
PUBLOAD and Pubshell Malware Used in Mustang Panda's Tibet-Specific Attack


Jun 27, 2025 | Ravie Lakshmanan | Vulnerability / Cyber Espionage


A China-linked threat actor known as Mustang Panda has been attributed to a new cyber espionage campaign directed against the Tibetan community.

The spear-phishing attacks leveraged topics related to Tibet, such as the 9th World Parliamentarians' Convention on Tibet (WPCT), China's education policy in the Tibet Autonomous Region (TAR), and a recently published book by the 14th Dalai Lama, according to IBM X-Force.

The cybersecurity division of the technology company said it observed the campaign earlier this month, with the attacks leading to the deployment of a known Mustang Panda malware called PUBLOAD. It is tracking the threat actor under the name Hive0154.

The attack chains use Tibet-themed lures to distribute a malicious archive containing a benign Microsoft Word file, along with articles reproduced from Tibetan websites and images from WPCT, in order to lure victims into opening an executable that is disguised as a document.


The executable, as observed in prior Mustang Panda attacks, leverages DLL side-loading to launch a malicious DLL dubbed Claimloader, which is then used to deploy PUBLOAD, a downloader malware that is responsible for contacting a remote server and fetching a next-stage payload dubbed Pubshell.

Pubshell is a "lightweight backdoor facilitating rapid access to the machine via a reverse shell," security researchers Golo Mühr and Joshua Chung said in an analysis published this week.

At this stage, it is worth noting some of the nomenclature differences: IBM has given the name Claimloader to the custom stager first documented by Cisco Talos in May 2022 and PUBLOAD to the first-stage shellcode downloader, whereas Trend Micro identifies both the stager and the downloader as PUBLOAD. Team T5, likewise, tracks the two components together as NoFive.

The development comes weeks after IBM reported activity which it said is the work of a Hive0154 sub-cluster targeting the United States, the Philippines, Pakistan, and Taiwan from late 2024 to early 2025.

This activity, as in the case of the attacks targeting Tibet, uses weaponized archives delivered through spear-phishing emails to target government, military, and diplomatic entities.

The emails contain links to Google Drive URLs that download the booby-trapped ZIP or RAR archives upon clicking, ultimately resulting in the deployment of TONESHELL in 2024 and, starting this year, PUBLOAD via Claimloader.

TONESHELL, another oft-used Mustang Panda malware, functions similarly to Pubshell in that it is also used to create a reverse shell and execute commands on the compromised host.

"The Pubshell implementation of the reverse shell via anonymous pipes is almost identical to TONESHELL," the researchers said. "However, instead of running a new thread to immediately return any results, Pubshell requires an additional command to return command results. It also only supports running 'cmd.exe' as a shell."


"In several ways, PUBLOAD and Pubshell appear to be an independently developed 'lite version' of TONESHELL, with less sophistication and clear code overlaps."

The attacks targeting Taiwan have been characterized by the use of a USB worm called HIUPAN (aka MISTCLOAK or U2DiskWatch), which is then leveraged to spread Claimloader and PUBLOAD via USB devices.

"Hive0154 remains a highly capable threat actor with multiple active sub-clusters and frequent development cycles," the researchers said.

"China-aligned groups like Hive0154 will continue to refine their large malware arsenal and retain a focus on East Asia-based organizations in the private and public sectors. Their wide range of tooling, frequent development cycles, and USB worm-based malware distribution highlight them as a sophisticated threat actor."
