EU diplomats targeted by Chinese attackers via Windows exploit
"The campaign by the Chinese attacker, also known as 'Mustang Panda,' began with spearphishing emails that reached executives in diplomatic services. These emails contained the malicious .lnk files, packaged as invitations to European Commission meetings and NATO workshops. Using hidden PowerShell commands, they loaded the PlugX remote access trojan (RAT). The attack chain contains more layers than that. After executing the .lnk file, a tar archive is decrypted containing a legitimate Canon tool, including a valid digital signature."
"This is abused via DLL side-loading to execute malicious code. The RC4-encrypted PlugX file then runs in memory within the trusted Canon process. The campaign shows a tactical evolution of UNC6384, Arctic Wolf Labs notes. Whereas the group was previously active in Southeast Asia, it is now focusing on Europe. Hungary and Belgium are confirmed targets, but Serbia, Italy, and the Netherlands have also been targeted."
UNC6384, also known as Mustang Panda, targeted diplomatic and defense-related entities in the Netherlands, Belgium, Italy, Hungary, and Serbia over a two-month campaign. Attackers used spearphishing emails with malicious .lnk shortcut files disguised as European Commission and NATO meeting invitations. Executing the .lnk invoked hidden PowerShell commands that decrypted a tar archive containing a legitimately signed Canon tool, which was abused via DLL side-loading. An RC4-encrypted PlugX remote access trojan then ran in memory inside the trusted Canon process. The exploited Windows vulnerability is tracked as ZDI-CAN-25373 and lacks a Microsoft patch.
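Defender-side detection logic for the chain summarized above, added here as an example and not code from Techzine or Arctic Wolf. It runs over constructed, simplified Sysmon-style events with placeholder paths (the vendor tool name, DLL name, user name and pids are assumptions) and flags the two observable steps of this chain: explorer.exe launching PowerShell with a hidden window (a double-clicked shortcut), and a signed executable outside the system directories loading an unsigned DLL from its own folder, then links the second back to the first by walking the process tree.

```python
import re
from pathlib import PureWindowsPath
# Constructed, simplified Sysmon-style events with placeholder paths (not from the article).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TOOL = r"C:\Users\alice\AppData\Local\Temp\inv\vendor_tool.exe"  # hypothetical signed vendor binary
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "ppid": 1200, "parent": r"C:\Windows\explorer.exe",
     "image": PS, "cmdline": 'powershell.exe -w hidden -nop -c "..."'},
    {"type": "process", "pid": 4188, "ppid": 4120, "parent": PS, "image": TOOL, "signed": True},
    {"type": "imageload", "pid": 4188, "image": TOOL, "signed": True,
     "loaded": r"C:\Users\alice\AppData\Local\Temp\inv\helper.dll", "loaded_signed": False},
    {"type": "process", "pid": 5000, "ppid": 1200, "parent": r"C:\Windows\explorer.exe",
     "image": PS, "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},  # benign
    {"type": "imageload", "pid": 4188, "image": TOOL, "signed": True,
     "loaded": r"C:\Windows\System32\kernel32.dll", "loaded_signed": True},  # benign
]

TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
def basename(p): return PureWindowsPath(p).name.lower()

def hidden_powershell_from_explorer(ev):
    """explorer.exe (a double-clicked shortcut) launching PowerShell with a hidden window."""
    return (ev["type"] == "process" and basename(ev["parent"]) == "explorer.exe"
            and basename(ev["image"]) == "powershell.exe" and HIDDEN_RE.search(ev["cmdline"]) is not None)

def unsigned_dll_beside_signed_exe(ev):
    """Signed EXE outside Windows/Program Files loading an unsigned DLL from its own directory."""
    if ev["type"] != "imageload" or not ev["signed"] or ev["loaded_signed"]:
        return False
    exe_dir = PureWindowsPath(ev["image"]).parent
    return (PureWindowsPath(ev["loaded"]).parent == exe_dir
            and not str(exe_dir).lower().startswith(TRUSTED_ROOTS))

RULES = {"hidden-powershell-from-explorer": hidden_powershell_from_explorer,
         "unsigned-dll-beside-signed-exe": unsigned_dll_beside_signed_exe}

def triage(events):
    """Return (event index, rule name) for every event matching a rule."""
    return [(i, n) for i, ev in enumerate(events) for n, rule in RULES.items() if rule(ev)]

def spawned_by_flagged_powershell(events, pid):
    """Walk the parent chain of pid: was an ancestor a PowerShell flagged by the hidden-window rule?"""
    by_pid = {ev["pid"]: ev for ev in events if ev["type"] == "process"}
    while pid in by_pid:
        if hidden_powershell_from_explorer(by_pid[pid]):
            return True
        pid = by_pid[pid]["ppid"]
    return False
```

On the sample data `triage` flags events 0 and 2 only, and the side-loaded process 4188 is traced back to the hidden PowerShell while the benign backup script (pid 5000) is not.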
Read at Techzine Global