This threat actor targets non-governmental organizations using Mongolian-themed lures for espionage purposes. In April 2017, CrowdStrike Falcon Intelligence observed a previously unattributed actor group with a Chinese nexus targeting a U.S.-based think tank. Further analysis revealed a wider campaign with unique tactics, techniques, and procedures (TTPs). This adversary targets non-governmental organizations (NGOs) in general, but uses Mongolian-language decoys and themes, suggesting a specific focus on gathering intelligence on Mongolia. These campaigns involve the use of shared malware such as Poison Ivy or PlugX. Recently, Falcon Intelligence observed new activity from MUSTANG PANDA using a unique infection chain to target likely Mongolia-based victims. This newly observed activity uses a series of redirections and fileless, malicious implementations of legitimate tools to gain access to the targeted systems. Additionally, MUSTANG PANDA actors reused previously observed legitimate domains to host files.
Also known as
BRONZE PRESIDENT, HoneyMyte, Red Lich, TEMP.HEX, BASIN, Earth Preta, TA416, Stately Taurus, LuminousMoth, Polaris, TANTALUM, Twill Typhoon.
Actor metadata imported from Malpedia (Fraunhofer FKIE).