ThreatConnect Podcast

ThreatConnect Ep. 4: Linking Mustang Panda & CrimsonIAS

New research from the ThreatConnect research team suggests CrimsonIAS may be an additional tool in Mustang Panda’s (aka BRONZE PRESIDENT, RedDelta) repertoire.

In this episode of the ThreatConnect Podcast, we talk with the researcher who discovered the possible link.

Read the full Cyber Threat Intelligence Research Report,CrimsonIAS: Listening for an 3v1l User, now.

CrimsonIAS is a Delphi-written backdoor dating back to at least 2017 that enables operators to run command line tools, exfiltrate files, and upload files to the infected machine. CrimsonIAS is notable as it listens for incoming connections only; making it different from typical Windows backdoors that beacons out. The characteristics found in CrimsonIAS’s execution flow suggest a connection to Mustang Panda (aka BRONZE PRESIDENT, RedDelta) PlugX samples.  Based on those non-unique characteristics, ThreatConnect assesses with low confidence that CrimsonIAS is an additional tool in Mustang Panda’s repertoire.