Research Roundup: Mustang Panda and RedDelta PlugX Using Same C2

Howdy, and welcome to the ThreatConnect Research Roundup, a collection of recent findings by our Research Team and items from open source publications that have resulted in Observations of related indicators across ThreatConnect’s CAL™ (Collective Analytics Layer).

Note: Viewing the pages linked in this blog post requires a ThreatConnect account. If you don’t have one, please click here to request your free TC Open account.

In this edition, we cover:

  • Mustang Panda PlugX
  • RedDelta PlugX
  • New Suspicious Domains
  • Gozi
  • Emotet

Roundup Highlight: Mustang Panda and RedDelta PlugX Using Same C2

Host www.destroy2013[.]com in ThreatConnect Common Community

Our highlights in this Roundup are Incidents 20200827A: File Matching YARA Rule Associated to RedDelta PlugX and 20200827B: File Matching YARA Rule Associated to Mustang Panda PlugX. ThreatConnect Research identified PlugX samples 119238ed27dd6e4206ea90fae9f57116814e0c538ae10329c0d6f2ff22b31d99 (RedDelta variant) and 7dc1bd6296d87af376c35dbd1033266360bacc69074bb8dc688d6ef501aecbcd (Mustang Panda variant) via two independent YARA rules.

The embedded configurations contain the following C2 locations:

RedDelta:

www.destroy2013[.]com:80
www.destroy2013[.]com:443
www.fitehook[.]com:8080
www.fitehook[.]com:53

Mustang Panda:

www.destroy2013[.]com:80
www.destroy2013[.]com:8080
www.destroy2013[.]com:443
www.destroy2013[.]com:53

The two samples also share the following traits:

  • The same config decryption key was used: “123456789”
  • The use of shellcode in the MZ header

The malware configuration similarities and C2 overlap could indicate two teams working closely together and using shared resources, but possibly with slightly different actions on objectives.
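The overlap between the two embedded configurations can be made explicit, and the same endpoint sets reused for hunting. The following is an added example, not ThreatConnect code: it parses the defanged C2 lists above, splits them into shared and per-variant endpoints, and matches them against a constructed connection log. The log layout, the function names, and the sample log values are assumptions.

```python
# C2 endpoints as listed on the page, kept defanged.
REDDELTA = """www.destroy2013[.]com:80
www.destroy2013[.]com:443
www.fitehook[.]com:8080
www.fitehook[.]com:53"""
MUSTANG_PANDA = """www.destroy2013[.]com:80
www.destroy2013[.]com:8080
www.destroy2013[.]com:443
www.destroy2013[.]com:53"""

def refang(host):
    return host.replace("[.]", ".").lower()

def parse_c2(block):
    """Turn 'host[.]tld:port' lines into a set of (host, port) tuples."""
    endpoints = set()
    for entry in block.split():
        host, _, port = entry.rpartition(":")
        endpoints.add((refang(host), int(port)))
    return endpoints

def compare(a, b):
    """Return (shared, only_in_a, only_in_b) endpoint sets."""
    return a & b, a - b, b - a

def hunt(log_lines, families):
    """Match 'timestamp src dst_host dst_port' lines against each family.
    'exact' = host and port both listed; 'host-only' = listed host, unlisted port."""
    hits = []
    for line in log_lines:
        _ts, src, host, port = line.split()
        host, port = refang(host), int(port)
        for name, c2 in families.items():
            if (host, port) in c2:
                hits.append((src, name, "exact"))
            elif any(host == h for h, _ in c2):
                hits.append((src, name, "host-only"))
    return hits

# Constructed connection log (assumed layout; IPs, times and example.org are made up).
# Hosts are written defanged here; hunt() refangs them before matching.
SAMPLE_LOG = [
    "2020-08-27T10:00:01Z 10.0.0.5 www.destroy2013[.]com 443",
    "2020-08-27T10:00:07Z 10.0.0.9 www.fitehook[.]com 53",
    "2020-08-27T10:01:12Z 10.0.0.7 www.example.org 443",
    "2020-08-27T10:02:30Z 10.0.0.5 www.destroy2013[.]com 8443",
]
FAMILIES = {"RedDelta": parse_c2(REDDELTA), "Mustang Panda": parse_c2(MUSTANG_PANDA)}

if __name__ == "__main__":
    print(compare(FAMILIES["RedDelta"], FAMILIES["Mustang Panda"]))
    print(hunt(SAMPLE_LOG, FAMILIES))
```

A hit on a shared endpoint cannot be attributed to one variant from network data alone, which is why `hunt()` reports every family whose configuration lists it.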

ThreatConnect Research Team Intelligence: Items recently created or updated in the ThreatConnect Common Community by our Research Team.

  • 20200828B: Suspicious Set of Domains Registered Through Njalla and Using Cloudflare. ThreatConnect Research identified a set of over 60 suspicious domains that were registered at essentially the same time on August 25, 2020 through Njalla and seemingly have various themes. Most of the domains began using Cloudflare services after registration, while some are using ihostdns[.]ru name servers. Of note, many of the identified domains resolved to the same IP address prior to employing Cloudflare services. The identified domains currently host “coming soon” pages, and we do not know the extent to which, or for what purpose, they may be operationalized.
  • 20200903A: Actors Registering Suspicious Domains Through ITitch and MonoVM. ThreatConnect Research identified two sets of suspicious domain registrations in late August 2020 where the actor used the same email address to register domains minutes apart through ITitch and MonoVM. The registered domains were also hosted on probable dedicated servers.

Technical Blogs and Reports Incidents with Active and Observed Indicators: Incidents associated to one or more Indicators with an Active status and at least one global Observation across the ThreatConnect community. These analytics are provided by ThreatConnect’s CAL™ (Collective Analytics Layer).

To receive ThreatConnect notifications about any of the above, remember to check the “Follow Item” box on that item’s Details page.

About the Author
ThreatConnect Research Team

The ThreatConnect Research Team is an elite group of globally-acknowledged cybersecurity experts, dedicated to tracking down existing and emerging cyber threats. We scrutinize trends, technology and socio-political motivators to develop comprehensive knowledge of the cyber landscape. Then, we share what we’ve learned so that you can protect your organization, and your team can take precise action against threats.