Updated attack arsenal flaunted by Mustang Panda
Chinese advanced persistent threat operation Mustang Panda, also known as Bronze President, Earth Preta, Basin, and Red Delta, has leveraged new ToneShell backdoor variants, the novel StarProxy tool, the Paklog and Corklog keyloggers, and the SplatCloak EDR bypass driver in a new attack against a Myanmar-based organization, according to SecurityWeek.
While the trio of updated ToneShell versions prioritizes payload execution and improved evasion of network-based detection through a new FakeTLS command-and-control communication protocol, Mustang Panda's new StarProxy tool uses TCP sockets to proxy traffic, a report from Zscaler ThreatLabz showed. Moreover, the Paklog keylogger stores gathered keystrokes locally, while the Corklog keylogger not only keeps the collected information encrypted but also establishes persistence. Mustang Panda has also used the SplatDropper utility to deliver the SplatCloak driver, which deactivates security software and resolves Windows API functions, said researchers, who noted overlaps between the new tools and the threat group's custom PlugX variant.