The PolySwarm Blog


Mustang Panda Used DOPLUGS PlugX Variant to Target Asia

Mar 1, 2024 12:24:02 PM / by The Hivemind

Mustang Panda

Related Families: KillSomeOne, PlugX, Hodur, REDDELTA

Executive Summary

Mustang Panda was observed leveraging DOPLUGS to target entities in Asia. DOPLUGS is a custom PlugX variant.

Key Takeaways

  • Mustang Panda was observed leveraging DOPLUGS to target entities in Asia.
  • DOPLUGS is a customized variant of PlugX.
  • Mustang Panda used spearphishing and malicious documents to deliver the malware.
  • Mustang Panda is a China-nexus threat actor group that has been active since at least 2012.

What is DOPLUGS?

Mustang Panda was observed leveraging DOPLUGS to target entities in Asia. Trend Micro recently reported on this activity.

Last year, Trend Micro researchers obtained a customized piece of PlugX malware that was the same malware used in the SMUGX campaign. The SMUGX campaign, which Check Point reported on in July 2023, focused on the threat actor’s use of the malware to target entities in Europe. Trend Micro’s discoveries indicate that the campaign had at least two prongs, with entities in Asia being targeted as well. More specifically, they noted targets in Taiwan, Vietnam, Singapore, Hong Kong, Japan, India, Malaysia, and Mongolia. The campaign was active in 2022 and 2023.

Trend Micro researchers noted that the malware, dubbed DOPLUGS, differs from the commonly seen PlugX malware, which carries a complete backdoor command module. Instead, the analyzed variant is used to download the more commonly seen variant. DOPLUGS also uses the KillSomeOne module, a USB worm first seen in the wild in 2020.

The threat actors leveraged spearphishing emails and malicious documents with current-events themes to social engineer targets. The emails contained a Google Drive link hosting a password-protected archive that delivered DOPLUGS. Malicious LNK files were disguised as legitimate documents and compressed in a RAR archive. When the victim opens the LNK file, an MSI file is downloaded, and three files are dropped: a legitimate .exe file, a malicious .dll file, and a .dat file, which is the encrypted payload.

DOPLUGS is a downloader that has four backdoor commands. One command starts a CMD shell; a second splits the data received from the C2 on commas; a third downloads the more commonly seen type of PlugX malware; and a fourth removes persistence. All data sent to and from the C2 is RC4 encrypted.
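The post describes the C2 channel as RC4-encrypted and comma-delimited. The following analyst helper, added here as an example and not taken from the PolySwarm post or Trend Micro's report, decrypts a captured message and splits it into fields; the RC4 key, the sample message and its field layout are assumptions constructed for illustration, since the real key comes from analysis of a sample.

```python
# Added example (not from the PolySwarm post or Trend Micro's report): an analyst
# helper for decoding DOPLUGS-style C2 traffic, which the post describes as
# RC4-encrypted and comma-delimited. The key, the message text and its field
# layout are assumptions for illustration, not values recovered from the malware.


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_c2_message(key: bytes, blob: bytes) -> list[str]:
    """Decrypt one captured C2 message and split it into comma-delimited fields."""
    plain = rc4(key, blob)
    try:
        text = plain.decode("utf-8")
    except UnicodeDecodeError as exc:
        # A wrong key yields pseudo-random bytes; report that rather than returning garbage.
        raise ValueError("decryption produced non-UTF-8 data; check the RC4 key") from exc
    return text.split(",")


# Constructed sample: an assumed key and a made-up three-field message, encrypted
# here with the same routine so the example runs offline.
ASSUMED_KEY = b"example-rc4-key"
SAMPLE_BLOB = rc4(ASSUMED_KEY, b"download,https://example.invalid/stage2.bin,0")

if __name__ == "__main__":
    for idx, field in enumerate(decode_c2_message(ASSUMED_KEY, SAMPLE_BLOB)):
        print(f"field[{idx}] = {field}")
```

The RC4 routine can be checked against the well-known test vector (key "Key", plaintext "Plaintext") before it is trusted on real captures.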

Who is Mustang Panda?

Mustang Panda, also known as Earth Preta, Red Delta, Basin, Camaro Dragon, HoneyMyte, Red Lich, Stately Taurus, TA416, and Bronze President, is a China-nexus threat actor group. Mustang Panda has been active since at least 2012 but was first identified by CrowdStrike in 2017. Mustang Panda is known to target think tanks and NGOs, with a particular interest in issues related to Mongolia. Mustang Panda heavily uses PlugX and its variants, including Hodur, REDDELTA, and DOPLUGS. They also leverage Poison Ivy as part of their arsenal.

IOCs

PolySwarm has multiple samples associated with DOPLUGS.


You can use the following CLI command to search for all DOPLUGS samples in our portal:

$ polyswarm link list -f DOPLUGS



Topics: Threat Bulletin, China, Asia, APAC, DOPLUGS, Mustang Panda, SMUGX
