Chinese hacker Mustang Panda deploy new Hodur malware around

Mustang Panda group releases new variant of the malware with similar tricks from older threats

Mustang Panda linked to ongoing cyberespionage attacks with particular targets in East and Southeast Asia

China-based advanced persistent threat group Mustang Panda has been related to various cyberespionage attacks in recent years. Now threat actors release a new model of the Hodur malware that is resembling the previous creation Korplug or PlugX that was used since July 2021.^[1] Researchers^[2] report the new campaign and note that most of the victims are found in East and Southeast Asia.

Eset research team states that other victims located in Europe – Greece, Russia, Cyprus, and Africa. This cyber espionage^[3] campaign potentially dates back to August 2021 and was reportedly still active to this month. The hacker group is known for targeting particular government-related organizations and NGO groups. There are reports on particular victims and those include internet service providers and research entities.

The campaign uses the popularity of events in Ukraine, and the chain of compromise used the particular war in Ukraine, other events in Europe as the trick to spread the malware further. Custom loader with the execution file for Hodur – the new Korplug version got implemented here.

Special deployment and anti-analysis techniques

The latest campaign relies on the compromise chain using the ever-evolving stack of decoy documents. These pieces pertain to popular events and lure people. These hackers have already used COVID-19 as the trick and released a phishing campaign encouraging people to update travel restrictions and approve the regional aid map. It was related to Greece and a Regulation of the European Parliament.

The APT group that uses these methods is focusing on ongoing events and affairs to successfully get reactions to their emails and messages to carry out the further attack. Every stage of the malware deployment has anti-analysis methods implemented. As well as the control-flow obfuscation that is a different feature when compared to previous campaigns and attacks.^[4] Nevertheless, many similarities allow researchers to attribute the campaign with the advanced group Mustang Panda.

Code similarities and other attributing factors between the campaigns and malware

The malware deployed in the campaign has many features to the THOR variant, and researchers named it Hodur.^[5] Those include the use of the same keys, format for command and control servers, configurations, the use of static window class.

The infection is created with functions and abilities to run commands. Threat actors can enable the implant to collect extensive data about the system, read to write the arbitrary files, execute commands. The malware can launch remove cmd.exe session on the targeted system too.

The new campaign seems to have the same target verticals too. Most of the victims that this APT aims at are located in East and Southeast Asia. The vast majority of the targets are located in Mongolia in Vietnam, Myanmar. Mustang Panda even uses custom loaders and is known for creating these various versions of the Korplug malware. The slight change with the anti-analysis techniques, however, makes it more difficult for malware researchers to investigate these malware pieces.