This dangerous APT has expanded its skills with some new tools – here’s what we know
- Mustang Panda upgrades CoolClient backdoor with new rootkit and expanded features
- New features include clipboard monitoring, proxy credential detection, and an improved plugin ecosystem.
- Updated malware used against governments in Asia and Russia for espionage and data theft.
Chinese state-sponsored hackers Mustang Panda have enhanced one of their backdoors with new capabilities, potentially making it even more dangerous than ever.
Kaspersky security researchers recently spotted the backdoor, called CoolClient, used in an attack deploying a brand new rootkit.
Mustang Panda is a known threat actor whose activities align well with Chinese national interests: cyberespionage, data theft, and persistent access. It has a large arsenal of custom tools including backdoors, RATs, rootkits, and more, including CoolClient, a backdoor that was first seen in 2022 and is commonly deployed as a secondary backdoor, alongside PlugX and LuminousMoth.
Capturing clipboard and detecting HTTP proxy credentials
Now, even though the legacy variant was already dangerous, Mustang Panda decided to give it a facelift, Kaspersky said.
Originally, CoolClient was capable of profiling and gathering system and user details, as well as recording keystrokes. It allowed Mustang Panda to download and delete files, perform TCP tunneling and reverse listening, as well as in-memory execution. It featured different persistence mechanisms, UAC workarounds, and DLL sideloading.
Now it can monitor the clipboard and capture copied content (e.g. passwords retrieved from password managers or cryptocurrency wallet information stored elsewhere) and allows sniffing of HTTP proxy credentials. It also has an extensive plugin ecosystem, including a remote shell plugin for running interactive commands, a service management plugin, and a more capable file management plugin.
Additionally, it enables credential theft via infostealers, as well as the use of legitimate cloud services for silent exfiltration of stolen data.
Kaspersky said it had seen the updated version of the malware used in attacks against government entities in Myanmar, Mongolia, Malaysia and Pakistan. It has also been found on devices belonging to the Russian government, but this is not surprising since China has been seen before attempting to spy on its allies and partners.
The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds. Make sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp Also.
