# Panda Goes Full Global ##### How MustangPanda refuses to abandon PlugX ###### Still Hsu ----- ### whoami ###### Still Hsu / Azaka Sekai 安坂星海 Threat Intelligence Researcher @ TeamT5 Topic of interest .NET Windows Gaming & malware reverse engineering Non-binary (they/them) ----- ### Disclaimer ###### Collaborated research with Sean Sabo @ Recorded Future ----- ## History ----- ### History Lesson Time!  Polaris (better known as MustangPanda) ###### has been active since 2011.  China-based APT group  Highly interested in antique infection ###### methods via USB devices (especially post- 2019) or third-party web hosts.  Previously focused its campaigns on ###### (South) East Asian territories  Myanmar  Mongolia  Philippines  Japan  …many more ----- ### History Lesson Time!  Polaris loves using PlugX and refuses to ###### abandon it.  Various PlugX variants were developed ###### over the years  PlugX Fast  “THOR” variant  PlugDisk  PlugX + UDiskShell/USB infection ability  MiniPlug  Miniaturized/rewrite version of PlugX  we’ll get to this one later ----- ### History Lesson Time! #### So what’s new?  Expanded territory  New tech (but also not really)  Less blatant (but also not really) ----- ## Expanded Territory ----- ### Previously… ----- ### Now… ----- ## So what happened? ###### A quick rundown in ten minutes or so... ----- ### Another Brief History Lesson  Everything before...  Prepended 10-byte XOR decoding key in blobs  Used simple stack strings to avoid basic ###### detections  Late 2020  Increased XOR key length  Late 2021  Detected PlugDisk  New payload encoding scheme  Control-flow flattening obfuscation began to ###### crop up  Custom OLLVM implementation ----- ###### Earlier stackstring-only command handler ----- ###### Control-flow flattened command handler ----- ###### New payload encoding scheme ----- ### Another Brief History Lesson  Some time around mid January 2022, a ###### mysterious sample triggered our detection system.  `State_aid__Commission_approves_` ``` 2022 2027_regional_aid_map_for_Greec e.exe ```  `d404e3cd5f1c6a50f10f56f5c5b9c1e` ``` 3 ```  What did the detection flag the sample as? ###### PlugDisk ----- ###### Execution flow ----- ###### Execution flow ----- ###### Slightly modified payload encoding scheme ----- ### But hang on...  Polaris had barely specifically targeted EU ###### up until this point.  TTPs are wildly different from before.  Different payload encoding scheme  Downloader  Targets EU  Slightly different PlugX behavior ----- ### But hang on...  Slightly different PlugX behavior  Much smaller PlugX  Contains fewer command code support  HTTP headers are now almost completely ###### different from before  Hard to fully disassemble due to the level of ###### obfuscation  We now refer this variant as MiniPlug due ###### to the miniaturized nature of it ----- ### We kept observing...  Polaris continued to tamper with the ###### encoding schemes  Single-byte XOR  Single-byte XOR + appended shellcode  We’ll get back to this  Skipping X number of bytes + single ###### byte XOR  Mathematical XORs based on filesizes  Use of archive files and obscure file paths.  EU-targeted attacks continue along with ###### other campaigns and regions featuring PlugX and other custom malware ----- ### We kept observing...  The appended shellcode could be dated ###### back much earlier on in the operation that was previously attributed to Polaris back in 2018.  Code reuse -> further attributing the attack ###### to Polaris ----- ###### Self-XORing shellcode loader ----- ### We kept observing... ######  Over the last few months, they’ve continued to evolve TTPs by...  Started experimenting with more and more launchers  Started using ISOs as distribution method  Extremely frequent attacks (at least once or twice per month) ----- ###### Bundled decoy document within the PE Rotated C2 servers almost every attack ----- ### Conclusion ######  Polaris/MustangPanda is continuing to evolve their TTPs  Frequent attacks  Now carry multiple campaigns focusing on a wide variety of targets  EU-related governmental entities <-> MiniPlug  Asia-focused USB spreader/general monitoring <-> PlugDisk / PlugX Fast  Long-time operation  SEA-focused high-profile ops <-> NoFive  Perhaps another day... ----- ## THANK YOU! ###### links.azaka.fun still@teamt5.org sean.sabo@recordedfuture.com -----