
Chinese ‘Mustang Panda’ Hackers Spotted Deploying New ‘Hodur’ Malware

Mustang Panda

A China-based advanced persistent threat (APT) known as
Mustang Panda has been linked to an ongoing cyberespionage
campaign using a previously undocumented variant of the PlugX[1]
remote access trojan on infected machines.

Slovak cybersecurity firm ESET dubbed the new version
Hodur, owing to its resemblance to another PlugX (aka
Korplug) variant called THOR[2]
that came to light in July 2021.

“Most victims are located in East and Southeast Asia, but a few
are in Europe (Greece, Cyprus, Russia) and Africa (South Africa,
South Sudan),” ESET malware researcher Alexandre Côté Cyr said[3]
in a report shared with The Hacker News.


“Known victims include research entities, internet service
providers (ISPs), and European diplomatic missions mostly located
in East and Southeast Asia.”

Mustang Panda, also known as TA416, HoneyMyte, RedDelta, or
PKPLUG, is a cyber espionage group[4]
that’s primarily known for targeting non-governmental organizations
with a specific focus on Mongolia.

The latest campaign, which dates back to at least August 2021,
makes use of a compromise chain featuring an ever-evolving stack of
decoy documents pertaining to the ongoing events in Europe and the
war in Ukraine.

“Other phishing lures mention updated COVID-19 travel
restrictions, an approved regional aid map for Greece, and a
Regulation of the European Parliament and of the Council,” ESET
said. “The final lure is a real document available on the European
Council’s website. This shows that the APT group behind this
campaign is following current affairs and is able to successfully
and swiftly react to them.”

Regardless of the phishing lure employed, the infections
culminate in the deployment of the Hodur backdoor on the
compromised Windows host.


“The variant used in this campaign bears many similarities to
the THOR variant, which is why we have named it Hodur,” the researcher explained.
“The similarities include the use of the Software\CLASSES\ms-pu
registry key, the same format for [command-and-control] servers in
the configuration, and use of the Static window class.”
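A defender-side hunting check for the ms-pu registry key named above, as an added example rather than anything from ESET's report. The hive is an assumption (the article does not state it), so HKLM, HKCU and every currently loaded user hive under HKEY_USERS are checked; hives of users who are not logged on are not loaded and so are not covered.

```powershell
# Added hunting example (not from ESET's report): look for the
# Software\CLASSES\ms-pu key that ESET reports both THOR and Hodur use.
# The hive is not given in the article, so several are checked.
$subKey = 'Software\CLASSES\ms-pu'

$paths = @("HKLM:\$subKey", "HKCU:\$subKey")

# HKU: is not mounted as a drive by default; mount it so loaded user
# hives (including the *_Classes hives) can be enumerated.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
Get-ChildItem -Path 'HKU:\' | ForEach-Object {
    $paths += "HKU:\$($_.PSChildName)\$subKey"
}

# Report each hit with the value names stored under the key, which is
# the detail an analyst would want before deciding it is a false positive.
$hits = foreach ($p in $paths) {
    if (Test-Path -Path $p) {
        $key = Get-Item -Path $p
        [pscustomobject]@{
            Path       = $p
            ValueNames = ($key.GetValueNames() -join ', ')
            SubKeys    = $key.SubKeyCount
        }
    }
}

if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    Write-Output "No '$subKey' key found in the checked hives."
}
```

Run it in an elevated session so HKLM and all loaded user hives are readable; a hit is a lead for triage, not proof of infection on its own.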

Hodur, for its part, is equipped to handle a variety of
commands, enabling the implant to gather extensive system
information, read and write arbitrary files, execute commands, and
launch a remote cmd.exe session.

The findings from ESET line up with public disclosures from
Google’s Threat Analysis Group (TAG) and Proofpoint, both of which
detailed a Mustang Panda campaign[5] to distribute an updated
PlugX variant earlier this month.

“The decoys used in this campaign show once more how quickly
Mustang Panda is able to react to world events,” Côté Cyr said.
“This group also demonstrates an ability to iteratively improve its
tools, including its signature use of trident downloaders to deploy
Korplug.”

References

  1. PlugX (malpedia.caad.fkie.fraunhofer.de)
  2. THOR (thehackernews.com)
  3. said (www.welivesecurity.com)
  4. cyber espionage group (malpedia.caad.fkie.fraunhofer.de)
  5. detailed a Mustang Panda campaign (thehackernews.com)
