China Hijacks Captive Portals to Spy on Asian Diplomats


A still from the Chinese TV drama "Borrow Gun"

Source: Imaginechina Limited via Alamy Stock Photo

Chinese state hackers have been hijacking captive portal checks to deliver malware couched as Adobe software.

Google researchers have attributed the activity to an espionage group associated with Mustang Panda (aka Bronze President, Stately Taurus, TA416), which they refer to as UNC6384. The threat actor appears to have targeted Southeast Asian diplomats in particular, and other unidentified entities around the globe, between approximately March and July of this year.

Patrick Whitsell, senior security engineer for Google's Threat Intelligence Group (GTIG), reports that around two dozen victims were likely compromised. But because GTIG studied only Google Chrome users, "more [victims] were likely targeted that we did not observe, as it's entirely possible to replicate this hijacking technique in other browser captive portals as well."

Mustang Panda's Infection Chain

The attack chain cleverly combined some staples of Chinese advanced persistent threat (APT) activity, like compromised edge devices, dynamic link library (DLL) sideloading, and the ubiquitous PlugX malware. The way it began, however, was rather uncommon.

When a device joins a new network, or switches from one network to another, the browser (and often the operating system) runs a connectivity check: it sends a request to a fixed, well-known URL and compares the reply with the one it expects. If the expected reply comes back, the network is treated as open; if anything else comes back, the browser assumes a captive portal is in the way and shows the user whatever page the network returned. Captive portals are those login pages that stand between you and a Wi-Fi connection, for example when you want to connect on a plane or at a hotel.


The trick to Mustang Panda's latest campaign was to get in between the user and that connectivity check. Google researchers believe the hackers compromised edge devices in the targets' networks and used them to intercept the check made, in these cases, by the Google Chrome browser. Because the browser trusts whatever the network answers at that moment, the infected edge devices could redirect users to a website the attackers controlled, and the browser presented it as if it were the network's own sign-in page.

That malicious landing page was blank, save for a notice that the user must install missing plug-ins in order to display the content of the page. Suspicious though that may have looked, the site did enjoy a valid TLS/SSL certificate issued by Let's Encrypt. That allowed users to connect via HTTPS and eliminated potential browser security warnings like the classic "Your connection is not private."
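The check described above, and a first pass at spotting the lure page, as an added example (this is not code from Google's report or from the article). It assumes a Chromium-style probe that expects an empty HTTP 204 from a fixed URL; the probe URL, the hostnames and the sample responses are constructed for illustration, and the lure indicators are derived from the article's description of the landing page.

```python
"""Captive-portal probe check: how a browser tells 'open network' from
'captive portal' from 'something rewrote the probe reply'.

Added example, not Google's or the article's code. Assumptions not stated in
the article: the probe URL and the expected empty 204 follow the Chromium-style
pattern; every response and hostname below is constructed, not captured.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from urllib.parse import urlparse

PROBE_URL = "http://www.gstatic.com/generate_204"  # assumption: Chromium-style probe


@dataclass
class ProbeResponse:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""

    def header(self, name: str) -> str:
        # HTTP header names are case-insensitive; normalise the lookup.
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), "")


def classify_probe(resp: ProbeResponse) -> tuple[str, str]:
    """Classify one probe response.

    A clean path returns the expected empty 204. A portal (legitimate or not)
    answers the probe itself, normally with a redirect. Anything else that is
    not a 204 means an on-path device rewrote the reply.
    """
    if resp.status == 204 and not resp.body:
        return ("open", "")
    if resp.status in (301, 302, 303, 307, 308):
        host = urlparse(resp.header("Location")).hostname
        if not host:
            return ("tampered", "redirect without a usable Location header")
        # The redirect target is where the user will land: record it for review.
        # A valid TLS certificate on that host says nothing about its intent.
        return ("portal_redirect", host)
    if resp.status == 200:
        ctype = resp.header("Content-Type") or "no content type"
        return ("tampered", f"200 with {ctype} in place of 204")
    return ("unknown", f"unexpected status {resp.status}")


# Indicators of the lure the article describes: a near-empty page telling the
# user to install "missing plug-ins", with a link to a Windows executable.
_LURE_PATTERNS = {
    "plugin_install_text": re.compile(r"install[^<]{0,40}plug-?ins?", re.I),
    "exe_download_link": re.compile(r"""href=["'][^"']+\.(?:exe|msi)(?:["']|\?)""", re.I),
    "adobe_lure": re.compile(r"adobe", re.I),
}


def landing_page_flags(html: str) -> list[str]:
    """Return the names of lure indicators present in a portal landing page."""
    return [name for name, pat in _LURE_PATTERNS.items() if pat.search(html)]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface redirects as HTTPError instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_probe(url: str = PROBE_URL, timeout: float = 5.0) -> ProbeResponse:
    """Issue the probe without following redirects (needs network access)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as r:
            return ProbeResponse(r.status, dict(r.headers), r.read())
    except urllib.error.HTTPError as e:
        return ProbeResponse(e.code, dict(e.headers), e.read())


# Constructed sample responses (not captured traffic).
CLEAN = ProbeResponse(204, {"Content-Length": "0"})
HIJACKED = ProbeResponse(302, {"Location": "https://portal.example.invalid/index.html"})
INLINE_PAGE = ProbeResponse(200, {"Content-Type": "text/html"}, b"<html>...</html>")
LURE_HTML = (
    "<html><body>Missing plug-ins. Please install the Adobe plug-ins to view this page. "
    '<a href="https://portal.example.invalid/AdobePlugins.exe">Install</a></body></html>'
)

if __name__ == "__main__":
    for r in (CLEAN, HIJACKED, INLINE_PAGE):
        print(classify_probe(r))
    print(landing_page_flags(LURE_HTML))
```

The point of the classifier is that a redirect is exactly what a legitimate portal also produces, so the only durable control is to review where the redirect lands and what it serves: a portal that tells you to install plug-ins or offers an executable is not asking you to sign in to Wi-Fi.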

According to the Anti-Phishing Working Group (APWG), more than 90% of phishing sites nowadays employ SSL/TLS certificates, granting them unearned legitimacy: a certificate proves only that the site controls the domain it was issued for, not that the site is benign. Whitsell does qualify that certificates used for malicious activity can be revoked, and that Let's Encrypt encourages users to report certificate abuse. Google Safe Browsing, he adds, blocks malicious websites regardless of whether they have a valid TLS certificate.


Users who fell for the phish ended up downloading what seemed to them an update to Adobe plug-ins. They were also shown a webpage with instructions for running the downloaded binary despite Microsoft's built-in security warning for files downloaded from the internet.

To further the ruse, when the executable was run, users were presented with a prompt to "Install" or "Cancel" the installation process. It was all smoke and mirrors. Neither button changed anything about the malware already running on their device.

Mustang Panda's fake installation page

Source: Google

Dropping PlugX

Like the malicious site, the first-stage malware, "STATICPLUGIN," enjoyed a valid code-signing certificate. This helped the malware bypass some endpoint security tools that trust files with valid signatures by default.

The organization that signed STATICPLUGIN, Chengdu Nuoxin Times Technology Co. Ltd., has signed at least 25 known malware samples since January 2023, many tied to other Chinese-nexus APTs besides Mustang Panda. It's unclear whether the organization is compromised, with attackers using its signing key without its knowledge, or whether it's merely a front for various Chinese cyberespionage operations.


Running under cover of that signature, the downloader dropped a launcher, "CANONSTAGER." CANONSTAGER weaponized a number of legitimate Windows features. Rather than naming the Windows API functions it needed in a plaintext import table, it located them at runtime by API hashing, comparing a precomputed hash against the hash of each export name until it found a match, and it stashed the resolved function addresses in Thread Local Storage (TLS) arrays. Because TLS arrays are an unconventional place to store such data, these functions were more likely to be overlooked by cybersecurity analysts and their tools. The launcher's job was to introduce the encrypted final payload: a variant of the common Chinese backdoor PlugX, tracked by Google as "SOGU.SEC."

"The combination of API hashing, TLS array usage, and executing code with window procedures and message queues is elaborate and unconventional," Whitsell emphasizes. "It is the first time I have seen malware using these techniques together in this way to hide code and remain stealthy."
