Google Drive malware is targeting governments around the world
A Chinese state-sponsored threat actor known as Mustang Panda is targeting government organizations and researchers around the world with three malware variants hosted on Google Drive, Dropbox, and similar cloud storage solutions.
Trend Micro researchers recently spotted the new malware campaign, targeting mostly organizations located in Australia, Japan, Taiwan, Myanmar, and the Philippines.
The campaign began in March 2022 and lasted until at least October. The attackers would craft a phishing email and send it to a bogus address while keeping the actual victim in CC. That way, the researchers assume, the attackers hoped to minimize the chances of being picked up by antivirus tools, email security solutions, and similar.
Delivering malicious archives
“The email’s subject might be empty or might have the same name as the malicious archive,” the report states. “Rather than add the victims’ addresses to the email’s “To” header, the threat actors used fake emails. Meanwhile, the real victims’ addresses were written in the “CC” header, likely to evade security analysis and slow down investigations.”
Another thing they did to avoid detection is store the malware on legitimate cloud storage solutions, in a .ZIP or .RAR file, as these platforms are usually whitelisted by security tools. However, should the victim fall for the trick, download and run the archive file, they’d be getting these three custom malware strains: PubLoad, ToneIns, and ToneShell.
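The two delivery traits described above, internal recipients placed only in the "CC" header and an archive fetched from whitelisted cloud storage, are both visible in mail metadata, so they can be scored at the gateway before any payload is analyzed. The following Python script is an added example written for this article, not code from Trend Micro or from the cited report. The internal domain (`example.gov`), the cloud-storage host list, and the two sample messages are all constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import getaddresses
from urllib.parse import urlsplit

# Assumed: the defended organization's mail domains (constructed value).
INTERNAL_DOMAINS = {"example.gov"}
# Cloud-storage hosts that are typically allow-listed by gateways.
CLOUD_HOSTS = ("drive.google.com", "docs.google.com", "dropbox.com")
ARCHIVE_EXT = re.compile(r"\.(zip|rar)$", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")


def _domains(header_value):
    """Return the set of mail domains named in an address header."""
    pairs = getaddresses([header_value or ""])
    return {addr.rsplit("@", 1)[-1].lower() for _, addr in pairs if "@" in addr}


def _is_cloud_host(host):
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in CLOUD_HOSTS)


def analyze_message(raw):
    """Score one RFC 822 message for the delivery traits described in the article.

    Returns {"findings": [...], "score": n}; each finding is one observable
    trait, so score == number of traits present.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Trait 1: real (internal) recipients hidden in Cc while To is a decoy.
    internal_in_to = _domains(msg.get("To")) & INTERNAL_DOMAINS
    internal_in_cc = _domains(msg.get("Cc")) & INTERNAL_DOMAINS
    if internal_in_cc and not internal_in_to:
        findings.append("internal recipients only in Cc")

    # Trait 2: empty subject, or subject equal to the archive's file name.
    subject = (msg.get("Subject") or "").strip()
    if not subject:
        findings.append("empty subject")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""

    # Trait 3: archive download link hosted on allow-listed cloud storage.
    for url in URL_RE.findall(text):
        parts = urlsplit(url.rstrip(".,;)"))
        filename = parts.path.rsplit("/", 1)[-1]
        if _is_cloud_host(parts.hostname or ""):
            findings.append(f"cloud-storage link: {parts.hostname.lower()}")
        if ARCHIVE_EXT.search(filename):
            findings.append("archive download link")
            if subject.lower() == filename.lower():
                findings.append("subject equals archive file name")

    return {"findings": findings, "score": len(findings)}


# Constructed sample: decoy To, victim in Cc, subject named after the archive,
# archive served from a cloud-storage host. The URL is a placeholder.
SAMPLE_SUSPICIOUS = """\
From: sender@example.net
To: nobody@decoy.example.org
Cc: analyst@example.gov
Subject: report.rar
Content-Type: text/plain; charset=utf-8

Please review: https://drive.google.com/file/d/PLACEHOLDER/report.rar
"""

# Constructed benign sample: internal recipient addressed directly, no links.
SAMPLE_BENIGN = """\
From: colleague@example.gov
To: analyst@example.gov
Subject: Meeting notes
Content-Type: text/plain; charset=utf-8

Notes from today's meeting are in the shared folder.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, analyze_message(sample))
```

Each finding on its own is weak evidence (plenty of legitimate mail lands in CC, and plenty of legitimate archives sit on Drive), which is why the script reports a count rather than a verdict; a gateway rule would typically quarantine or flag for review only when several traits coincide, and the archive itself would still go to sandboxing.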
PubLoad is a stager, used to download the next-stage payload from its C2 server. It also adds new registry keys and scheduled tasks to establish persistence. ToneIns is an installer for ToneShell, which is the main backdoor. While the process might sound overly complex, it works as an anti-sandbox mechanism, the researchers explained, as the backdoor won’t execute in a debugging environment.
The malware’s main job is to upload, download, and execute files. It can create shells for intranet data exchange, or change sleep configuration, among other things. The malware’s gotten a couple of new features lately, the researchers are saying, suggesting that Mustang Panda is hard at work, improving its toolkit and growing more dangerous by the day.
Via: BleepingComputer