Backdoor Trojan Found in Myanmar Ministry of Defence tied to Chinese Military [Mustang Panda]
First Cambodia and the Philippines, now Myanmar.
The PLA's campaign to press its interests in Southeast Asia continues, with researchers finding artifacts bearing Mustang Panda tactics and protocols uploaded to the VirusTotal platform between November 2023 and January 2024.
"The most prominent of these TTPs are the use of legitimate software including a binary developed by engineering firm Bernecker & Rainer (B&R) and a component of the Windows 10 upgrade assistant to sideload malicious dynamic-link libraries (DLLs)," according to CSIRT-CTI.
"The threat actors attempt to disguise the [C2] traffic as Microsoft update traffic by adding the 'Host: www.asia.microsoft.com' and 'User-Agent: Windows-Update-Agent' headers," CSIRT-CTI noted, mirroring a May 2023 campaign disclosed by Lab52.
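Defenders can turn that header pair into a detection. The following Python is an added example, not code from CSIRT-CTI, Lab52 or any of the reporting quoted here. It runs over constructed proxy log lines (the key=value log format, the source and destination addresses, and the allowlist of update domains are all assumptions) and flags the exact Host/User-Agent pair reported on this page and, more generally, any request whose Host header claims a Microsoft domain while the client actually connected somewhere else.

```python
import re

# Headers the page reports Mustang Panda adds to make C2 look like Windows Update traffic.
SPOOFED_HOST = "www.asia.microsoft.com"
SPOOFED_UA = "Windows-Update-Agent"

# Illustrative allowlist of domains a genuine Windows Update check talks to (assumption;
# tune it to the update endpoints observed in your own environment).
UPDATE_DOMAINS = ("microsoft.com", "windowsupdate.com")

# Constructed key=value proxy log lines (not real telemetry). "dst" is the name or address the
# client actually connected to (SNI / CONNECT target); "host" is the HTTP Host header it sent.
SAMPLE_LOG = """\
ts=2024-01-10T09:12:01Z src=10.0.5.21 dst=update.microsoft.com host=update.microsoft.com ua="Windows-Update-Agent" status=200
ts=2024-01-10T09:12:07Z src=10.0.5.33 dst=203.0.113.45 host=www.asia.microsoft.com ua="Windows-Update-Agent" status=200
ts=2024-01-10T09:13:15Z src=10.0.5.21 dst=example.org host=example.org ua="Mozilla/5.0" status=200
ts=2024-01-10T09:14:02Z src=10.0.5.40 dst=198.51.100.7 host=cdn.example.net ua="Windows-Update-Agent" status=404
"""

# key=value pairs; values may be double-quoted when they contain spaces.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict."""
    return {key: (quoted or bare) for key, quoted, bare in _KV.findall(line)}


def in_domains(name, domains):
    """True if name equals, or is a subdomain of, any entry in domains."""
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def classify(rec):
    """Return the reasons (possibly none) a parsed request looks like spoofed update traffic."""
    host = rec.get("host", "")
    dst = rec.get("dst", "")
    ua = rec.get("ua", "")
    reasons = []
    # 1. The exact header pair reported for this campaign.
    if host == SPOOFED_HOST and ua == SPOOFED_UA:
        reasons.append("header pair reported for Mustang Panda C2")
    # 2. Host header claims microsoft.com but the TCP/TLS peer is not a microsoft.com name.
    if in_domains(host, ("microsoft.com",)) and not in_domains(dst, ("microsoft.com",)):
        reasons.append("Host header claims microsoft.com but connection target is %s" % dst)
    # 3. Update-agent User-Agent aimed at a host outside the update allowlist.
    if ua == SPOOFED_UA and not in_domains(host, UPDATE_DOMAINS):
        reasons.append("update-agent User-Agent to non-update host %s" % host)
    return reasons


def flag_requests(log_text):
    """Map 1-based line numbers to the reasons each suspicious line was flagged."""
    hits = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        reasons = classify(parse_line(line))
        if reasons:
            hits[n] = reasons
    return hits


if __name__ == "__main__":
    for n, reasons in flag_requests(SAMPLE_LOG).items():
        print("line %d: %s" % (n, "; ".join(reasons)))
```

Rule 2 is the durable one: the Host header is attacker-controlled text, whereas the destination the proxy or firewall actually saw is not, so a mismatch between the two survives the actor changing the specific strings. Rules 1 and 3 are cheaper but depend on the reported values and on how complete the allowlist is.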
"Following the rebel attacks in northern Myanmar [in October 2023], China has expressed concern regarding its effect on trade routes and security around the Myanmar-China border," CSIRT-CTI said.
"Stately Taurus operations are known to align with geopolitical interests of the Chinese government, including multiple cyberespionage operations against Myanmar in the past."
According to HackerNews, sideloading DLLs is used to "establish persistence and contact with a command-and-control (C2) server and retrieve a known backdoor called PUBLOAD, which, in turn, acts as a custom loader to drop the PlugX implant".
PlugX is a common tool used by PLA-tied hackers, according to a Wired news article from last year.
According to a cybersecurity alert [to Wired], Chinese-linked hackers were able to break into mail servers operated by the Association of Southeast Asian Nations (ASEAN) in February 2022 and steal a trove of data. The ASEAN organization is an intergovernmental body made up of 10 Southeast Asian countries, including Singapore, Malaysia, and Thailand. This was the third time the organization has been compromised since 2019, the document says.
The hackers were able to steal “gigabytes” of emails sent by ASEAN countries, and the data was stolen “daily,” according to the cybersecurity alert. It’s believed that the attackers stole more than 10,000 emails, making up more than 30 GB of data. The incident “impacts all ASEAN members due to correspondence that was compromised,” the alert says. The notification was sent to cybersecurity agencies, foreign affairs ministries, and other governmental organizations in all 10 of the ASEAN member countries.
The cybersecurity alert advised member countries to reset credentials, monitor remote email collection from unknown locations, and defend against the vulnerabilities. It also notes that this isn’t the first time Chinese threat actors have compromised ASEAN. In July 2021, the alert says, the ShadowPad malware was used to compromise the organization. Meanwhile, between May and October 2019, Chinese attackers used the PlugX malware to steal more than 100 ASEAN-related documents.
The question is not if but when China uses more aggressive tactics against its more amiable regional neighbors, and then against its foreign enemies.
China has a history of severe cyber attacks against Malaysian government institutions dating back to before 2010.