G0129 Mustang Panda

Mustang Panda is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. Mustang Panda has targeted government entities, nonprofits, religious organizations, and other non-governmental organizations in the U.S., Europe, Mongolia, Myanmar, Pakistan, and Vietnam, among others. [4][1][2]

| Item | Value |
|---|---|
| ID | G0129 |
| Associated Names | TA416, RedDelta, BRONZE PRESIDENT |
| Version | 2.1 |
| Created | 12 April 2021 |
| Last Modified | 22 March 2023 |

Associated Group Descriptions

| Name | Description |
|---|---|
| TA416 | [5] |
| RedDelta | [3][6] |
| BRONZE PRESIDENT | [2] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.001 | Domains | Mustang Panda has acquired C2 domains prior to operations. [2][3][8] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Mustang Panda has communicated with its C2 via HTTP POST requests. [1][2][3][8] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | Mustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration. [2][7] |
| enterprise | T1560.003 | Archive via Custom Method | Mustang Panda has encrypted documents with RC4 prior to exfiltration. [7] |
| enterprise | T1119 | Automated Collection | Mustang Panda has used custom batch scripts to collect files automatically from a targeted system. [2] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Mustang Panda has created the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobelmdyU to maintain persistence. [5] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Mustang Panda has used malicious PowerShell scripts to enable execution. [4][1] |
| enterprise | T1059.003 | Windows Command Shell | Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection. [1][7] |
| enterprise | T1059.005 | Visual Basic | Mustang Panda has embedded VBScript components in LNK files to download additional files and automate collection. [4][1][2] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | Mustang Panda has stored collected credential files in c:\windows\temp prior to exfiltration. Mustang Panda has also stored documents for exfiltration in a hidden folder on USB drives. [2][7] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Mustang Panda has encrypted C2 communications with RC4. [3] |
| enterprise | T1585 | Establish Accounts | - |
| enterprise | T1585.002 | Email Accounts | Mustang Panda has leveraged the legitimate email marketing service SMTP2Go for phishing campaigns. [6] |
| enterprise | T1546 | Event Triggered Execution | - |
| enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | Mustang Panda's custom ORat tool uses a WMI event consumer to maintain persistence. [2] |
| enterprise | T1052 | Exfiltration Over Physical Medium | - |
| enterprise | T1052.001 | Exfiltration over USB | Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks. [7] |
| enterprise | T1203 | Exploitation for Client Execution | Mustang Panda has exploited CVE-2017-0199 in Microsoft Word to execute code. [4] |
| enterprise | T1083 | File and Directory Discovery | Mustang Panda has searched the entire target system for DOC, DOCX, PPT, PPTX, XLS, XLSX, and PDF files. [7] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | Mustang Panda's PlugX variant has created a hidden folder on USB drives named RECYCLE.BIN to store malicious executables and collected data. [7] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.002 | DLL Side-Loading | Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file. [1][3][5] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Mustang Panda will delete their tools and files, and kill processes after their objectives are reached. [2] |
| enterprise | T1105 | Ingress Tool Transfer | Mustang Panda has downloaded additional executables following the initial infection stage. [3] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | Mustang Panda has used names like adobeupdate.dat and PotPlayerDB.dat to disguise PlugX, and a file named OneDrive.exe to load a Cobalt Strike payload. [3] |
| enterprise | T1036.007 | Double File Extension | Mustang Panda has used an additional filename extension to hide the true file type. [4][1] |
| enterprise | T1027 | Obfuscated Files or Information | Mustang Panda has delivered initial payloads hidden using archives and encoding measures. [4][1][2][3][5][6] |
| enterprise | T1027.001 | Binary Padding | Mustang Panda has used junk code within their DLL files to hinder analysis. [7] |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.003 | NTDS | Mustang Panda has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file. Mustang Panda has also used reg save on the SYSTEM file Registry location to help extract the NTDS.dit file. [2] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | Mustang Panda has used spearphishing attachments to deliver initial access payloads. [3][5][9] |
| enterprise | T1566.002 | Spearphishing Link | Mustang Panda has delivered malicious links to their intended targets. [8] |
| enterprise | T1598 | Phishing for Information | - |
| enterprise | T1598.003 | Spearphishing Link | Mustang Panda has delivered web bugs to profile their intended targets. [6] |
| enterprise | T1057 | Process Discovery | Mustang Panda has used tasklist /v to determine active process information. [7] |
| enterprise | T1219 | Remote Access Software | Mustang Panda has installed TeamViewer on targeted systems. [2] |
| enterprise | T1091 | Replication Through Removable Media | Mustang Panda has used a customized PlugX variant which could spread through USB connections. [7] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Mustang Panda has created a scheduled task to execute additional malicious software, as well as maintain persistence. [1][2][8] |
| enterprise | T1518 | Software Discovery | Mustang Panda has searched the victim system for the InstallUtil.exe program and its version. [1] |
| enterprise | T1608 | Stage Capabilities | Mustang Panda has used servers under their control to validate tracking pixels sent to phishing victims. [6] |
| enterprise | T1608.001 | Upload Malware | Mustang Panda has hosted malicious payloads on DropBox including PlugX. [6] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.004 | InstallUtil | Mustang Panda has used InstallUtil.exe to execute a malicious Beacon stager. [1] |
| enterprise | T1218.005 | Mshta | Mustang Panda has used mshta.exe to launch collection scripts. [2] |
| enterprise | T1082 | System Information Discovery | Mustang Panda has gathered system information using systeminfo. [7] |
| enterprise | T1016 | System Network Configuration Discovery | Mustang Panda has used ipconfig and arp to determine network configuration information. [7] |
| enterprise | T1049 | System Network Connections Discovery | Mustang Panda has used netstat -ano to determine network connection information. [7] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | Mustang Panda has sent malicious links including links directing victims to a Google Drive folder. [4][8][6] |
| enterprise | T1204.002 | Malicious File | Mustang Panda has sent malicious files requiring direct victim interaction to execute. [4][1][7][3][9][6] |
| enterprise | T1102 | Web Service | Mustang Panda has used DropBox URLs to deliver variants of PlugX. [6] |
| enterprise | T1047 | Windows Management Instrumentation | Mustang Panda has executed PowerShell scripts via WMI. [1][2] |

Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0154 | Cobalt Strike | [4][1][2][3][8] | Sudo and Sudo Caching: Abuse Elevation Control Mechanism; Bypass User Account Control: Abuse Elevation Control Mechanism; Token Impersonation/Theft: Access Token Manipulation; Make and Impersonate Token: Access Token Manipulation; Parent PID Spoofing: Access Token Manipulation; Domain Account: Account Discovery; Web Protocols: Application Layer Protocol; DNS: Application Layer Protocol; Application Layer Protocol; BITS Jobs; Browser Session Hijacking; Visual Basic: Command and Scripting Interpreter; Python: Command and Scripting Interpreter; JavaScript: Command and Scripting Interpreter; PowerShell: Command and Scripting Interpreter; Windows Command Shell: Command and Scripting Interpreter; Windows Service: Create or Modify System Process; Standard Encoding: Data Encoding; Data from Local System; Protocol Impersonation: Data Obfuscation; Data Transfer Size Limits; Deobfuscate/Decode Files or Information; Asymmetric Cryptography: Encrypted Channel; Symmetric Cryptography: Encrypted Channel; Exploitation for Client Execution; Exploitation for Privilege Escalation; File and Directory Discovery; Process Argument Spoofing: Hide Artifacts; Disable or Modify Tools: Impair Defenses; Timestomp: Indicator Removal; Ingress Tool Transfer; Keylogging: Input Capture; Modify Registry; Native API; Network Service Discovery; Network Share Discovery; Non-Application Layer Protocol; Indicator Removal from Tools: Obfuscated Files or Information; Obfuscated Files or Information; Office Template Macros: Office Application Startup; Security Account Manager: OS Credential Dumping; LSASS Memory: OS Credential Dumping; Local Groups: Permission Groups Discovery; Domain Groups: Permission Groups Discovery; Process Discovery; Process Hollowing: Process Injection; Process Injection; Dynamic-link Library Injection: Process Injection; Protocol Tunneling; Domain Fronting: Proxy; Internal Proxy: Proxy; Query Registry; Reflective Code Loading; Windows Remote Management: Remote Services; SMB/Windows Admin Shares: Remote Services; SSH: Remote Services; Remote Desktop Protocol: Remote Services; Distributed Component Object Model: Remote Services; Remote System Discovery; Scheduled Transfer; Screen Capture; Software Discovery; Code Signing: Subvert Trust Controls; Rundll32: System Binary Proxy Execution; System Network Configuration Discovery; System Network Connections Discovery; System Service Discovery; Service Execution: System Services; Pass the Hash: Use Alternate Authentication Material; Domain Accounts: Valid Accounts; Local Accounts: Valid Accounts; Windows Management Instrumentation |
| S0590 | NBTscan | [2] | Network Service Discovery; Network Sniffing; Remote System Discovery; System Network Configuration Discovery; System Owner/User Discovery |
| S0013 | PlugX | [4][1][2][7][3][6] | DNS: Application Layer Protocol; Web Protocols: Application Layer Protocol; Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution; Windows Command Shell: Command and Scripting Interpreter; Windows Service: Create or Modify System Process; Deobfuscate/Decode Files or Information; Symmetric Cryptography: Encrypted Channel; File and Directory Discovery; Hidden Files and Directories: Hide Artifacts; DLL Side-Loading: Hijack Execution Flow; DLL Search Order Hijacking: Hijack Execution Flow; Ingress Tool Transfer; Keylogging: Input Capture; Masquerade Task or Service: Masquerading; Match Legitimate Name or Location: Masquerading; Modify Registry; Native API; Network Share Discovery; Non-Application Layer Protocol; Obfuscated Files or Information; Process Discovery; Query Registry; Screen Capture; System Network Connections Discovery; MSBuild: Trusted Developer Utilities Proxy Execution; System Checks: Virtualization/Sandbox Evasion; Dead Drop Resolver: Web Service |
| S0012 | PoisonIvy | [4][3] | Application Window Discovery; Active Setup: Boot or Logon Autostart Execution; Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution; Windows Command Shell: Command and Scripting Interpreter; Windows Service: Create or Modify System Process; Data from Local System; Local Data Staging: Data Staged; Symmetric Cryptography: Encrypted Channel; Ingress Tool Transfer; Keylogging: Input Capture; Modify Registry; Obfuscated Files or Information; Dynamic-link Library Injection: Process Injection; Rootkit |
| S0662 | RCSession | [2] | Bypass User Account Control: Abuse Elevation Control Mechanism; Web Protocols: Application Layer Protocol; Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution; Windows Command Shell: Command and Scripting Interpreter; Data from Local System; Encrypted Channel; DLL Side-Loading: Hijack Execution Flow; File Deletion: Indicator Removal; Ingress Tool Transfer; Keylogging: Input Capture; Masquerading; Modify Registry; Native API; Non-Application Layer Protocol; Obfuscated Files or Information; Fileless Storage: Obfuscated Files or Information; Process Discovery; Process Hollowing: Process Injection; Screen Capture; Msiexec: System Binary Proxy Execution; System Information Discovery; System Owner/User Discovery |

References

1. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
2. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
3. Insikt Group. (2020, July 28). Chinese State-Sponsored Group 'RedDelta' Targets the Vatican and Catholic Organizations. Retrieved April 13, 2021.
4. Meyers, A. (2018, June 15). Meet CrowdStrike's Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.
5. Proofpoint Threat Research Team. (2020, November 23). TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader. Retrieved April 13, 2021.
6. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
7. Hamzeloofard, S. (2020, January 31). New Wave of PlugX Targets Hong Kong. Avira Blog. Retrieved April 13, 2021.
8. Roccia, T., Seret, T., Fokker, J. (2021, March 16). Technical Analysis of Operation Dianxun. Retrieved April 13, 2021.
9. Huntley, S. (2022, March 7). An Update on the Threat Landscape. Retrieved March 16, 2022.