVID-19 travel restrictions.

The ongoing campaign was first seen in August 2021 and is being tied to Mustang Panda – a Chinese APT unit also known as TA416, RedDelta and PKPLUG – due to similar code and common tactics, techniques and procedures used by the group in the past, according to researchers with the cybersecurity firm ESET.

Mustang Panda is known for targeting governmental entities and non-governmental organizations (NGOs), with most of its victims being in East and Southeast Asia.

It also was responsible for a campaign in 2020 that targeted the Vatican, ESET researchers wrote in a blog post this month. In the most recent campaign, Mustang Panda was using a Korplug variant it is calling “Hodur,” which resembles another variant uncovered by Palo Alto Network’s Unit 42 threat intelligence unit that was dubbed “Thor.”

In Norse mythology, Hodur is Thor’s blind half-brother, tricked by the god Loki into killing their half-brother Baldr.

The decoy documents used as phishing lures by Mustang Panda for Hodur not only refer to current events occurring in Europe but also are frequently updated, the researchers wrote. More than 3 million people have fled Ukraine to neighboring borders to escape the violence and one of the file names used in fraudulent document refers to the “situation at the EU borders with Ukraine.”

In another decoy, it refers to a real document on the European Council’s website, showing that the advanced persistent threat (APT) group “is following current affairs and is able to successfully and swiftly react to them,” ESET wrote.

Entities in eight countries have been targeted in the Hodur campaign: Greece, Russia, Cyprus, Vietnam, Myanmar, South Africa, South Sudan and Mongolia, a frequent target of Mustang Panda.

“While we haven’t been able to identify the verticals of all victims, this campaign seems to have the same targeting objectives as other Mustang Panda campaigns,” the researchers wrote. “Following the APT’s typical victimology, most victims are located in East and Southeast Asia, along with some in European and African countries. According to ESET telemetry, the vast majority of targets are located in Mongolia and Vietnam, followed by Myanmar, with only a few in the other affected countries.”

Researchers with cybersecurity firm Proofpoint referred to the same campaign in a report earlier this month, noting the campaign by the threat group – which they call TA146 – is part of a larger trend among cybercriminals to profit off the fallout from Russia’s war against Ukraine.

The threat group often uses custom loaders for shared malware – such as Cobalt Strike, Poison Ivy and Korplug – in its campaigns. In the past it has also created its own Korplug variants. Mustang Panda also uses techniques designed to thwart analysis and obfuscate how the malware works.

Kroplug remote access trojan (RAT) and variants have been around for about a decade and were used by a number of Chinese threat groups. ESET researchers said that despite the new Hodur variant and custom loaders, Mustang Panda is still leveraging DLL side-loading to evade detection. At the same time, the group is using even more anti-analysis techniques and obfuscation throughout the attack process.

The decoy documents are designed to entice victims to open them. Doing so opens the pathway for a malicious file, an encrypted Korplug file and an executable to land in the targeted system. The Korplug Hodur variant creates a backdoor and messages back to a command-and-control (C2) server for orders.

“Korplug (also known as PlugX) is a RAT used by multiple APT groups,” ESET researchers wrote. “In spite of it being so widely used, or perhaps because of it, few reports extensively describe its commands and the data it exfiltrates. Its functionality is not constant between variants, but there does seem to exist a significant overlap in the list of commands between the version we analyzed and other sources.”

The researchers expect Mustang Panda to continue to evolve its operations, noting how quickly it can react to current events, such as an EU regulation regarding COVID-19 that was used as a decoy two weeks after it came out. ESET wrote that “this group also demonstrates an ability to iteratively improve its tools, including its signature use of trident downloaders to deploy Korplug.” ®