Research Roundup: Mustang Panda and Fancy Bear

Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).

Note: Viewing the pages linked in this blog post requires a ThreatConnect account. If you don’t have one, you can request a free TC Open account.

In this edition, we cover:

  • Mustang Panda PlugX
  • Fancy Bear
  • Emotet
  • Prometei


Roundup Highlight: Mustang Panda

20200728A: File Matching YARA Rule Associated to Mustang Panda PlugX


Our highlight in this Roundup is Incident 20200728A: File Matching YARA Rule Associated to Mustang Panda PlugX. File d92a74ec57e53d449e0f0d4053f8adb6e1bb6ca339284e1e0045d416fcd022a6 was identified via a YARA rule as a Mustang Panda PlugX binary.

The embedded config contains the following Command and Control locations which have been associated with this Incident:

185.239.226(.)65:80
185.239.226(.)65:443

The probable attribution to Mustang Panda rests on similarities between this PlugX sample and the details reported at:

https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/
https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/

Similar traits include:

  • The same config decryption key was used: “123456789”
  • The binary is obfuscated using a 10-byte XOR key.
  • Shellcode placed in the MZ (DOS) header

File d92a74ec57e53d449e0f0d4053f8adb6e1bb6ca339284e1e0045d416fcd022a6 was decrypted from File 27ea939f41712a8655dc2dc0bce7d32a85e73a341e52b811b109befc043e762a.
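The second trait above, a PE body obfuscated with a short repeating XOR key, is the kind of layer an analyst peels off before a YARA rule can match the inner PlugX binary. The following is an added example written for this post, not ThreatConnect's tooling or the actual unpacking routine for this sample: it recovers a 10-byte repeating XOR key from an obfuscated PE-like blob by exploiting the fact that an uncompressed PE is dominated by 0x00 bytes (section padding, zeroed tables), then validates the guess by checking for the MZ and PE\0\0 signatures. The blob, the key (SAMPLE_KEY) and the function names are all constructed here; the real sample's key and layout are not reproduced.

```python
"""Recover a repeating XOR key from an obfuscated PE-like blob.

Added example, not ThreatConnect's code. The sample blob and SAMPLE_KEY
below are constructed for the demonstration; they are not taken from the
Mustang Panda PlugX sample discussed in the post.
"""
from collections import Counter
from typing import Optional

# Constructed 10-byte key for the demo (assumption, not the real sample's key).
SAMPLE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; encoding and decoding are the same op."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(data: bytes, key_len: int) -> bytes:
    """Guess a repeating key of length key_len by per-position frequency.

    Assumption: plaintext is mostly 0x00, so at each key position the most
    frequent ciphertext byte equals 0x00 XOR key[i] == key[i]. This fails on
    compressed or otherwise high-entropy payloads; always validate the result.
    """
    key = bytearray()
    for i in range(key_len):
        column = data[i::key_len]              # every byte encoded with key[i]
        most_common, _ = Counter(column).most_common(1)[0]
        key.append(most_common)
    return bytes(key)


def looks_like_pe(data: bytes) -> bool:
    """Sanity check: DOS 'MZ' signature and 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_xor_key(data: bytes, key_len: int) -> Optional[bytes]:
    """Recover the key and return it only if the decoded blob validates as a PE."""
    candidate = recover_xor_key(data, key_len)
    return candidate if looks_like_pe(xor_with_key(data, candidate)) else None


def build_fake_pe() -> bytes:
    """Constructed stand-in for an unobfuscated PE (not a real executable).

    Layout: 64-byte DOS header with e_lfanew=0x80, zero-filled stub, PE
    signature plus Machine field, then a mostly-zero body with one string.
    """
    e_lfanew = 0x80
    dos_header = b"MZ" + b"\x90" * 0x3A + e_lfanew.to_bytes(4, "little")
    stub = b"\x00" * (e_lfanew - len(dos_header))
    nt_headers = b"PE\x00\x00" + b"\x4c\x01"   # Machine = IMAGE_FILE_MACHINE_I386
    body = b"\x00" * 0x300 + b"Constructed strings section\x00" + b"\x00" * 0x100
    return dos_header + stub + nt_headers + body


def demo() -> Optional[bytes]:
    """Obfuscate the constructed PE, then recover the key blind."""
    obfuscated = xor_with_key(build_fake_pe(), SAMPLE_KEY)
    return find_xor_key(obfuscated, key_len=10)


if __name__ == "__main__":
    recovered = demo()
    print("recovered key:", recovered.hex() if recovered else None)
```

When the key length is unknown, run find_xor_key over a small range of lengths and keep the first that validates; the PE signature check is what keeps a statistically plausible but wrong key from being reported. The recovered key is only a lead, not attribution on its own: as the post notes, the link to Mustang Panda comes from the combination of traits (config key, XOR obfuscation, shellcode in the DOS header) matching prior reporting.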

ThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common Community by our Research Team.


Technical Blogs and Reports Incidents with Active and Observed Indicators: Incidents associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).


To receive ThreatConnect notifications about any of the above, remember to check the “Follow Item” box on that item’s Details page.

About the Author
ThreatConnect Research Team

The ThreatConnect Research Team is an elite group of globally acknowledged cybersecurity experts dedicated to tracking down existing and emerging cyber threats. We scrutinize trends, technology and socio-political motivators to develop comprehensive knowledge of the cyber landscape. Then we share what we’ve learned so that you can protect your organization and your team can take precise action against threats.