{"id":1931,"date":"2023-05-03T17:50:47","date_gmt":"2023-05-03T15:50:47","guid":{"rendered":"https:\/\/lab52.io\/blog\/?p=1931"},"modified":"2023-05-09T12:28:52","modified_gmt":"2023-05-09T10:28:52","slug":"new-mustang-pandas-campaing-against-australia","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/new-mustang-pandas-campaing-against-australia\/","title":{"rendered":"New Mustang Panda\u2019s campaign against Australia"},"content":{"rendered":"\n<p>AUKUS (Australia-United Kingdom-United States) is a strategic military alliance between these countries that became a reality in 2021, whose main objective is to build nuclear-powered submarines to counter the threat from China in the Indo-Pacific region. This agreement also includes the sharing of cyber capabilities and other submarine technologies. Some sources point out that this is not a security pact, but is rather intended to &#8220;elevate the intelligence and deterrence value of conventional capabilities&#8221;.<\/p>\n\n\n\n<p>The key facts of this alliance are as follows:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The US pledged to invest $4.6 billion in the deal. Australia, for its part, will buy at least three second-hand submarines from the US early in the next decade. However, the US Congress has yet to approve this transaction. In addition, Australia will build a fleet of eight nuclear submarines. The first of these is expected to be ready in 2042.<\/li><li>This partnership has upset both France and China. Australia will terminate the contract awarded to France to build 12 diesel-electric submarines. The importance of nuclear submarines is reflected in their capabilities: compared to conventional submarines, they have a longer range, are harder to detect, can remain submerged for months and have a greater carrying capacity. 
However, they are larger, which makes nuclear submarines more vulnerable to attack from the surface.<\/li><li>Last year, China called the deal &#8220;destabilising&#8221; and &#8220;provocative&#8221;. Mao Ning, spokesperson for China&#8217;s Foreign Ministry, said at a press conference on 9th March that Australia is contributing to the proliferation of nuclear weapons, is promoting an arms race and that this agreement only destabilises the Asia-Pacific region. In addition, China issued the following threat: &#8220;Australian troops are also more likely to be the first group of Western soldiers to waste their lives in the South China Sea&#8221;.<\/li><\/ul>\n\n\n\n<p>The Lab52 team had already identified the possibility that actors associated with China, especially Mustang Panda, could carry out attacks against the Australian government, and notified its clients accordingly.<\/p>\n\n\n\n<p>Lab52 has found a zip file named <em>Biography of Senator the Hon Don Farrell.zip<\/em>. Hon Don Farrell is the current Australian Secretary of State for Trade and Tourism, indicating a targeted campaign against Australia.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"752\" height=\"445\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-4.png\" alt=\"\" class=\"wp-image-1932\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-4.png 752w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-4-300x178.png 300w\" sizes=\"(max-width: 752px) 100vw, 752px\" \/><figcaption>Illustration 1 Senator Hon Don Farrell&#8217;s profile<\/figcaption><\/figure><\/div>\n\n\n\n<p>The zip drops two files. 
On the one hand, the legitimate Solid PDF Creator application for processing PDF files, renamed as \u201c<em><a href=\"https:\/\/www.virustotal.com\/gui\/file\/e2acbc36c2cce4050e34033c12f766fea58b4196d84cf40e979fac8fed24c942\">Biography of Senator the Hon Don Farrell\/Biography of Senator the Hon Don Farrell.exe<\/a>\u201d<\/em>; on the other hand, a malicious payload named SolidPDFCreator.dll. Persistence is achieved by the stager by means of DLL side-loading, as shown in Illustration 2 and in the command below.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"863\" height=\"289\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-5.png\" alt=\"\" class=\"wp-image-1933\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-5.png 863w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-5-300x100.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-5-768x257.png 768w\" sizes=\"(max-width: 863px) 100vw, 863px\" \/><figcaption><em>Illustration 2 Stage activity <\/em><\/figcaption><\/figure><\/div>\n\n\n\n<pre><code>C:\\Windows\\SysWOW64\\cmd.exe \/C copy SolidPDFCreator.dll C:\\Users\\Public\\Libraries\\PhotoTvRHD\\SolidPDFCreator.dll &amp; reg add &quot;HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run&quot; \/v SolidPDF \/t reg_sz \/d &quot;C:\\Users\\Public\\Libraries\\PhotoTvRHD\\SolidPDFCreator.exe&quot; \/F &amp; schtasks \/F \/Create \/TN SolidPDF \/SC minute \/MO 1 \/TR C:\\Users\\Public\\Libraries\\PhotoTvRHD\\SolidPDFCreator.exe<\/code><\/pre>\n\n\n\n<p>After that, the stager tries to impersonate ordinary Microsoft update traffic by hardcoding the legitimate Host header <a href=\"http:\/\/www.asia.microsoft.com\">www.asia.microsoft.com<\/a>, while the request is actually sent to 123.253.35[.]231, which acts as the C2.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"886\" 
height=\"297\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-6.png\" alt=\"\" class=\"wp-image-1934\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-6.png 886w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-6-300x101.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/image-6-768x257.png 768w\" sizes=\"(max-width: 886px) 100vw, 886px\" \/><figcaption>Illustration 3 Stage request<\/figcaption><\/figure><\/div>\n\n\n\n<p>It is worth noting that, unlike its usual behaviour, it does not download the PlugX malware in the first instance; instead, similar to what Talos Intelligence [1] and Cisco [2] reported previously, it uses a custom-developed stager that subsequently provides the attacker with a reverse shell for deploying PlugX.<\/p>\n\n\n\n<p>As can be seen, China has developed cyber capabilities that allow it to respond quickly to any geopolitical event that might affect its interests. China regards the AUKUS treaty as a regional destabilisation, and more campaigns targeting Australia are expected. 
Lab52 highlights how tracking and monitoring events in international relations allows us to understand the motivations of key state actors.<\/p>\n\n\n\n<p>IOC<\/p>\n\n\n\n<p>123.253.35[.]231<\/p>\n\n\n\n<p>References<\/p>\n\n\n\n<p>[1] &#8211; https:\/\/blog.talosintelligence.com\/mustang-panda-targets-europe\/<\/p>\n\n\n\n<p>[2] &#8211; https:\/\/gblogs.cisco.com\/jp\/2022\/05\/talos-mustang-panda-targets-europe\/<\/p>\n","protected":false},"excerpt":{"rendered":"<p>AUKUS (Australia-United Kingdom-United States) is a strategic military alliance between these countries that became a reality in 2021, whose main objective is to build nuclear-powered submarines to counter the threat from China in the Indo-Pacific region. This agreement also includes the sharing of cyber capabilities and other submarine technologies. 
Some sources point out that this [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":1938,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[21],"tags":[63],"class_list":{"0":"post-1931","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-apt","8":"tag-mustangpanda","9":"entry"},"featured_image_src":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/Image20230503174020-600x400.png","featured_image_src_square":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/05\/Image20230503174020-600x600.png","author_info":{"display_name":"Dex","author_link":"https:\/\/lab52.io\/blog\/author\/dex\/"},"_links":{"self":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/1931"}],"collection":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/comments?post=1931"}],"version-history":[{"count":7,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/1931\/revisions"}],"predecessor-version":[{"id":1942,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/1931\/revisions\/1942"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media\/1938"}],"wp:attachment":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media?parent=1931"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/categories?post=1931"},{"taxonomy":"post_tag","embeddable":true,"href"
:"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/tags?post=1931"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}