
G0129 Mustang Panda

Mustang Panda is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. Mustang Panda has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Europe, Mongolia, Myanmar, Pakistan, and Vietnam, among others. [4][1][2]

ID: G0129
Associated Names: TA416, RedDelta, BRONZE PRESIDENT
Version: 2.0
Created: 12 April 2021
Last Modified: 11 April 2022

Associated Group Descriptions

Name | Description
TA416 | [5]
RedDelta | [3][6]
BRONZE PRESIDENT | [2]

Techniques Used

Domain | ID | Name | Use
enterprise | T1583 | Acquire Infrastructure | -
enterprise | T1583.001 | Domains | Mustang Panda has acquired C2 domains prior to operations. [2][3][8]
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | Mustang Panda has communicated with its C2 via HTTP POST requests. [1][2][3][8]
enterprise | T1560 | Archive Collected Data | -
enterprise | T1560.001 | Archive via Utility | Mustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration. [2][7]
enterprise | T1560.003 | Archive via Custom Method | Mustang Panda has encrypted documents with RC4 prior to exfiltration. [7]
enterprise | T1119 | Automated Collection | Mustang Panda used custom batch scripts to collect files automatically from a targeted system. [2]
enterprise | T1547 | Boot or Logon Autostart Execution | -
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Mustang Panda has created the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobelmdyU to maintain persistence. [5]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.001 | PowerShell | Mustang Panda has used malicious PowerShell scripts to enable execution. [4][1]
enterprise | T1059.003 | Windows Command Shell | Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection. [1][7]
enterprise | T1059.005 | Visual Basic | Mustang Panda has embedded VBScript components in LNK files to download additional files and automate collection. [4][1][2]
enterprise | T1074 | Data Staged | -
enterprise | T1074.001 | Local Data Staging | Mustang Panda has stored collected credential files in c:\windows\temp prior to exfiltration. Mustang Panda has also stored documents for exfiltration in a hidden folder on USB drives. [2][7]
enterprise | T1573 | Encrypted Channel | -
enterprise | T1573.001 | Symmetric Cryptography | Mustang Panda has encrypted C2 communications with RC4. [3]
enterprise | T1585 | Establish Accounts | -
enterprise | T1585.002 | Email Accounts | Mustang Panda has leveraged the legitimate email marketing service SMTP2Go for phishing campaigns. [6]
enterprise | T1546 | Event Triggered Execution | -
enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | Mustang Panda's custom ORat tool uses a WMI event consumer to maintain persistence. [2]
enterprise | T1052 | Exfiltration Over Physical Medium | -
enterprise | T1052.001 | Exfiltration over USB | Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks. [7]
enterprise | T1203 | Exploitation for Client Execution | Mustang Panda has exploited CVE-2017-0199 in Microsoft Word to execute code. [4]
enterprise | T1083 | File and Directory Discovery | Mustang Panda has searched the entire target system for DOC, DOCX, PPT, PPTX, XLS, XLSX, and PDF files. [7]
enterprise | T1564 | Hide Artifacts | -
enterprise | T1564.001 | Hidden Files and Directories | Mustang Panda's PlugX variant has created a hidden folder on USB drives named RECYCLE.BIN to store malicious executables and collected data. [7]
enterprise | T1574 | Hijack Execution Flow | -
enterprise | T1574.002 | DLL Side-Loading | Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file. [1][3][5]
enterprise | T1070 | Indicator Removal on Host | -
enterprise | T1070.004 | File Deletion | Mustang Panda will delete their tools and files, and kill processes after their objectives are reached. [2]
enterprise | T1105 | Ingress Tool Transfer | Mustang Panda has downloaded additional executables following the initial infection stage. [3]
enterprise | T1036 | Masquerading | -
enterprise | T1036.005 | Match Legitimate Name or Location | Mustang Panda has used names like adobeupdate.dat and PotPlayerDB.dat to disguise PlugX, and a file named OneDrive.exe to load a Cobalt Strike payload. [3]
enterprise | T1036.007 | Double File Extension | Mustang Panda has used an additional filename extension to hide the true file type. [4][1]
enterprise | T1027 | Obfuscated Files or Information | Mustang Panda has delivered initial payloads hidden using archives and encoding measures. [4][1][2][3][5][6]
enterprise | T1027.001 | Binary Padding | Mustang Panda has used junk code within their DLL files to hinder analysis. [7]
enterprise | T1003 | OS Credential Dumping | -
enterprise | T1003.003 | NTDS | Mustang Panda has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file. Mustang Panda has also used reg save on the SYSTEM file Registry location to help extract the NTDS.dit file. [2]
enterprise | T1566 | Phishing | -
enterprise | T1566.001 | Spearphishing Attachment | Mustang Panda has used spearphishing attachments to deliver initial access payloads. [3][5][9]
enterprise | T1566.002 | Spearphishing Link | Mustang Panda has delivered web bugs and malicious links to their intended targets. [8][6]
enterprise | T1057 | Process Discovery | Mustang Panda has used tasklist /v to determine active process information. [7]
enterprise | T1219 | Remote Access Software | Mustang Panda has installed TeamViewer on targeted systems. [2]
enterprise | T1091 | Replication Through Removable Media | Mustang Panda has used a customized PlugX variant which could spread through USB connections. [7]
enterprise | T1053 | Scheduled Task/Job | -
enterprise | T1053.005 | Scheduled Task | Mustang Panda has created a scheduled task to execute additional malicious software, as well as maintain persistence. [1][2][8]
enterprise | T1518 | Software Discovery | Mustang Panda has searched the victim system for the InstallUtil.exe program and its version. [1]
enterprise | T1608 | Stage Capabilities | Mustang Panda has used servers under their control to validate tracking pixels sent to phishing victims. [6]
enterprise | T1608.001 | Upload Malware | Mustang Panda has hosted malicious payloads on DropBox including PlugX. [6]
enterprise | T1218 | System Binary Proxy Execution | -
enterprise | T1218.004 | InstallUtil | Mustang Panda has used InstallUtil.exe to execute a malicious Beacon stager. [1]
enterprise | T1218.005 | Mshta | Mustang Panda has used mshta.exe to launch collection scripts. [2]
enterprise | T1082 | System Information Discovery | Mustang Panda has gathered system information using systeminfo. [7]
enterprise | T1016 | System Network Configuration Discovery | Mustang Panda has used ipconfig and arp to determine network configuration information. [7]
enterprise | T1049 | System Network Connections Discovery | Mustang Panda has used netstat -ano to determine network connection information. [7]
enterprise | T1204 | User Execution | -
enterprise | T1204.001 | Malicious Link | Mustang Panda has sent malicious links including links directing victims to a Google Drive folder. [4][8][6]
enterprise | T1204.002 | Malicious File | Mustang Panda has sent malicious files requiring direct victim interaction to execute. [4][1][7][3][9][6]
enterprise | T1102 | Web Service | Mustang Panda has used DropBox URLs to deliver variants of PlugX. [6]
enterprise | T1047 | Windows Management Instrumentation | Mustang Panda has executed PowerShell scripts via WMI. [1][2]

Software

ID | Name | References | Techniques
S0154 | Cobalt Strike | [4][1][2][3][8] | Bypass User Account Control: Abuse Elevation Control Mechanism, Sudo and Sudo Caching: Abuse Elevation Control Mechanism, Make and Impersonate Token: Access Token Manipulation, Parent PID Spoofing: Access Token Manipulation, Token Impersonation/Theft: Access Token Manipulation, Domain Account: Account Discovery, Application Layer Protocol, DNS: Application Layer Protocol, Web Protocols: Application Layer Protocol, BITS Jobs, Browser Session Hijacking, Python: Command and Scripting Interpreter, Visual Basic: Command and Scripting Interpreter, PowerShell: Command and Scripting Interpreter, JavaScript: Command and Scripting Interpreter, Windows Command Shell: Command and Scripting Interpreter, Commonly Used Port, Windows Service: Create or Modify System Process, Standard Encoding: Data Encoding, Data from Local System, Protocol Impersonation: Data Obfuscation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Symmetric Cryptography: Encrypted Channel, Asymmetric Cryptography: Encrypted Channel, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Process Argument Spoofing: Hide Artifacts, Disable or Modify Tools: Impair Defenses, Timestomp: Indicator Removal on Host, Ingress Tool Transfer, Keylogging: Input Capture, Modify Registry, Multiband Communication, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Indicator Removal from Tools: Obfuscated Files or Information, Obfuscated Files or Information, Office Template Macros: Office Application Startup, Security Account Manager: OS Credential Dumping, LSASS Memory: OS Credential Dumping, Local Groups: Permission Groups Discovery, Domain Groups: Permission Groups Discovery, Process Discovery, Dynamic-link Library Injection: Process Injection, Process Hollowing: Process Injection, Process Injection, Protocol Tunneling, Domain Fronting: Proxy, Internal Proxy: Proxy, Query Registry, Reflective Code Loading, Windows Remote Management: Remote Services, Remote Desktop Protocol: Remote Services, SMB/Windows Admin Shares: Remote Services, Distributed Component Object Model: Remote Services, SSH: Remote Services, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Code Signing: Subvert Trust Controls, Rundll32: System Binary Proxy Execution, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, Service Execution: System Services, Pass the Hash: Use Alternate Authentication Material, Domain Accounts: Valid Accounts, Local Accounts: Valid Accounts, Windows Management Instrumentation
S0590 | NBTscan | - | Network Service Discovery, Network Sniffing, Remote System Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0013 | PlugX | - | DNS: Application Layer Protocol, Web Protocols: Application Layer Protocol, Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution, Windows Command Shell: Command and Scripting Interpreter, Commonly Used Port, Windows Service: Create or Modify System Process, Deobfuscate/Decode Files or Information, Symmetric Cryptography: Encrypted Channel, File and Directory Discovery, Hidden Files and Directories: Hide Artifacts, DLL Search Order Hijacking: Hijack Execution Flow, DLL Side-Loading: Hijack Execution Flow, Ingress Tool Transfer, Keylogging: Input Capture, Masquerade Task or Service: Masquerading, Match Legitimate Name or Location: Masquerading, Modify Registry, Multiband Communication, Native API, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information, Process Discovery, Query Registry, Screen Capture, System Network Connections Discovery, MSBuild: Trusted Developer Utilities Proxy Execution, System Checks: Virtualization/Sandbox Evasion, Dead Drop Resolver: Web Service
S0012 | PoisonIvy | - | Application Window Discovery, Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution, Active Setup: Boot or Logon Autostart Execution, Windows Command Shell: Command and Scripting Interpreter, Windows Service: Create or Modify System Process, Data from Local System, Local Data Staging: Data Staged, Symmetric Cryptography: Encrypted Channel, Ingress Tool Transfer, Keylogging: Input Capture, Modify Registry, Obfuscated Files or Information, Dynamic-link Library Injection: Process Injection, Rootkit
S0662 | RCSession | - | Bypass User Account Control: Abuse Elevation Control Mechanism, Web Protocols: Application Layer Protocol, Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution, Windows Command Shell: Command and Scripting Interpreter, Data from Local System, Encrypted Channel, DLL Side-Loading: Hijack Execution Flow, File Deletion: Indicator Removal on Host, Ingress Tool Transfer, Keylogging: Input Capture, Masquerading, Modify Registry, Native API, Non-Application Layer Protocol, Obfuscated Files or Information, Process Discovery, Process Hollowing: Process Injection, Screen Capture, Msiexec: System Binary Proxy Execution, System Information Discovery, System Owner/User Discovery
