
If you knew only two things about China's state-sponsored advanced persistent threat (APT) Mustang Panda (aka TA416, Bronze President, Stately Taurus), they would probably be, first, that it frequently shifts its tactics, techniques, and procedures (TTPs), and second, that its focus is solely on geopolitical espionage.
But Mustang Panda seems to have diverged from that focus and has trained its sights on India's banking sector.
Square that with its most recently discovered campaign, which employs no novel TTPs and, though partly aimed at American and Korean public-policy circles, is directed largely at financial organizations in India. Despite the differences, researchers at Acronis believe this string of activity belongs to Mustang Panda, thanks to shared code, operational patterns, and more.
Mustang Panda's Attack Chain
The spear-phishing Mustang Panda has been performing ranges from halfway convincing to totally uninspired. Messages sent to targets in India seem to be disguised as basic IT help desk issues, though the researchers lacked any window into whatever email or text messages victims might have received.
While investigating the attacks in India, the researchers also found that the threat actor was running a Google account impersonating the American political scientist Victor Cha. Cha, formerly the director for Asian affairs for the National Security Council (NSC) during the George W. Bush administration, remains a highly influential figure on North Korea and South Korea, and Indo-Pacific security more generally. The threat actors used a headshot of Cha, and a generically faked email address — [email protected] — to target individuals involved in the US-Korea diplomatic community and policy circles.
By one means or another, in India, Korea, or the US, victims were prompted to open a malicious file. Viewing the file triggered a stereotypically Chinese dynamic link library (DLL) sideloading attack. After persistence was established via the Windows Registry, victims were rewarded with a variant of LotusLite, a backdoor built and maintained by this particular threat cluster within Mustang Panda, which it uses to establish shells, access files, and perform other remote operations for espionage.
This latest variant of LotusLite featured some minor edits to slightly more easily evade cybersecurity detection tools, nothing more. It was also superficially disguised to mimic legitimate banking software in the region where many of its targets were based. In a pop-up window message and an internal code function, the program used the name "HDFC Bank," referring to the largest private bank in the largest country in the world. It appears that the Korean and American targets of this campaign also received the ostensibly India-oriented malware.
Why Lazy TTPs Still Work
Mustang Panda's tradecraft may be stale, but it's not unique in that respect. "A significant portion of nation-state activity relies on simple, well-understood techniques executed with discipline," says Santiago Pontiroli, team lead for the Acronis Threat Research Unit (TRU). "Organizations that focus only on advanced or novel threats risk leaving themselves exposed to exactly this kind of campaign."
The group's evident laziness is understandable, he argues. "Even in environments with formal security programs, these techniques persist because basic controls are often inconsistently implemented. Most organizations, regardless of geography, still struggle with the fundamentals: maintaining visibility into endpoint activity, monitoring for unsigned or improperly loaded DLLs, and detecting abuse of legitimate signed binaries."
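The controls Pontiroli lists, visibility into DLL loads and unsigned or improperly loaded libraries, map directly onto the sideloading step described above. The following is an added detection sketch, not code from the article or from Acronis: it scores Sysmon Event ID 7 (ImageLoad) records for the classic pattern of an unsigned DLL loaded from the host executable's own directory, a user-writable path, or under a well-known system DLL name outside the Windows system directories. The events are constructed sample data, not indicators from the report.

```python
"""Flag likely DLL sideloading in Sysmon Event ID 7 (ImageLoad) records."""
import json
from pathlib import PureWindowsPath

SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Common Windows DLL names that sideloading payloads frequently borrow.
KNOWN_SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "wininet.dll", "userenv.dll"}

# Constructed sample events using Sysmon ImageLoad field names (not real telemetry).
SAMPLE_EVENTS = [
    json.dumps({"Image": "C:\\Users\\victim\\AppData\\Roaming\\HelpDesk\\viewer.exe",
                "ImageLoaded": "C:\\Users\\victim\\AppData\\Roaming\\HelpDesk\\version.dll",
                "Signed": "false", "Signature": ""}),
    json.dumps({"Image": "C:\\Program Files\\Vendor\\app.exe",
                "ImageLoaded": "C:\\Windows\\System32\\version.dll",
                "Signed": "true", "Signature": "Microsoft Windows"}),
    json.dumps({"Image": "C:\\Program Files\\Vendor\\app.exe",
                "ImageLoaded": "C:\\Program Files\\Vendor\\vendorcore.dll",
                "Signed": "true", "Signature": "Vendor Ltd"}),
]


def sideload_indicators(event: dict) -> list:
    """Return the list of sideloading indicators present in one ImageLoad event."""
    image = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    dll_low = str(dll).lower()
    reasons = []
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned DLL")
    if str(dll.parent).lower() == str(image.parent).lower():
        reasons.append("loaded from host executable directory")
    if dll_low.startswith(USER_WRITABLE):
        reasons.append("user-writable path")
    if dll.name.lower() in KNOWN_SYSTEM_DLLS and not dll_low.startswith(SYSTEM_DIRS):
        reasons.append("system DLL name outside system directory")
    return reasons


def is_suspicious(event: dict) -> bool:
    """An unsigned DLL plus at least one location indicator warrants review."""
    reasons = sideload_indicators(event)
    return "unsigned DLL" in reasons and len(reasons) >= 2


def scan_events(lines: list) -> list:
    """Parse JSON event lines and return (process, dll, reasons) for suspicious loads."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        if is_suspicious(event):
            alerts.append((event["Image"], event["ImageLoaded"], sideload_indicators(event)))
    return alerts
```

A signed vendor DLL loaded from its own install directory (third sample) is the normal case and is not flagged; only the unsigned library that also borrows a system DLL name from a user-writable path rises to an alert.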
Investing less in remarkable new tools and techniques doesn't just save time and effort in the short term; it also allows threat actors more flexibility in the long term. "It lowers development overhead and keeps tooling disposable. When a campaign is exposed, they can rotate minor indicators, swap the lure, and redeploy quickly. They are not investing in sophistication because they do not need to," Pontiroli explains.
China Spies on Indian Banks
Though the Korean policy-related targeting is more neatly up its alley, Mustang Panda's attacks against India's financial sector are also almost certainly motivated by intelligence gathering, not financial gain.
Pontiroli notes, "We did not observe LotusLite capabilities typically associated with banking malware, such as credential harvesting or payment interception. So the question is not 'Why target a bank for theft?' but 'Why target it for intelligence?'"
To that question, he answers, "India's banking sector, particularly institutions like HDFC Bank, sits at the intersection of several strategic intelligence interests. Financial institutions have visibility into cross-border transactions, government-linked accounts, infrastructure financing, and trade flows, all of which are valuable to a state-aligned actor. Access to this type of data can provide insight into capital movement, economic relationships, and internal policy direction."
He adds, "It may also support broader reconnaissance objectives, such as mapping critical infrastructure or expanding collection beyond traditional government and diplomatic targets."