A Chinese cyberespionage group named Bronze President, which also goes by the name Mustang Panda, has been using a malware named PlugX to target the computers of political leaders across the Europe, West Asia, South America.
The footprint of the attack bore similarities to previous attacks by Bronze President. The Chinese espionage group imitated official diplomatic notices and lured the government officials.
This was likely conducted by Chinese government sponsored Bronze President threat group, including the use of PlugX, file paths and naming schemes previously used by the threat group, the presence of shellcode in executable file headers, and politically themed decoy documents that align with regions where China has interests.
PlugX is modular malware that contacts a C2 server for tasking and can download additional plugins to enhance its capability beyond basic information gathering. Embedded within RAR archive files. Upon opening the file, the user is shown a Windows shortcut (LNK) file.
Once the user clicks on the LNK file, the Plux malware is loaded, decrypted and executed in the system. Opening the mail could compromised the official.
Organisations in geographic regions of interest to China should closely monitor this group’s activities, especially organisations associated with or operating as government agencies concludes the report.
This research was documented by researchers from Secureworks Counter Threat Unit.