In the Cyber Jungle, the Mighty Mustang Panda Phishes Tonight

A mischievous threat actor known as Mustang Panda prowls silently through the cyber underbrush, orchestrating sophisticated spear-phishing campaigns.

This elusive entity has earned a notorious reputation for its cunning tactics and relentless pursuit of sensitive information. Join us as we delve into the world of Mustang Panda, exploring its origins, modus operandi, the impact of its spear-phishing endeavors, and how you can guard against it.

In the jungle, the cyber jungle,
Mustang Panda schemes tonight.
In the jungle, the cyber jungle,
Mustang Panda phishes tonight.

Near the server, the peaceful server,
Mustang Panda strikes tonight.
Near the server, the quiet server,
Mustang Panda hacks tonight.

Hush, dear user, don’t click, dear user,
Mustang Panda prowls tonight.
Hush, dear user, stay sharp, dear user,
Mustang Panda prowls tonight.

The Prowess of Mustang Panda

Since March 2022, this elusive threat actor has targeted government and education sectors, employing a sophisticated arsenal that includes the use of fake Google accounts, malware distribution via attachments, and the deployment of custom malware families TONEINS and TONESHELL.

The orchestrated attack begins with the deployment of a malicious ZIP file housing a legitimate executable and the TONEINS loader. The legitimate executable serves as a means for DLL Side-Loading, facilitating the injection of the TONEINS payload. The persistence of the attack is ensured through a scheduled task cryptically named “ServiceHub.TestWindowStoreHost.”

As the attack progresses, a second legitimate executable and the TONESHELL backdoor come into play, executed in a manner similar to TONEINS. The second stage unfolds with an environment discovery phase, culminating in the exfiltration of collected data—a critical juncture where the true extent of Mustang Panda’s intrusion becomes evident.
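The two behaviours described above, DLL side-loading and the named scheduled task, can be hunted for in endpoint telemetry. The following Python is an added example, not AttackIQ's code or part of the original post. It assumes Sysmon Event ID 7 (image load) and Security Event ID 4698 (scheduled task created) records flattened into dicts; the `Host` key, the writable-path hints and the sample events are constructed, while the task name and DLL file names are the ones given on this page.

```python
import ntpath

# Names taken from this page; everything else below is an assumption.
TASK_NAME = "servicehub.testwindowstorehost"
SIDELOADED_DLLS = {"libcef.dll", "teniodl_core.dll"}
# Assumed user-writable roots; tune for your environment.
WRITABLE_HINTS = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

def is_sideload(ev):
    """Image load: page-named DLL next to its loader, in a writable dir, not validly signed."""
    image, dll = ev["Image"].lower(), ev["ImageLoaded"].lower()
    same_dir = ntpath.dirname(image) == ntpath.dirname(dll)
    writable = any(h in dll for h in WRITABLE_HINTS)
    unsigned = ev.get("SignatureStatus", "").lower() != "valid"
    return ntpath.basename(dll) in SIDELOADED_DLLS and same_dir and writable and unsigned

def is_task_persistence(ev):
    """Task creation: leaf of the task path equals the task name from this page."""
    leaf = ev["TaskName"].replace("/", "\\").rsplit("\\", 1)[-1]
    return leaf.lower() == TASK_NAME

def hunt(events):
    """Return (finding, host, artifact) tuples in event order."""
    findings = []
    for ev in events:
        if ev["EventID"] == 7 and is_sideload(ev):
            findings.append(("dll_side_loading", ev["Host"], ev["ImageLoaded"]))
        elif ev["EventID"] == 4698 and is_task_persistence(ev):
            findings.append(("scheduled_task_persistence", ev["Host"], ev["TaskName"]))
    return findings

# Constructed sample events (not real telemetry; executable names are made up).
SAMPLE_EVENTS = [
    {"EventID": 7, "Host": "ws-01", "Image": r"C:\Users\Public\Docs\viewer.exe",
     "ImageLoaded": r"C:\Users\Public\Docs\libcef.dll", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Host": "ws-02", "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Program Files\App\libcef.dll", "SignatureStatus": "Valid"},
    {"EventID": 4698, "Host": "ws-01", "TaskName": r"\ServiceHub.TestWindowStoreHost"},
    {"EventID": 4698, "Host": "ws-03", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"EventID": 7, "Host": "ws-01", "Image": r"C:\ProgramData\upd\helper.exe",
     "ImageLoaded": r"C:\ProgramData\upd\TenioDL_core.dll", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The legitimately installed, validly signed `libcef.dll` on ws-02 is not flagged; a file-name match alone would alert on every Chromium Embedded Framework application.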

Defending Against the Menace: AttackIQ Flex

In the face of such persistent threats, organizations need robust defense mechanisms. AttackIQ Flex, an on-demand, agentless test-as-a-service platform designed to emulate adversary behavior, is available to you. Want a simplified user experience that delivers detailed security control performance metrics and mitigation strategies within minutes? Try AttackIQ Flex for free!

Scenarios Included in AttackIQ Flex Package:

  • Get OS Serial Number Using WMI
  • System Owner/User Discovery Script
  • Save 2018-04 – Mustang Panda’s Legitimate First-stage Executable Sample to File System
  • Persistence Through Scheduled Task
  • Save 2016-09 – Mustang Panda’s Legitimate Second-stage Executable Sample to File System
  • Save 2022-11 – TONEINS (libcef.dll) Sample to File System
  • Download 2022-05 Mustang Panda’s Malicious ZIP Sample to Memory
  • Save 2022-11 – TONESHELL (TenioDL_core.dll) to File System
  • DLL Side-Loading
  • System Information Discovery Script
  • Save 2022-05 Mustang Panda’s Malicious ZIP Sample to File System
  • Mustang Panda TONESHELL Initial HTTP Command and Control POST Request
  • Process Discovery Through Tasklist

Testing Your Defenses

Are you ready to test your defenses against the likes of Mustang Panda? Try AttackIQ Flex for free now. Additionally, check out our Adversary Research Team (ART) in-depth attack graph blog that delves into the intricacies of defending against Mustang Panda.

Understanding and countering the threat posed by Mustang Panda requires a multi-faceted approach. By staying informed, leveraging AttackIQ Flex, and regularly testing your defenses, you can keep your organization safe.