Mustang Panda Uses New Hodur Malware

A China-based APT known as Mustang Panda is linked to an ongoing cyber-espionage campaign using PlugX trojan for remote access on infected machines.

ESET called the new version Hodur because of its resemblance to another PlugX also known as Korplug variant called THOR.

The victims are in East and Southeast Asia, few are in Europe and Africa. Victims include research institutions, Internet service providers and European diplomatic missions primarily located in East and Southeast Asia as a target

Mustang Panda, also known as TA416, HoneyMyte, RedDelta or PKPLUG, is a cyber espionage group that is best known for its targeting of non-governmental organizations with a specific focus on Mongolia.

The latest is a real document available on the European Council’s website. It shows that the APT group behind this campaign follows current events and is able to respond successfully and quickly. Though the phishing lure used, the infections culminate in the deployment of the Hodur backdoor on the compromised Windows host.

The similarities include the use of the SoftwareCLASSESms-pu registry key, the same format for C2 servers in the configuration and use of the Static window class.

Hodur, for its part, is equipped to process a variety of commands, allowing the implant to collect extensive system information, read and write arbitrary files, execute commands and start a remote cmd.exe session.

ESET’s findings are in line with public disclosures from Google’s Threat Analysis Group (TAG) and Proofpoint, both of which a Mustang Panda campaign detailed to distribute an updated PlugX variant earlier this month.

The decoys used in this campaign demonstrate how quickly the Mustang Panda can respond to world events.This group also demonstrates the ability to iteratively improve its tools, including the signature use of trident downloaders to implement Korplug.