| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.001 | Domains | Mustang Panda registered adversary-controlled domains during RedDelta Modified PlugX Infection Chain Operations that were re-registrations of expired domains. |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Mustang Panda used HTTP POST messages for command and control from PlugX installations during RedDelta Modified PlugX Infection Chain Operations. |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Mustang Panda used Run registry keys with names such as OneNote Update to execute legitimate executables that would load malicious DLLs through search-order hijacking to ensure persistence during RedDelta Modified PlugX Infection Chain Operations. |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Mustang Panda used LNK files to execute PowerShell commands leading to eventual PlugX installation during RedDelta Modified PlugX Infection Chain Operations. |
| enterprise | T1480 | Execution Guardrails | Mustang Panda included the use of Cloudflare geofencing mechanisms to limit payload download activity during RedDelta Modified PlugX Infection Chain Operations. |
| enterprise | T1203 | Exploitation for Client Execution | Mustang Panda used the GrimResource exploitation technique via specially crafted MSC files for arbitrary code execution during RedDelta Modified PlugX Infection Chain Operations. |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | Mustang Panda stored encrypted payloads associated with PlugX installation in hidden directories during RedDelta Modified PlugX Infection Chain Operations. |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL | Mustang Panda used DLL search order hijacking on vulnerable applications to install PlugX payloads during RedDelta Modified PlugX Infection Chain Operations. |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.004 | Masquerade Task or Service | Mustang Panda masqueraded Registry run keys as legitimate-looking service names such as OneNote Update during RedDelta Modified PlugX Infection Chain Operations. |
| enterprise | T1095 | Non-Application Layer Protocol | Mustang Panda communicated over TCP 5000 from adversary administrative servers to adversary command and control nodes during RedDelta Modified PlugX Infection Chain Operations. |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | Mustang Panda stored installation payloads as encrypted files in hidden folders during RedDelta Modified PlugX Infection Chain Operations. |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.004 | Digital Certificates | Mustang Panda acquired Cloudflare Origin CA TLS certificates during RedDelta Modified PlugX Infection Chain Operations. |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | Mustang Panda leveraged malicious attachments in spearphishing emails for initial access to victim environments in RedDelta Modified PlugX Infection Chain Operations. |
| enterprise | T1566.002 | Spearphishing Link | Mustang Panda distributed malicious links in phishing emails leading to HTML files that would direct the victim to malicious MSC files if running Windows, based on User Agent fingerprinting, during RedDelta Modified PlugX Infection Chain Operations. |
| enterprise | T1090 | Proxy | Mustang Panda proxied communication through the Cloudflare CDN service during RedDelta Modified PlugX Infection Chain Operations. |
| enterprise | T1608 | Stage Capabilities | - |
| enterprise | T1608.001 | Upload Malware | Mustang Panda staged malware on adversary-controlled domains and cloud storage instances during RedDelta Modified PlugX Infection Chain Operations. |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | Mustang Panda used legitimate, signed binaries such as inkform.exe or ExcelRepairToolboxLauncher.exe for follow-on execution of malicious DLLs through DLL search order hijacking in RedDelta Modified PlugX Infection Chain Operations. |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.007 | Msiexec | Mustang Panda initial payloads downloaded a Windows Installer MSI file that in turn dropped follow-on files leading to installation of PlugX during RedDelta Modified PlugX Infection Chain Operations. |
| enterprise | T1218.014 | MMC | Mustang Panda used Microsoft Management Console Snap-In Control files, or MSC files, executed via MMC to run follow-on PowerShell commands during RedDelta Modified PlugX Infection Chain Operations. |
| enterprise | T1082 | System Information Discovery | Mustang Panda captured victim operating system type via User Agent analysis during RedDelta Modified PlugX Infection Chain Operations. |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | Mustang Panda distributed hyperlinks that would result in an MSC file running a PowerShell command to download and install a remotely-hosted MSI file during RedDelta Modified PlugX Infection Chain Operations. |
| enterprise | T1204.002 | Malicious File | Mustang Panda distributed malicious LNK objects for user execution during RedDelta Modified PlugX Infection Chain Operations. |