China’s state-sponsored cyber-espionage group Mustang Panda has significantly upgraded its malware toolkit, according to new research from Zscaler ThreatLabz. Known for targeting governments, military organizations, NGOs, and major corporations, the group’s recent activity shows a clear investment in evading detection: new keyloggers, a refreshed backdoor, a lateral-movement proxy, and a kernel driver built to blind endpoint security products. Defenders facing this arsenal need host-level visibility as much as network monitoring, because several of the new tools are designed to leave little for the network to see.
The Tools Behind Mustang Panda’s New Malware
Mustang Panda, also known by names like Bronze President, Stately Taurus, and TA416, has long been associated with espionage campaigns targeting various sectors, primarily in East and Southeast Asia, though also affecting Western countries. Their focus on strategic political, military, and corporate targets has made them one of the more infamous Advanced Persistent Threat (APT) groups backed by the Chinese government. The group’s latest updates to its malware suite reflect a trend towards more advanced and stealthy methods of cyber intrusion.
Keyloggers PAKLOG and CorKLOG: Stealth at the Keyboard Level
Among the most recent additions to Mustang Panda’s toolkit are two new keyloggers: PAKLOG and CorKLOG. Keyloggers are a favored method for espionage groups, silently recording the keystrokes of their targets. However, these two tools bring additional layers of sophistication.
- PAKLOG captures keystrokes and clipboard contents, a combination that readily yields login credentials, pasted secrets, and fragments of confidential documents.
- CorKLOG takes it a step further by adding persistence and encrypting its logs on disk. The encryption does not make the keylogger itself harder to spot; rather, if the log file is recovered, responders cannot immediately tell what was captured, which slows the assessment of what was stolen.
Unlike many other keyloggers, these two lack any exfiltration capability of their own: the captured data sits on the host until the attackers retrieve it through another component of the intrusion. For defenders this matters because network-based data-loss monitoring will not see the keylogger send anything. Detecting these tools depends on host telemetry, such as newly created files that grow in step with user input, unexpected clipboard or keyboard hooks, and persistence entries (services or scheduled tasks) that point at unfamiliar binaries.
“ToneShell” and StarProxy: A Persistent Backdoor and Lateral Movement
One of Mustang Panda’s most well-known tools, “ToneShell,” has seen an upgrade. This backdoor has been part of the group’s arsenal for years, giving the operators persistent access to compromised systems. The latest variants change how an infected machine identifies itself to the operators and how it communicates with the command-and-control (C2) infrastructure. The updates are intended to break signatures and network detections written for earlier versions, so detection content for ToneShell should be revisited rather than assumed to still fire.
Alongside ToneShell, Mustang Panda has introduced StarProxy, a new tool designed to support lateral movement across compromised networks. StarProxy wraps its traffic in FakeTLS: the data is framed with TLS-style record headers so that it looks like encrypted TLS to port-based or header-based classification, but no real TLS handshake takes place underneath. Network monitoring that only checks for the TLS record layer will wave it through; a parser that validates the handshake will not. As a proxy, StarProxy does not replicate itself to other machines; it relays attacker traffic between the C2 infrastructure and internal hosts that the attackers cannot reach directly, extending the group’s reach inside the targeted infrastructure.
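A simple way to separate genuine TLS from a FakeTLS-style wrapper is to parse the first record a client sends and check whether it is a well-formed ClientHello. The Python below is an added example, not Zscaler’s code and not derived from StarProxy itself; it assumes only the general FakeTLS pattern described above (TLS record headers around non-TLS payload, or application-data records sent before any handshake). All sample packets are constructed inline and are not captures from a real StarProxy session.

```python
import struct

# TLS record layer constants (RFC 5246 / RFC 8446)
TLS_HANDSHAKE = 0x16
TLS_APPLICATION_DATA = 0x17
TLS_RECORD_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}
HS_CLIENT_HELLO = 0x01
MAX_RECORD_LEN = 16384


def _valid_client_hello(body: bytes) -> bool:
    """Walk the ClientHello body (after the 4-byte handshake header) and
    check that every length field is internally consistent."""
    if len(body) < 35:                        # version(2) + random(32) + sid_len(1)
        return False
    if int.from_bytes(body[0:2], "big") not in TLS_RECORD_VERSIONS:
        return False
    off = 34
    sid_len = body[off]
    off += 1 + sid_len
    if sid_len > 32 or off + 2 > len(body):
        return False
    cs_len = int.from_bytes(body[off:off + 2], "big")
    off += 2 + cs_len
    if cs_len == 0 or cs_len % 2 or off + 1 > len(body):
        return False
    comp_len = body[off]
    off += 1 + comp_len
    if comp_len == 0 or off > len(body):
        return False
    if off == len(body):                      # no extensions block (legal in TLS 1.0-1.2)
        return True
    if off + 2 > len(body):
        return False
    ext_len = int.from_bytes(body[off:off + 2], "big")
    return off + 2 + ext_len == len(body)


def classify_client_first_flight(data: bytes) -> str:
    """Classify the first bytes a client sends on a TCP connection.
    Returns 'tls', 'faketls', 'other' or 'incomplete'."""
    if len(data) < 5:
        return "incomplete"
    ctype, version, rlen = struct.unpack("!BHH", data[:5])
    if version not in TLS_RECORD_VERSIONS:
        return "other"                        # not even pretending to be TLS
    if ctype == TLS_APPLICATION_DATA:
        # A real client never sends application data before a handshake;
        # a TLS-looking header around raw payload is the FakeTLS pattern.
        return "faketls"
    if ctype != TLS_HANDSHAKE:
        return "other"
    if rlen == 0 or rlen > MAX_RECORD_LEN:
        return "faketls"
    body = data[5:5 + rlen]
    if len(body) < rlen:
        return "incomplete"                   # need more bytes before deciding
    if len(body) < 4:
        return "faketls"
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != HS_CLIENT_HELLO or hs_len != rlen - 4:
        return "faketls"                      # record says handshake, contents disagree
    return "tls" if _valid_client_hello(body[4:]) else "faketls"


# Constructed samples for illustration (not real StarProxy or ToneShell traffic).
def build_client_hello() -> bytes:
    hello = (b"\x03\x03" + bytes(32)          # client_version, random
             + b"\x00"                         # empty session id
             + b"\x00\x04\x13\x01\x13\x02"     # two cipher suites
             + b"\x01\x00"                     # null compression only
             + b"\x00\x00")                    # empty extensions block
    handshake = bytes([HS_CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


SAMPLES = {
    "genuine": build_client_hello(),
    "fake_appdata_first": b"\x17\x03\x03\x00\x08" + b"\x01\x02\x03\x04\x05\x06\x07\x08",
    "fake_handshake_garbage": b"\x16\x03\x01\x00\x10" + bytes(range(0x80, 0x90)),
    "plain_http": b"GET / HTTP/1.1\r\nHost: example\r\n\r\n",
    "truncated": b"\x16\x03\x01\x02",
}


def scan(samples=SAMPLES) -> dict:
    """Apply the classifier to each constructed first flight."""
    return {name: classify_client_first_flight(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:24s} {verdict}")
```

This looks only at the client’s first record, which is enough to catch the two crude FakeTLS shapes (application data with no handshake, and a handshake header whose inner length and message type do not add up). A production detector should also parse the server’s reply and confirm a ServerHello follows, since a tool could send a plausible ClientHello and then fall back to raw framing.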
SplatCloak: Evasion at the Kernel Level
Perhaps the most concerning addition to Mustang Panda’s arsenal is SplatCloak, a kernel driver built to blind endpoint protection. Security products such as Windows Defender and Kaspersky register kernel-mode notification callbacks so that they are told when processes start, images load, or registry and object operations occur; SplatCloak removes those callbacks, so the products stop receiving the events they use to flag suspicious activity. The user-mode components of the antivirus keep running and look healthy, while the other malware on the system operates without being observed.
The driver is not self-sufficient. It is installed by SplatDropper, a utility that loads SplatCloak and then deletes its own file, so responders arriving later find the driver but not the component that put it there. Self-deletion removes the file, not the evidence of its activity: the driver-load and service-installation events it generated remain in the Windows and Sysmon logs, and those are where an investigation should start.
Mustang Panda’s Tactics: A Well-Planned Approach to Cyber Espionage
According to researchers from Zscaler, Mustang Panda’s continuous tool updates and layered obfuscation significantly improve the group’s operational security and the effectiveness of its attacks. Each refinement invalidates some of the detection content written for the previous version, which is how the group keeps a persistent presence on networks and makes complete eradication difficult.
With the group’s arsenal growing more sophisticated, organizations need to take proactive measures against these threats. Keeping endpoint security current matters, but so does monitoring that the agent is still receiving kernel events rather than merely running; analyzing network traffic beyond protocol labels, so that TLS-looking sessions are actually validated; and watching for signs of lateral movement such as internal hosts proxying connections on behalf of others.