ESET Research has discovered a still-ongoing cyberespionage campaign using a previously undocumented Korplug variant by the Mustang Panda APT group. The current campaign exploits the war in Ukraine and other European news topics. Known victims include research entities, internet service providers (ISPs), and European diplomatic missions mostly located in East and Southeast Asia. ESET researchers named this new Korplug variant Hodur due to its resemblance to the THOR variant documented in 2020. In Norse mythology, Hodur is Thor’s blind half-brother.
Victims of this campaign are likely lured with phishing documents abusing the latest events in Europe such as Russia’s invasion of Ukraine. The invasion has resulted in more than three million residents fleeing the war to neighboring countries according to the UNHCR, leading to an unprecedented crisis on Ukraine’s borders. One of the filenames related to this campaign is “Situation at the EU borders with Ukraine.exe”.
Other phishing lures mention updated COVID-19 travel restrictions, an approved regional aid map for Greece, and a Regulation of the European Parliament and of the Council. The final lure is a real document available on the European Council’s website. This shows that the APT group behind this campaign is following current affairs and is able to successfully and swiftly react to them.
“Based on code similarities and the many commonalities in Tactics, Techniques, and Procedures, ESET researchers attribute this campaign with high confidence to Mustang Panda, also known as TA416, RedDelta, or PKPLUG. It is a cyberespionage group mainly targeting governmental entities and NGOs,” explains ESET malware researcher Alexandre Côté Cyr who discovered Hodur. Victims of Mustang Panda are mostly, but not exclusively, located in East and Southeast Asia with a focus on Mongolia. The group is also known for its campaign targeting the Vatican in 2020.
While ESET researchers haven’t been able to identify the verticals of all victims, this campaign seems to have the same targeting objectives as other Mustang Panda campaigns. Following the APT’s typical victimology, most victims are located in East and Southeast Asia, along with some in European and African countries. According to ESET telemetry the vast majority of targets are located in Mongolia and Vietnam, followed by Myanmar, with only a few in other affected countries, namely Greece, Cyprus, Russia, South Sudan, and South Africa. Identified verticals include diplomatic missions, research entities, and ISPs.
Mustang Panda’s campaigns frequently use custom loaders for shared malware including Cobalt Strike, Poison Ivy, and Korplug (also known as PlugX). The group has also been known to create its own Korplug variants. “Compared to other campaigns using Korplug, every stage of the deployment process utilizes anti-analysis techniques and control-flow obfuscation, to make the investigation more difficult for us malware researchers,” concludes Côté Cyr.