Mustang Panda's Hodur: Old tricks, new Korplug variant


ESET researchers have discovered Hodur, a previously undocumented Korplug variant spread by Mustang Panda, that uses phishing lures referencing current events in Europe, including the invasion of Ukraine

ESET researchers discovered a still-ongoing campaign using a previously undocumented Korplug variant, which they named Hodur because of its resemblance to the THOR variant previously documented by Unit 42 in 2020. In Norse mythology, Hodur is Thor's blind half-brother, who is tricked by Loki into killing their half-brother Baldr.

Key findings in this blogpost:

  • As of March 2022, this campaign is still ongoing and goes back to at least August 2021.
  • Known victims include research entities, internet service providers, and European diplomatic missions.
  • The compromise chain includes decoy documents that are frequently updated and relate to events in Europe.
  • The campaign uses a custom loader to execute a new Korplug variant.
  • Every stage of the deployment process uses anti-analysis techniques and control-flow obfuscation, which sets it apart from other campaigns.
  • ESET researchers provide an in-depth analysis of the capabilities and commands of this new variant.

Victims of this campaign are likely lured with phishing documents abusing the latest events in Europe, such as Russia's invasion of Ukraine. The invasion resulted in more than three million residents fleeing the war to neighboring countries, leading to an unprecedented crisis on Ukraine's borders. One of the filenames related to this campaign is Situation at the EU borders with Ukraine.exe.

Other phishing lures mention updated COVID-19 travel restrictions, an approved regional aid map for Greece, and a Regulation of the European Parliament and of the Council. The last one is a real document available on the European Council's website. This shows that the APT group behind this campaign is following current affairs and is able to react to them successfully and swiftly.

Figure 1. Countries affected by Mustang Panda in this campaign

Affected countries:

  • Mongolia
  • Vietnam
  • Myanmar
  • Greece
  • Russia
  • Cyprus
  • South Sudan
  • South Africa

Affected verticals:

  • Diplomatic missions
  • Research entities
  • Internet service providers (ISP)

Analysis

Based on code similarities and the many commonalities in Tactics, Techniques, and Procedures (TTPs), ESET researchers attribute this campaign with high confidence to Mustang Panda (also known as TA416, RedDelta, or PKPLUG). It is a cyberespionage group mainly targeting governmental entities and NGOs. Its victims are mostly, but not exclusively, located in East and Southeast Asia, with a focus on Mongolia. The group is also known for its campaign targeting the Vatican in 2020.

While we haven't been able to identify the verticals of all victims, this campaign seems to have the same targeting objectives as other Mustang Panda campaigns. Following the APT's typical victimology, most victims are located in East and Southeast Asia, along with some in European and African countries. According to ESET telemetry, the vast majority of targets are located in Mongolia and Vietnam, followed by Myanmar, with only a few in the other affected countries.

Mustang Panda's campaigns frequently use custom loaders for shared malware including Cobalt Strike, Poison Ivy, and Korplug (also known as PlugX). The group has also been known to create its own Korplug variants. Compared to other campaigns using Korplug, every stage of the deployment process here uses anti-analysis techniques and control-flow obfuscation.

This blogpost contains a detailed analysis of the previously unseen Korplug variant used in this campaign. This activity is part of the same campaign recently covered by Proofpoint, but we provide additional historical and targeting information.

Toolset

Mustang Panda is known for its elaborate custom loaders and Korplug variants, and the samples used in this campaign showcase this perfectly.

Compromise chains observed in this campaign follow the typical Korplug pattern: a legitimate, validly signed executable vulnerable to DLL search-order hijacking, a malicious DLL, and an encrypted Korplug file are deployed on the target machine. The executable is abused to load the module, which then decrypts and executes the Korplug RAT. In some cases, a downloader is used first to deploy these files along with a decoy document. This process is illustrated in Figure 2.

Figure 2. Overview of the deployment process for the Hodur Korplug variant.

What sets this campaign apart is the heavy use of control-flow obfuscation and anti-analysis techniques at every stage of the deployment process. The following sections describe the behavior of each stage and take a deeper look at the defense evasion techniques used in each of them.

Initial access

We haven't been able to observe the initial deployment vector, but our analysis points to phishing and watering hole attacks as likely vectors. In instances where we observed a downloader, the filenames used suggest a document with a subject of interest to the target. Examples include:

  • COVID-19 travel restrictions EU reviews list of third countries.exe
  • State_aid__Commission_approves_2022-2027_regional_aid_map_for_Greece.exe
  • REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL.exe
  • Situation at the EU borders with Ukraine.exe

To further the illusion, these binaries download and open a document that has the same name but with a .doc or .pdf extension. The contents of these decoys accurately reflect the filename. As shown in Figure 3, at least one of them is a publicly accessible, legitimate document from the European Parliament.

Figure 3. First page of the decoy document for the REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL.exe downloader. It is a real document available on the European Council's website.

Downloader

Although its complexity has increased over the course of the campaign, the downloader is fairly simple. The added complexity comes from additional anti-analysis techniques, which we cover later in this section.

It first downloads four files over HTTPS: a decoy document, a legitimate executable, a malicious module and an encrypted Korplug file. The combination of the last three components to execute a payload via DLL side-loading is sometimes referred to as a trident; it is a technique commonly used by Mustang Panda, and with Korplug loaders in general. Both the server addresses and file paths are hardcoded in the downloader executable. Once everything is downloaded, and the decoy document opened to distract the victim, the downloader uses the following command line to launch the legitimate executable:

cmd /c ping 8.8.8.8 -n 70&&"%temp%\<legitimate executable>"

This ping command both checks internet connectivity and introduces a delay (via the -n 70 option, i.e., 70 echo requests, roughly 70 seconds) before executing the downloaded, legitimate executable. The `&&` means the executable only runs if ping succeeds, so the chain stalls on an offline sandbox.

The downloader uses several anti-analysis techniques, many of which are also used in the loader and final payload. Additional obfuscation has been added to new versions over the course of the campaign without otherwise changing their purpose.

In early versions of the downloader, junk code and opaque predicates were used to hinder analysis, as shown in Figure 4, but the server and filenames are plainly visible in cleartext.

Figure 4. Control flow obfuscation in early versions of the downloader

In later versions, the files on the server are RC4 encrypted, using the base-10 string representation of the file size as the key, and then hex-encoded. This process is illustrated in the Python snippet below. The opposite operations are performed client-side by the downloader to recover the plaintext files. This is likely done to bypass network-level protections. Note that RC4 does not change the length of the data, so the key can be derived from the length of the captured ciphertext alone; such files can therefore be decrypted without the downloader.

from Crypto.Cipher import ARC4   # pycryptodome

plaintext = b"sample file contents"    # the file to be served, as bytes (constructed placeholder)
key = b"%d" % len(plaintext)           # base-10 string of the file size is the RC4 key
rc4 = ARC4.new(key)
cipher_content = rc4.encrypt(plaintext).hex().upper()

These versions replace the cleartext strings with encrypted stack strings. They are still hardcoded in the file, but the obfuscation surrounding them, and the use of different keys, makes it hard to decrypt them statically in an automated manner. This same technique is used heavily in the subsequent stages. Encrypted stack strings are also used to obfuscate calls to Windows API functions.

First, the name of the target function is decrypted and passed to a resolver function. This function obtains a pointer to the InMemoryOrderModuleList field of the PEB (Process Environment Block). It then iterates over the loaded modules, passing each module handle to GetProcAddress along with the function name until the target function is successfully resolved. Part of this process can be seen in Figure 5.

Figure 5. Obfuscation of Windows API calls in the downloader. The screenshot shows a call to WriteFile, but the same pattern is used for all API functions.

Loader

As is common with Korplug, the loader is a DLL that exploits a side-loading vulnerability in a legitimate, signed executable. We have observed many different applications being abused in this campaign, for instance a vulnerable SmadAV executable previously seen by Qurium in a campaign attributed to Mustang Panda that targeted Myanmar.

The loader exports multiple functions. The exact list varies depending on the abused application, but in all cases only one of them does anything of consequence. In all the loaders we observed, this is the exported function with the highest load address. All the other exports, and the library's entry point, either return immediately or execute some do-nothing junk code. Many of these exports have names that consist of random lowercase letters and point to the same address, as shown in Table 1.

Table 1. Functions exported by a Hodur loader. The createSystemFontsUsingEDL export is the one that loads the final malware stage in this version.

| Name | Ordinal | Function RVA |
|---|---|---|
| CreatePotPlayerExW | 1 | 0x00007894 |
| RunPotPlayer | 2 | 0x000166A5 |
| createSystemFontsUsingEDL | 3 | 0x00016779 |
| gGegcerhwyvxtkrtyawvugo | 4 | 0x00007894 |
| liucigvyworf | 5 | 0x00007639 |
| ojohjinbgdfqtcwxojeusoneslciyxtiyjuieaugadjpd | 6 | 0x000077CA |
| soeevhiywsypipesxfhgxboleahfwvlqcqp | 7 | 0x00007894 |
| srkeqffanuhiuwahbmatdurggpffhbkcpukyxgxmosn | 8 | 0x00007894 |
| thggvmrv | 9 | 0x00007701 |

The loader function obtains the directory from which the DLL is running using GetModuleFileNameA and tries to open the encrypted Korplug file it contains. That filename is hardcoded in the loader. It reads the file's contents into a locally allocated buffer and decrypts it. The loader makes this buffer executable using VirtualProtect before calling into it at offset 0x00.

Windows API function calls are obfuscated with a different technique than the one used in the downloader. Unlike the downloader, which carries the names of the API functions it resolves (Figure 5), the loader binary holds only 64-bit hashes of the Windows API functions it calls; the loader's own exports do keep their names, as shown in Table 1 above. To resolve these functions, the loader traverses the export lists of all loaded libraries via the InMemoryOrderModuleList of the PEB. Each export's name is hashed, then compared to the expected value. The FNV-1a hash algorithm, recently brought back into the mainstream by the Sunburst backdoor, has previously been used by Mustang Panda, in Korplug loaders documented by XORHEX, to resolve GetProcAddress and LoadLibraryA, although it was not identified by name in that analysis. In this version, however, it is used for all API functions.
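The hash-based resolution described above, as an added example that is neither ESET's code nor the loader's: it implements standard 64-bit FNV-1a and resolves hashes the way an analyst labels hashed imports, by precomputing the hash of every candidate export name and looking the loader's constants up in that table. The loader's exact parameters (offset basis, prime, name case, string encoding) are not given in this post, so the standard FNV-1a constants and raw ASCII names are assumed; the export lists are constructed for the demo rather than read from real modules.

```python
# Added example, not ESET's or the loader's code. Standard 64-bit FNV-1a constants and
# raw ASCII export names are assumed; the malware's exact parameters are not stated above.

FNV64_OFFSET_BASIS = 0xCBF29CE484222325
FNV64_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1


def fnv1a_64(data: bytes) -> int:
    """Standard 64-bit FNV-1a: XOR each byte into the state, then multiply by the prime."""
    h = FNV64_OFFSET_BASIS
    for byte in data:
        h ^= byte
        h = (h * FNV64_PRIME) & MASK64
    return h


# Constructed stand-in for the export tables the loader walks via the PEB's
# InMemoryOrderModuleList. A real tool would read them from the DLLs on disk or in memory.
EXPORTS_BY_MODULE = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualProtect",
                     "WriteFile", "GetModuleFileNameA"],
    "ntdll.dll": ["RtlDecompressBuffer", "NtAllocateVirtualMemory"],
}


def build_hash_table(exports_by_module: dict) -> dict:
    """Map hash -> (module, export name) for every candidate name."""
    table = {}
    for module, names in exports_by_module.items():
        for name in names:
            table[fnv1a_64(name.encode("ascii"))] = (module, name)
    return table


def resolve_hashes(hashes, table: dict) -> list:
    """Return (module, name) for each hash, or None when no candidate matched."""
    return [table.get(h) for h in hashes]


if __name__ == "__main__":
    table = build_hash_table(EXPORTS_BY_MODULE)
    # Hashes as an analyst would copy them out of the loader; computed here for the demo.
    wanted = [fnv1a_64(b"VirtualProtect"), fnv1a_64(b"GetProcAddress"), 0xDEADBEEFDEADBEEF]
    for h, hit in zip(wanted, resolve_hashes(wanted, table)):
        print(f"{h:016X} -> {hit}")
```

Because the loader compares against hashes of exported names from every loaded module, the candidate list should be built from the export tables of the DLLs the abused application actually loads; a miss (None above) usually means the name list is incomplete or the hash parameters differ from the standard ones.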

Korplug backdoor

Korplug (also known as PlugX) is a RAT used by multiple APT groups. Despite it being so widely used, or perhaps because of it, few reports extensively describe its commands and the data it exfiltrates. Its functionality is not constant between variants, but there does seem to be a significant overlap in the list of commands between the version we analyzed and other sources such as the Avira report from January 2020 and the plugxdecoder project on GitHub.

As previously mentioned, the variant used in this campaign bears many similarities to the THOR variant, which is why we have named it Hodur. The similarities include the use of the Software\CLASSES\ms-pu registry key, the same format for C&C servers in the configuration, and use of the Static window class.

As expected for Korplug payloads, this stage is only ever decrypted in memory by the loader. Only the encrypted version is written to disk, in a file with a .dat extension.

Unless stated otherwise, all hardcoded strings discussed in this section are stored as encrypted stack strings.

In this module, Windows API functions are obfuscated via a combination of the techniques used in the previous stages. LoadLibraryA and GetProcAddress are resolved via the FNV-1a hashing technique, and stack strings are decrypted and passed to them to obtain the target function.

Loading

Once decrypted, the payload is a valid DLL that exports a single function. In almost all observed samples from this campaign, this function is named StartProtect. However, launching it directly via this export or its entry point will not execute the main payload, and the loading process is quite intricate.

As explained in the previous section, the file is decrypted in memory as a continuous blob by the loader and execution begins at offset 0x00. The PE header contains shellcode, shown in Figure 6, that calls a specific offset corresponding to the module's single export.

Figure 6. Shellcode in the PE header that calls the exported function

This function parses the PE blob in memory and manually maps it as a library into a newly allocated buffer. This includes mapping the various sections, resolving imports and, finally, calling the DLL entry point with DLL_PROCESS_ATTACH. Once again, opaque predicates and junk code are used to obfuscate the purpose of this function.

The entry point of the properly loaded library is then called with the non-standard value of 0x04 for the fdwReason parameter (only values from 0x00 to 0x03 are currently defined). This specific value is required to get it to execute its main payload. This simple check prevents the RAT from being trivially executed directly with a generic tool like rundll32.exe, which only ever passes the defined values.

The backdoor first decrypts its configuration using the string 123456789 as a repeating XOR key. Once decrypted, the configuration block starts with ########. The format of the configuration varies slightly between samples, but all of them contain at least the following fields:

  • Installation directory name. Also used as the name of the registry key created for persistence. This value roughly corresponds to the name of the abused application with three random letters appended (e.g., FontEDLZeP or AdobePhotosGQp)
  • Mutex name
  • A value that is either a version or ID string
  • List of C&C servers. Each entry includes IP address, port number, and a number indicating the protocol to use with that C&C

The backdoor then checks the path from which it is running using GetModuleFileNameW. If this matches %userprofile%\<installation directory> or %allusersprofile%\<installation directory>, the RAT functionality is executed. Otherwise, it goes through the installation process.
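The configuration decryption described above, as an added example that is neither ESET's nor the malware's code: repeating-key XOR with 123456789, a check for the ######## marker, and the known-plaintext shortcut the fixed marker hands an analyst, namely that XORing the first eight ciphertext bytes with ######## recovers the first eight key bytes of any sample, including one whose key was changed. The configuration bytes are constructed for the demo, and the NUL-separated field layout after the marker is invented for illustration; it does not follow a real sample.

```python
# Added example, not ESET's or the malware's code. The configuration below is constructed;
# its field layout after the marker is invented for the demo.

CONFIG_XOR_KEY = b"123456789"
CONFIG_MARKER = b"########"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. The same call both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_config(blob: bytes, key: bytes = CONFIG_XOR_KEY) -> bytes:
    """Decrypt a configuration blob and reject anything that lacks the ######## marker."""
    plain = xor_repeating(blob, key)
    if not plain.startswith(CONFIG_MARKER):
        raise ValueError("not a Hodur configuration block: marker missing after XOR")
    return plain


def recover_key_prefix(blob: bytes) -> bytes:
    """Known plaintext: the first 8 bytes must decrypt to ########, so XORing them with the
    marker yields the first 8 key bytes without knowing the key at all."""
    return xor_repeating(blob[: len(CONFIG_MARKER)], CONFIG_MARKER)


# Constructed sample: marker followed by NUL-separated strings (demo layout only).
SAMPLE_PLAINTEXT = (
    CONFIG_MARKER
    + b"FontEDLZeP\x00"              # installation directory / Run key name
    + b"Global\\demo-mutex\x00"      # mutex name
    + b"1.0\x00"                     # version or ID string
    + b"203.0.113.10:443:1\x00"      # C&C entry: IP, port, protocol selector
)
SAMPLE_BLOB = xor_repeating(SAMPLE_PLAINTEXT, CONFIG_XOR_KEY)

if __name__ == "__main__":
    print(recover_key_prefix(SAMPLE_BLOB))                    # first 8 key bytes
    print(decrypt_config(SAMPLE_BLOB)[len(CONFIG_MARKER):].split(b"\x00"))
```

When a sample does not decrypt with 123456789, recover_key_prefix is the first thing to try: eight of the nine key bytes fall out of the marker, and the ninth can be brute-forced against any printable-looking field.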

Installation

To install itself, the malware creates the aforementioned directory under %allusersprofile%. Using SetFileAttributesW, it then marks the directory as hidden and system. The vulnerable executable, loader module, and encrypted Korplug file are copied to the new directory.

Next, persistence is established. Earlier samples achieved this by creating a scheduled task to be run at boot via schtasks.exe. Newer samples add a registry entry under Software\Microsoft\Windows\CurrentVersion\Run, trying the HKLM hive first, then HKCU. This entry has the same name as the installation directory, with its value set to the newly copied executable's path.

Once persistence has been set up, the malware launches the executable from its new location and exits.

RAT

The RAT functionality of the Hodur variant used in this campaign mostly lines up with other Korplug variants, with some additional commands and characteristics. As we have previously stated, though, detailed analyses of Korplug commands are few and far between, so we aim to provide such an analysis in the hope of helping future analysts.

When in this mode, the backdoor iterates through the list of C&C servers in its configuration until it reaches the end or receives an Uninstall command. For each of those servers, it processes commands until it receives a Stop command or encounters an error.

Hodur's initial handshake can be done over HTTPS or TCP. This is determined by a value in the configuration for that particular C&C server. Subsequent communication is always done over TCP using a custom protocol that we describe in this section, along with the commands that can be issued. Hodur uses sockets from the Windows Sockets API (Winsock) that support overlapped I/O.

Following the initial handshake, Hodur's communications consist of TCP messages that contain a header, with the structure described in Table 2, followed by a message body that is usually compressed using LZNT1 and always encrypted with RC4. Messages whose Command number header field has the 0x10000000 bit set (those that carry file contents for the ReadFile and WriteFile commands, described in Table 5) have encrypted but not compressed message bodies. All encrypted message bodies use the hardcoded key sV!e@T#L$PH% with a four-byte random nonce (the value at offset 0x00 in the header) appended to it.

Table 2. Header format used for communication between the C&C and the backdoor

| Offset | Field | Description |
|---|---|---|
| 0x00 | Nonce | Random nonce appended to the RC4 key. |
| 0x04 | Command number | Indicates the command to run or the command that caused this response to be sent. |
| 0x08 | Length of body | Size of the message body. This field does not appear to be checked by the client for messages from the C&C server. |
| 0x0C | Command exit status | The return or error value of the command that was run. This field is not checked by the client in messages received from the C&C server. |

Hodur's C&C message headers are transmitted in the clear, followed by variably sized message bodies (the size is the value at offset 0x08 of the header). The format of the message body varies per command, but once decrypted and decompressed, values of variable length (like strings) are always at the end of the message body and their offset in the body is stored as an integer in the corresponding message field.
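One added example (not ESET's code) that covers two passages: the RC4-and-hex encoding of files on the download server described in the Downloader section, and the header and body format of Table 2. It uses a pure-Python RC4 so it runs without pycryptodome. Assumptions not stated in this post: header fields are little-endian, the nonce is appended to the key as raw bytes, and the captured message shown is constructed. LZNT1 decompression of non-file bodies is not implemented here; on Windows, ntdll's RtlDecompressBuffer with COMPRESSION_FORMAT_LZNT1 handles that step.

```python
import struct

# Added example, not ESET's code. Little-endian header fields and a raw-byte nonce appended to
# the key are assumed; the sample message below is constructed.

RC4_KEY = b"sV!e@T#L$PH%"
FILE_DATA_FLAG = 0x10000000           # set on ReadFile/WriteFile data messages: RC4 only, no LZNT1
HEADER = struct.Struct("<4sIII")      # nonce, command number, body length, exit status (Table 2)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus keystream XOR. Encrypt and decrypt are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_served_file(plaintext: bytes) -> str:
    """Server side of the downloader scheme: RC4 keyed with the decimal file size, then hex."""
    return rc4(str(len(plaintext)).encode(), plaintext).hex().upper()


def decode_served_file(hex_text: str) -> bytes:
    """Client side. RC4 preserves length, so the key comes from the ciphertext itself."""
    ciphertext = bytes.fromhex(hex_text)
    return rc4(str(len(ciphertext)).encode(), ciphertext)


def build_message(nonce: bytes, command: int, body_plain: bytes, status: int = 0) -> bytes:
    """Wrap a body (already LZNT1-compressed if the command requires it) in a Table 2 header."""
    body = rc4(RC4_KEY + nonce, body_plain)
    return HEADER.pack(nonce, command, len(body), status) + body


def parse_message(raw: bytes) -> dict:
    """Split a captured message into its header fields and the RC4-decrypted body."""
    nonce, command, body_len, status = HEADER.unpack_from(raw, 0)
    body = rc4(RC4_KEY + nonce, raw[HEADER.size:HEADER.size + body_len])
    return {
        "nonce": nonce,
        "command": command,
        "status": status,
        "body": body,
        # File-data bodies are plain after RC4; every other body still needs LZNT1 decompression.
        "needs_lznt1": not (command & FILE_DATA_FLAG),
    }


# Constructed traffic: a file-data chunk (0x10003005) as sent in response to ReadFile.
SAMPLE_NONCE = b"\x11\x22\x33\x44"
SAMPLE_MESSAGE = build_message(SAMPLE_NONCE, 0x10003005, b"MZ\x90\x00 first chunk of a read file")

if __name__ == "__main__":
    hex_file = encode_served_file(b"decoy document bytes")
    print(hex_file, "->", decode_served_file(hex_file))
    print(parse_message(SAMPLE_MESSAGE))
```

Because the nonce is sent in the clear and the base key is fixed, a full-packet capture is enough to decrypt every Hodur session offline; the only extra work for non-file messages is the LZNT1 step.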

Like the version described by Avira, Hodur has two groups of commands (0x1001 and 0x1002), each with its own handler. The C&C server selects which group to listen for by sending the corresponding ID as the command number when a client is not already in one of the two modes. The client continues to listen for the same group until it receives the Stop command or an error occurs (including receiving a message with an invalid Command number in its header).

The first group, 0x1001, contains commands for managing the execution of the backdoor and doing initial reconnaissance on a newly compromised host. As these commands take no arguments, messages sent by the C&C server consist only of the headers. Table 3 lists these commands. The GetSystemInfo command is described in more detail below. Note that no command names are present in the RAT; they were either taken from previous analyses or provided by us.

Table 3. Commands in group 0x1001

| ID | Name | Description | Data in client response |
|---|---|---|---|
| 0x1000 | Ping | Sent by the client when it starts listening for commands from this group. | Between 0 and 64 random bytes |
| 0x1001 | GetSystemInfo | Get information about the system. | See Table 4 |
| 0x1002 | ListenThread | Start a new thread that listens for group 0x1002 commands. | None |
| 0x1004 | ResetConnection | Terminate with WSAECONNRESET. | N/A |
| 0x1005 | Uninstall | Delete persistence registry keys, remove itself and created folders. | None |
| 0x1007 | Stop | Set registry key System\CurrentControlSet\Control\Network\allow to 1 and exit. | N/A |

The GetSystemInfo command collects extensive information about the system, as detailed in Table 4. If it does not already exist, the Software\CLASSES\ms-pu\CLSID registry key is set to the current timestamp, trying HKLM first then HKCU. The value of this key is then sent in the response.

Table 4. Response body format for the GetSystemInfo response

| Offset | Value |
|---|---|
| 0x00 | Magic bytes 0x20190301 |
| 0x04 | Client IP address of the C&C socket |
| 0x08 | Server IP address of the C&C socket |
| 0x0C | RAM in KB |
| 0x10 | CPU clock rate in MHz |
| 0x14 | Display width in pixels |
| 0x18 | Display height in pixels |
| 0x1C | Default locale |
| 0x20 | Current tick count |
| 0x24 | OS major version |
| 0x28 | OS minor version |
| 0x2C | OS build number |
| 0x30 | OS platform ID |
| 0x34 | Service pack major version |
| 0x36 | Service pack minor version |
| 0x38 | Suite mask |
| 0x3A | Product type |
| 0x3C | 0x01 if the process is running as WOW64 |
| 0x40 | System time: year |
| 0x42 | System time: month |
| 0x44 | Timestamp of first run (offset) |
| 0x46 | Service pack version string (offset) |
| 0x48 | Unknown |
| 0x4A | Username (offset) |
| 0x4C | Computer name (offset) |
| 0x4E | Mutex name (offset) |
| 0x50 | Unknown |
| 0x52 | List of machine IP addresses (offset) |
| 0x54 | Always two 0x00 bytes |
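A parser for the Table 4 layout, as an added example (not ESET's code), with a builder that produces a body from chosen values so the parser can be exercised offline. Assumptions not stated above: fields are little-endian (4-byte fields from 0x00 to 0x30 and at 0x3C, 2-byte fields elsewhere), and the fields marked (offset) are 16-bit offsets from the start of the body to NUL-terminated strings. All values in the sample body are constructed.

```python
import struct

# Added example, not ESET's code. Little-endian fields and NUL-terminated strings at the
# 16-bit offsets are assumed; the sample body is constructed.

MAGIC = 0x20190301
# 0x00-0x30: 13 dwords; 0x34-0x3A: 4 words; 0x3C: 1 dword; 0x40-0x54: 11 words (0x54 is always 0).
FIXED = struct.Struct("<13I4HI11H")       # 0x56 bytes of fixed fields
FIELDS = [
    "magic", "client_ip", "server_ip", "ram_kb", "cpu_mhz", "display_width", "display_height",
    "locale", "tick_count", "os_major", "os_minor", "os_build", "platform_id",
    "sp_major", "sp_minor", "suite_mask", "product_type",
    "wow64",
    "year", "month", "first_run_off", "sp_string_off", "unknown_48", "username_off",
    "computer_name_off", "mutex_name_off", "unknown_50", "ip_list_off", "terminator",
]
STRINGS = {                               # decoded value name -> field that holds its offset
    "first_run": "first_run_off", "sp_string": "sp_string_off", "username": "username_off",
    "computer_name": "computer_name_off", "mutex_name": "mutex_name_off", "ip_list": "ip_list_off",
}


def read_cstring(body: bytes, offset: int) -> str:
    end = body.index(b"\x00", offset)
    return body[offset:end].decode("latin-1")


def parse_system_info(body: bytes) -> dict:
    """Decode the fixed part, validate the magic, then pull in each offset-referenced string."""
    info = dict(zip(FIELDS, FIXED.unpack_from(body, 0)))
    if info["magic"] != MAGIC:
        raise ValueError(f"bad magic 0x{info['magic']:08X}")
    for name, off_field in STRINGS.items():
        info[name] = read_cstring(body, info[off_field])
    return info


def build_system_info(fixed: dict, strings: dict) -> bytes:
    """Inverse of parse_system_info, for building test bodies: strings go after the fixed part."""
    values = dict.fromkeys(FIELDS, 0)
    values.update(fixed)
    values["magic"] = MAGIC
    tail = b""
    for name, off_field in STRINGS.items():
        values[off_field] = FIXED.size + len(tail)
        tail += strings.get(name, "").encode("latin-1") + b"\x00"
    return FIXED.pack(*(values[f] for f in FIELDS)) + tail


# Constructed sample response body.
SAMPLE_BODY = build_system_info(
    {"ram_kb": 8_388_608, "os_major": 10, "os_build": 19044, "year": 2022, "month": 3},
    {"first_run": "1646092800", "username": "analyst", "computer_name": "DESKTOP-01",
     "mutex_name": "FontEDLZeP", "ip_list": "10.0.0.5"},
)

if __name__ == "__main__":
    for key, value in parse_system_info(SAMPLE_BODY).items():
        print(f"{key:18} {value!r}")
```

Feed parse_system_info the RC4-decrypted and LZNT1-decompressed body of a 0x1001 response; the magic check is the quickest way to confirm the decryption and decompression steps were right before trusting any field.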

The 0x1002 group contains commands that provide RAT functionality, as detailed in Table 5. Some of these take parameters provided in the command's message body. The FindFiles command is described in more detail below. Again, note that no command names are present in the RAT; they were either taken from previous analyses or provided by us.

Table 5. Commands in group 0x1002

| ID | Name | Description | Data in C&C request | Data in client response |
|---|---|---|---|---|
| 0x1002 | Ping | Sent by the client when it starts listening for commands from this group. | N/A | None |
| 0x3000 | ListDrives | List all mapped drives (A: to Z:) and their properties. All 26 entries are sent back in a single message body. Drives that aren't present have all fields set to 0x00. | None | Drive type; Total size; Space available to user; Free space; Volume name (offset); File system name (offset) |
| 0x3001 | ListDirectory | List the contents of the specified directory. The client sends one response message per entry. | Directory path | Is a directory?; File attributes; File size; Creation time; Last write time; Filename (offset); 8.3 filename (offset) |
| 0x3002 | (none) | Sent by the client when it has finished executing the ListDirectory command. | N/A | None |
| 0x3004 | ReadFile | Read a file in chunks of 0x4000 bytes. | Creation time; Last access time; Last write time; Has offset; Offset in file; File size; File path | See 0x10003005 below |
| 0x10003005 | (none) | Chunk of read file data. | N/A | Read data |
| 0x10003006 | (none) | Sent by the client when it has finished executing the ReadFile command. | N/A | None |
| 0x3007 | WriteFile | Write to a file and restore its previous timestamps. Creates parent directories if they don't exist. | Creation time; Last access time; Last write time; Has offset; Offset in file; File path (offset) | None |
| 0x10003008 | (none) | Sent by the server with data to write to the file. | Data to write | N/A |
| 0x10003009 | (none) | Sent by the server when the WriteFile operation is complete. | None | N/A |
| 0x300A | CreateDirectory | Create a directory. | Directory path | None |
| 0x300B | CanReadFile | Try to open a file with read permissions. | File path | None |
| 0x300C | DesktopExecute | Execute a command on a hidden desktop. | Command line to execute | PROCESS_INFORMATION structure for the created process |
| 0x300D | FileOperation | Perform a file operation using SHFileOperation. | wFunc; fFlags; pFrom (offset); pTo (offset) | None |
| 0x300E | GetEnvValue | Get the value of an environment variable. | Environment variable name | Environment variable value |
| 0x300F | CreateProgramDataDir | Creates the directory %SYSTEM%\ProgramData, optionally with a subdirectory. | Subdirectory relative path (optional) | None |
| 0x3102 | FindFiles | Recursively search a directory for files matching a given pattern. | Starting directory; Search pattern | See response body format in Table 6 |
| 0x7002 | RemoteShell | Start an interactive remote cmd.exe session. | None | None |
| 0x7003 | (none) | Result of the last command run. | N/A | Command output |

FindFiles command

Starting from the provided directory, this command searches for files whose names match the given pattern. The pattern supports the same wildcard characters as the Windows FindFirstFile API. For each matching file, the client sends a response message with its body in the format described in Table 6.

Table 6. Format of the response body for the FindFiles command

| Offset | Value |
|---|---|
| 0x00 | File attributes |
| 0x04 | File size in bytes |
| 0x0C | Creation time |
| 0x1C | Last write time |
| 0x24 | Folder path (offset) |
| 0x26 | Filename (offset) |
| 0x28 | 8.3 filename (offset) |

One response message with an empty body is sent once the search is completed.

Conclusion

The decoys used in this campaign show once more how quickly Mustang Panda is able to react to world events. For example, an EU regulation on COVID-19 was used as a decoy only two weeks after it came out, and documents about the war in Ukraine started being used in the days following the start of the invasion. This group also demonstrates an ability to iteratively improve its tools, including its signature use of trident downloaders to deploy Korplug.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research now also offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

| SHA-1 | Filename | ESET detection name | Description |
|---|---|---|---|
| 69AB6B9906F8DCE03B43BEBB7A07189A69DC507B | coreclr.dll | Win32/Agent.ADMW | Korplug loader. |
| 10AE4784D0FFBC9CD5FD85B150830AEA3334A1DE | N/A | Win32/Korplug.TC | Decrypted Korplug (dumped from memory). |
| 4EBFC035179CD72D323F0AB357537C094A276E6D | PowerDVD18.exe | Win32/Delf.UTN | Korplug loader. |
| FDBB16B8BA7724659BAB5B2E1385CFD476F10607 | N/A | Win32/Korplug.TB | Decrypted Korplug (dumped from memory). |
| 7E059258CF963B95BDE479D1C374A4C300624986 | N/A | Win32/Korplug.TC | Decrypted Korplug (dumped from memory). |
| 7992729769760ECAB37F2AA32DE4E61E77828547 | SHELLSEL.ocx | Win32/Agent.ADMW | Korplug loader. |
| F05E89D031D051159778A79D81685B62AFF4E3F9 | SymHp.exe | Win32/Delf.UTN | Korplug loader. |
| AB01E099872A094DC779890171A11764DE8B4360 | BoomerangLib.dll | Win32/Korplug.TH | Korplug loader. |
| CDB15B1ED97985D944F883AF05483990E02A49F7 | PotPlayer.dll | Win32/Agent.ADYO | Korplug loader. |
| 908F55D21CCC2E14D4FF65A7A38E26593A0D9A70 | SmadHook32.dll | Win32/Agent.ADMW | Korplug loader. |
| 477A1CE31353E8C26A8F4E02C1D378295B302C9E | N/A | Win32/Agent.ADMW | Korplug loader. |
| 52288C2CDB5926ECC970B2166943C9D4453F5E92 | SmadHook32c.dll | Win32/Agent.ADMW | Korplug loader. |
| CBD875EE456C84F9E87EC392750D69A75FB6B23A | SHELLSEL.ocx | Win32/Agent.ADMW | Korplug loader. |
| 2CF4BAFE062D38FAF4772A7D1067B80339C2CE82 | Adobe_Caps.dll | Win32/Agent.ADMW | Korplug loader. |
| 97C92ADD7145CF9386ABD5527A8BCD6FABF9A148 | DocConvDll.dll | Win32/Agent.ADYO | Korplug loader. |
| 39863CECA1B0F54F5C063B3015B776CDB05971F3 | N/A | Win32/Korplug.TD | Decrypted Korplug (dumped from memory). |
| 0D5348B5C9A66C743615E819AEF152FB5B0DAB97 | FontEDL.exe | clean | Vulnerable legitimate Font File Generator executable. |
| C8F5825499315EAF4B5046FF79AC9553E71AD1C0 | Silverlight.Configuration.exe | clean | Vulnerable legitimate Microsoft Silverlight Configuration Utility executable. |
| D4FFE4A4F2BD2C19FF26139800C18339087E39CD | PowerDVDLP.exe | clean | Vulnerable legitimate PowerDVD executable. |
| 65898ACA030DCEFDA7C970D3A311E8EA7FFC844A | Symantec.exe | clean | Vulnerable legitimate Symantec AntiVirus executable. |
| 7DDB61872830F4A0E6BF96FAF665337D01F164FC | Adobe Stock Photos CS3.exe | clean | Vulnerable legitimate Adobe Stock Photos executable. |
| C13D0D669365DFAFF9C472E615A611E058EBF596 | COVID-19 travel restrictions EU reviews list of third countries.exe | Win32/Agent_AGen.NJ | Downloader. |
| 062473912692F7A3FAB8485101D4FCF6D704ED23 | REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL.exe | Win32/TrojanDownloader.Agent.GDL | Downloader. |
| 2B5D6BB5188895DA4928DD310C7C897F51AAA050 | log.dll | Win32/Agent.ACYW | Korplug loader. |
| 511DA645A7282FB84FF18C33398E67D7661FD663 | 2.exe | Win32/Agent.ADPL | Korplug loader. |
| 59002E1A58065D7248CD9D7DD62C3F865813EEE6 | log.dll | Win32/Agent.ADXE | Korplug loader. |
| F67C553678B7857D1BBC488040EA90E6C52946B3 | KINGSTON.exe | Win32/Agent.ADXZ | Korplug loader. |
| 58B6B5FD3F2BFD182622F547A93222A4AFDF4E76 | PotPlayer.exe | clean | Vulnerable legitimate executable. |

Network

| Domain | IP | First seen | Notes |
|---|---|---|---|
| | 103.56.53[.]120 | 2021-06-15 | Korplug C&C. |
| | 154.204.27[.]181 | 2020-10-05 | Korplug C&C. |
| | 43.254.218[.]42 | 2021-02-09 | Download server. |
| | 45.131.179[.]179 | 2020-10-05 | Korplug C&C. |
| | 176.113.69[.]91 | 2021-04-19 | Korplug C&C. |
| upespr[.]com | 45.154.14[.]235 | 2022-01-17 | Download server. |
| urmsec[.]com | 156.226.173[.]23 | 2022-02-23 | Download server. |
| | 101.36.125[.]203 | 2021-06-01 | Korplug C&C. |
| | 185.207.153[.]208 | 2022-02-03 | Download server. |
| | 154.204.27[.]130 | 2021-12-14 | Korplug C&C. |
| | 92.118.188[.]78 | 2022-01-27 | Korplug C&C. |
| zyber-i[.]com | 107.178.71[.]211 | 2022-03-01 | Download server. |
| locvnpt[.]com | 103.79.120[.]66 | 2021-05-21 | Download server. This domain was previously used in a 2020 campaign documented by Recorded Future. |

MITRE ATT&CK methods

This desk was constructed utilizing version 10 of the MITRE ATT&CK framework.

| Tactic | ID | Title | Description |
|---|---|---|---|
| Resource Development | T1583.001 | Acquire Infrastructure: Domains | Mustang Panda has registered domains for use as download servers. |
| | T1583.003 | Acquire Infrastructure: Virtual Private Server | Some download servers used by Mustang Panda appear to be on shared hosting. |
| | T1583.004 | Acquire Infrastructure: Server | Mustang Panda uses servers that appear to be exclusive to the group. |
| | T1587.001 | Develop Capabilities: Malware | Mustang Panda has developed custom loader and Korplug variants. |
| | T1588.006 | Obtain Capabilities: Vulnerabilities | Multiple DLL hijacking vulnerabilities are used in the deployment process. |
| | T1608.001 | Stage Capabilities: Upload Malware | Malicious payloads are hosted on the download servers. |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | The Windows command shell is used to execute commands sent by the C&C server. |
| | T1106 | Native API | Mustang Panda uses CreateProcess and ShellExecute for execution. |
| | T1129 | Shared Modules | Mustang Panda uses LoadLibrary to load additional DLLs at runtime. The loader and RAT are DLLs. |
| | T1204.002 | User Execution: Malicious File | Mustang Panda relies on the user executing the initial downloader. |
| | T1574.002 | Hijack Execution Flow: DLL Side-Loading | The downloader obtains and launches a vulnerable application so that it loads and executes the malicious DLL that contains the second stage. |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Korplug can persist via registry Run keys. |
| | T1053.005 | Scheduled Task/Job: Scheduled Task | Korplug can persist by creating a scheduled task that runs at startup. |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | The Korplug file is encrypted and only decrypted at runtime, and its configuration data is encrypted with XOR. |
| | T1564.001 | Hide Artifacts: Hidden Files and Directories | Directories created during the installation process are set as hidden system directories. |
| | T1564.003 | Hide Artifacts: Hidden Window | Korplug can run commands on a hidden desktop. Multiple hidden windows are used during the deployment process. |
| | T1070 | Indicator Removal on Host | Korplug's uninstall command deletes the registry keys that store data and provide persistence. |
| | T1070.004 | Indicator Removal on Host: File Deletion | Korplug can remove itself and all directories it created. |
| | T1070.006 | Indicator Removal on Host: Timestomp | When writing to a file, Korplug resets the file's timestamps to their previous values. |
| | T1036.004 | Masquerading: Masquerade Task or Service | Scheduled tasks created for persistence use legitimate-looking names. |
| | T1036.005 | Masquerading: Match Legitimate Name or Location | File and directory names match the values expected for the legitimate application abused by the loader. |
| | T1112 | Modify Registry | Korplug can create, modify, and remove registry keys. |
| | T1027 | Obfuscated Files or Information | Some downloaded files are encrypted and stored as hexadecimal strings. |
| | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools | Imports are hidden by dynamic resolution of API function names. |
| | T1055.001 | Process Injection: Dynamic-link Library Injection | Some versions of the Korplug loader inject the Korplug DLL into a newly launched process. |
| | T1620 | Reflective Code Loading | Korplug parses and loads itself into memory. |
| Discovery | T1083 | File and Directory Discovery | Korplug can list files and directories along with their attributes and content. |
| | T1082 | System Information Discovery | Korplug collects extensive information about the system, including uptime, Windows version, CPU clock rate, amount of RAM and display resolution. |
| | T1614 | System Location Discovery | Korplug retrieves the system locale using GetSystemDefaultLCID. |
| | T1016 | System Network Configuration Discovery | Korplug collects the system hostname and IP addresses. |
| | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | The downloader pings Google's DNS server to check internet connectivity. |
| | T1033 | System Owner/User Discovery | Korplug obtains the current user's username. |
| | T1124 | System Time Discovery | Korplug uses GetSystemTime to retrieve the current system time. |
| Collection | T1005 | Data from Local System | Korplug collects extensive data about the system it is running on. |
| | T1025 | Data from Removable Media | Korplug can collect metadata and content from all mapped drives. |
| | T1039 | Data from Network Shared Drive | Korplug can collect metadata and content from all mapped drives. |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | Korplug can perform the initial handshake over HTTPS. |
| | T1095 | Non-Application Layer Protocol | C&C communication is done over a custom TCP-based protocol. |
| | T1573.001 | Encrypted Channel: Symmetric Cryptography | C&C communication is encrypted using RC4. |
| | T1008 | Fallback Channels | The Korplug configuration contains fallback C&C servers. |
| | T1105 | Ingress Tool Transfer | Korplug can download additional files from the C&C server. |
| | T1571 | Non-Standard Port | When Hodur performs its initial handshake over HTTPS, it uses the same port (specified in the configuration) as for the rest of the communication. |
| | T1132.001 | Data Encoding: Standard Encoding | Korplug compresses transferred data using LZNT1. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Data exfiltration is done via the same custom protocol used to send and receive commands. |
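The Command and Control rows above state that Korplug's C&C traffic is encrypted with RC4 (T1573.001) and compressed with LZNT1 (T1132.001). For an analyst who has captured such traffic and recovered the RC4 key from the sample, the practical question is how to turn a captured message back into readable data. The following is an added example written for this blogpost, not code from ESET or from the malware: a standalone RC4 routine and an LZNT1 decompressor (the MS-XCA chunk format used by Windows' RtlCompressBuffer), chained under the assumption that data is compressed first and then encrypted. The key `example-key`, the function names and the sample payload are all constructed for illustration; this table gives neither the real key nor the order of operations.

```python
"""Decode a captured Korplug-style C&C message: RC4 decrypt, then LZNT1 decompress.

Added example, not code from the ESET report or from the malware. The key, the
compress-then-encrypt order and the sample message below are assumptions made
for illustration only.
"""
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                     # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                        # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _lznt1_chunk(chunk: bytes, out: bytearray) -> None:
    """Decompress one LZNT1 chunk body (the bytes after its 2-byte header)."""
    start = len(out)                         # back-references never cross chunk boundaries
    pos = 0
    while pos < len(chunk):
        flags = chunk[pos]                   # one flag bit per following element
        pos += 1
        for bit in range(8):
            if pos >= len(chunk):
                break
            if not (flags >> bit) & 1:
                out.append(chunk[pos])       # literal byte
                pos += 1
                continue
            token = struct.unpack_from("<H", chunk, pos)[0]
            pos += 2
            # The displacement field grows (and the length field shrinks) as more
            # of the chunk has been produced: 4 bits for the first 16 bytes,
            # 5 bits up to 32, and so on (MS-XCA LZNT1 rule).
            produced = len(out) - start - 1
            shift = 12
            while produced >= 0x10:
                produced >>= 1
                shift -= 1
            length = (token & ((1 << shift) - 1)) + 3
            offset = (token >> shift) + 1
            if offset > len(out) - start:
                raise ValueError("LZNT1 back-reference points before chunk start")
            for _ in range(length):          # byte-wise copy so overlapping runs work
                out.append(out[-offset])


def lznt1_decompress(data: bytes) -> bytes:
    """Walk the chunk headers: bit 15 = compressed, low 12 bits = body size - 1."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0:                      # terminating zero header
            break
        size = (header & 0xFFF) + 1
        chunk = data[pos:pos + size]
        pos += size
        if header & 0x8000:
            _lznt1_chunk(chunk, out)
        else:
            out += chunk                     # stored (uncompressed) chunk
    return bytes(out)


def decode_c2_payload(key: bytes, blob: bytes) -> bytes:
    """Assumed wire format: LZNT1-compressed data wrapped in RC4."""
    return lznt1_decompress(rc4(key, blob))


# Constructed sample: a compressed chunk holding "host-01;" followed by a
# back-reference (offset 8, length 16), then a stored chunk holding "done".
SAMPLE_LZNT1 = bytes.fromhex(
    "0bb0" "00" "686f73742d30313b" "01" "0d70"   # header 0xB00B, literals, match token
    "0330" "646f6e65"                            # header 0x3003, stored bytes
)
SAMPLE_KEY = b"example-key"                      # constructed; not the real key
SAMPLE_BLOB = rc4(SAMPLE_KEY, SAMPLE_LZNT1)      # what the capture would look like

if __name__ == "__main__":
    print(decode_c2_payload(SAMPLE_KEY, SAMPLE_BLOB))
```

The decompressor validates that every back-reference stays inside the current chunk and raises on malformed input rather than reading garbage, which matters when the captured data turns out to be a different message type or was decrypted with the wrong key. Because RC4 is symmetric, `rc4` is also what you would use to re-encrypt a message when replaying captured traffic against a lab instance.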