Research Roundup: Mustang Panda and RedDelta PlugX Using Same C2

Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).

Note: Viewing the pages linked in this blog post requires a ThreatConnect account.

In this edition, we cover:

• Mustang Panda PlugX
• RedDelta PlugX
• New Suspicious Domains
• Gozi
• Emotet

Roundup Highlight: Mustang Panda and RedDelta PlugX Using Same C2

Our highlight in this Roundup are Incidents 20200827A: File Matching YARA Rule Associated to RedDelta PlugX and 20200827B: File Matching YARA Rule Associated to Mustang Panda PlugX. ThreatConnect Research identified PlugX samples 119238ed27dd6e4206ea90fae9f57116814e0c538ae10329c0d6f2ff22b31d99 (RedDelta variant) and 7dc1bd6296d87af376c35dbd1033266360bacc69074bb8dc688d6ef501aecbcd (Mustang Panda variant) via two independent YARA rules.

The embedded configurations contain the following C2 locations:

RedDelta:

www.destroy2013[.]com:80
www.destroy2013[.]com:443
www.fitehook[.]com:8080
www.fitehook[.]com:53

Mustang Panda:

www.destroy2013[.]com:80
www.destroy2013[.]com:8080
www.destroy2013[.]com:443
www.destroy2013[.]com:53

The two samples also share the following traits:

• The same config decryption key was used: “123456789”
• The use of shell code in the MZ header

The malware configuration similarities and C2 overlap could be indicative of two teams working closely together using shared resources but possibly with slightly different action on objectives.

ThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common Community by our Research Team.

• 20200828B: Suspicious Set of Domains Registered Through Njalla and Using Cloudflare ThreatConnect Research identified a set of over 60 suspicious domains that were registered at essentially the same time on August 25 2020 through Njalla and seemingly have various themes. Most of the domains began using Cloudflare services after registration, while some are using ihostdns[.]ru name servers. Of note, many of the identified domains resolved to the same IP address prior to employing Cloudflare services. The identified domains currently host “coming soon” pages and we don’t have any idea of the extent to which, or for what, they may be operationalized.
• 20200903A: Actors Registering Suspicious Domains Through ITitch and MonoVM ThreatConnect Research identified two sets of suspicious domain registrations in late August 2020 where the actor used the same email address to register domains minutes apart through ITitch and MonoVM. The registered domains were also hosted on probable dedicated servers.

Technical Blogs and Reports Incidents with Active and Observed Indicators: Incidents associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).

• Gozi: The Malware with a Thousand Faces (Source: https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/)
• Emotet C2 Deltas from 2020/08/27 as of 11:20EDT or 15:20UTC (Source: https://paste.cryptolaemus.com/emotet/2020/08/27/emotet-C2-Deltas-1120-1520_08-27-20.html)
• Daily Emotet IoCs and Notes for 08/31/20 (Source: https://paste.cryptolaemus.com/emotet/2020/08/31/emotet-malware-IoCs_08-31-20.html)
• Emotet C2 Deltas from 2020/08/31 as of 8:00EDT or 12:00UTC (Source: https://paste.cryptolaemus.com/emotet/2020/08/31/emotet-C2-Deltas-0800-1200_08-31-20.html)
• Daily Emotet IoCs and Notes for 09/01/20 (Source: https://paste.cryptolaemus.com/emotet/2020/09/01/emotet-malware-IoCs_09-01-20.html)