Hackers based in China are conducting a spearphishing campaign, by delivering custom malware to government, research, and academic organizations all over the world. The cyberattacks have been led by a group called Mustang Panda, and they deliver the malware via Google Drive, according to Bleeping Computer.

Cyberattack Details

The Chinese hackers used messages that contain geopolitical subjects, with the majority of 84% directed at government or legal organizations. The hackers use Google accounts to send an email that contains the custom malware. They usually target countries like Australia, Japan, Taiwan, Myanmar, and the Philippines. 

Its embedded links appear to lead to Google Drive or Dropbox folders, which helps them get past security measures that flag suspicious content. Upon clicking the link, the receiver of the email will download compressed files in the form of RAR, ZIP, or JAR. The malware strains within the files are ToneShell, ToneIns, and PubLoad.

They also try to evade investigations by placing the real victim's email in the "CC" header, rather than the "To" header, which they fill out with a fake email. Usually, the malware side-loads an infected DLL, which occurs after an executable file from the archive is launched. A false document will be displayed as the malware runs in the background.

Among the three malware strains, PubLoad acts as a stager, which creates persistence in the system. This is done using registry keys and executing scheduled tasks, decrypting shellcode, and handling command and control communications. Mustang Panda has improved on the malware, having better anti-analysis mechanisms.

ToneIns functions as an installer, which launches ToneShell. The latter is the main backdoor used for the hack. Reports say that ToneIns uses obfuscation to work under the radar, while ToneShell spreads further into an already compromised system. This also goes for ToneShell, by using custom exception handlers.

Upon establishing a connection with the command and control communications, ToneShell will send a package to the hacker with the ID data of the victim. The commands will allow the upload, download, and execution of files. This makes intranet data exchange possible, which can change sleeping configuration among others. 

Read Also: Australian Government Agencies are Targeted by Chinese Hackers Using ScanBox Malware

Mustang Panda Targets

Many countries have already fallen victim to the hacker group. In early 2022, Mustang Panda used topics that relate to the European Union (EU) as a lure. It was said to contain a supposed EU report about state aid to Greece, spanning from 2022 to 2027. They also used a press release regarding the union's human rights priorities, as mentioned in Talos Intelligence.

The hackers took advantage of the conflict between Russia and Ukraine, using it as a lure to launch PlugX, which appeared as a report coming from the European Union's general secretary. They persisted with this angle, launching another one on February 28, and then again in March, with false claims regarding reports about the European borders.

Back in May 2016, it also set up campaigns targeting victims from the US. They used lures like the US Assistant Secretary of State visiting ASEAN countries in 2021. Mustang Panda also used other topics like Biden's attitude toward Myanmar's situation. Although instead of PlugX, they just used stagers as the final payload.

Related: Google Says Chinese Hacking Group is Targeting Russian Government Agencies