Chinese Hackers Target ASEAN in Past 3 Months

Two China-linked APT groups have been actively attacking entities and countries connected to the Association of Southeast Asian Nations (ASEAN). The activity is part of a cyber-espionage campaign that has lasted at least three months. One of the groups, known as Mustang Panda, was seen in cyber attacks against Myanmar and other Asian countries, using a PlugX malware variant called DOPLUGS.

Mustang Panda, also tracked under names such as Camaro Dragon, Earth Preta, and Stately Taurus, sent phishing emails to distribute malware in Myanmar, the Philippines, Japan, and Singapore. These actions coincided with the special ASEAN-Australia summit, which indicates that the attacks were deliberately targeted.

Analysts at Palo Alto Networks reported two types of malware being distributed. The first is a ZIP file containing the executable “Talking_points_For_china.exe”, which on launch loads the malicious library “Keyscramblerie.dll”, ultimately activating the PUBLOAD malware, often used by Mustang Panda hackers.

The second is the file Note PSO.SCR, which retrieves malicious code from a remote address, including a signed program, Windowsupdate.exe, that bears the signature of a large video game maker.

In addition, network traffic was found between an ASEAN-related entity and the command-and-control infrastructure of a second Chinese APT group, indicating a possible compromise of that entity's systems. This group, which also attacked Cambodia, has not yet been identified by researchers.

Chinese cybercriminals have recently been as active and sophisticated as ever. In particular, a new Chinese cyber threat actor called Earth Krahang, which recently attacked 116 targets in 45 countries, attracts special attention. In its attacks, the group used targeted phishing and vulnerabilities in Openfire and Oracle servers to deliver specialized malware such as PlugX, ShadowPad, RESHELL, and DinodasRAT.

The group's activity shows a strong focus on Southeast Asia and overlaps with another actor known as Earth Lusca; both may be controlled by the same person associated with the Chinese contractor I-Soon.
