ESET Research has discovered an ongoing cyber espionage campaign using a previously undocumented Korplug variant by the Mustang Panda APT group. The current campaign exploits the war in Ukraine and other European hot topics.
Known victims include research entities, Internet Service Providers (ISPs), and European diplomatic missions primarily located in East and Southeast Asia. Researchers named this new variant of Korplug Hodur because of its resemblance to the THOR variant documented in 2020. In Norse mythology, Hodur is the blind half-brother of Thor.
Victims of this campaign are likely lured by phishing materials abusing recent events in Europe such as Russia’s invasion of Ukraine. According to the UNHCR, more than three million people have fled the war to neighboring countries, leading to an unprecedented crisis on Ukraine’s borders. One of the filenames related to this campaign is “EU border situation with Ukraine.exe”.
Other phishing lures mention updated COVID-19 travel restrictions, an approved regional aid map for Greece and a European Parliament and Council regulation. The final lure is a real document available on the European Council website. This shows that the APT group behind this campaign follows the news and is able to react to it successfully and quickly.
“Based on code similarities and numerous commonalities in tactics, techniques and procedures, ESET researchers attribute this campaign with high confidence to Mustang Panda, also known as TA416, RedDelta or PKPLUG. It is a cyber espionage group mainly targeting government entities and NGOs,” says Alexandre Côté Cyr, Malware Researcher at ESET, who discovered Hodur. Mustang Panda’s victims are mainly, but not exclusively, located in East and Southeast Asia, with a focus on Mongolia. The group is also known for its campaign targeting the Vatican in 2020.
Although researchers were unable to identify the verticals of all of the victims, this campaign appears to have the same targeting goals as other Mustang Panda campaigns. Following typical APT victimology, most of the victims are in East and Southeast Asia, with some in European and African countries. According to ESET telemetry, the vast majority of targets are located in Mongolia and Vietnam, followed by Myanmar, with only a few in other affected countries, namely Greece, Cyprus, Russia, South Sudan, Turkey and South Africa. The verticals identified include diplomatic missions, research entities and ISPs.
Mustang Panda campaigns frequently use custom loaders for shared malware, including Cobalt Strike, Poison Ivy, and Korplug (also known as PlugX). The group is also known for creating its own Korplug variants. “Compared to other campaigns using Korplug, every step of the deployment process uses anti-analysis and control-flow obfuscation techniques, which makes investigation more difficult for us malware researchers,” concludes Côté Cyr.