According to cyber security researchers, state financed Chinese hackers have launched a spear phishing campaign to launch bespoke malware stored within Google Drive to international government, academic and research organisations.

The attacks were observed by researcher between March and October this year and have been attributed it to a cyber espionage operation known as Mustang Panda. The threat group is also known by the names Bronze President and TA416.

Analysts at Trend Micro uncovered that threat operators mostly targets organisations based in Australia, Taiwan, Myanmar, Japan, and in the Philippines. The hackers employed Google accounts to transmit malicious phishing messages with traps that tricked victims into downloading customised malware from dedicated Google Drive links.

Details of a malware infection

In a recent report, Trend Micro’s researchers stated that the hackers employed messages using geopolitical subjects. Over 80 per cent of the messages examined targeted legal or government organisations.

To circumnavigate security measures, the embedded links included point at a Dropbox folder or Google Drive, both authentic platforms with a solid reputation that are usually less suspicious. The links lead users to downloading compressed files that include bespoke malware strains like ToneShell, PubLoad and ToneIns.

In its report Trend Micro explained the infection process of Mustang Panda. It commented:

“The email’s subject might be empty or might have the same name as the malicious archive. Rather than add the victims’ addresses to the emails “To” header, the threat actors used fake emails. Meanwhile, the real victims’ addresses were written in the “CC” header, likely to evade security analysis and slow down investigations.”

While the hackers made use of many different malware loading routines, the infection process commonly involved DLL side-loading which took place after the target launched a specific executable that was present within the archives. However, to minimise suspicions, a decoy document was displayed for the victim in the foreground.

Malware strains adopted by the attackers

Out of the three different custom malware pieces (ToneShell, PubLoad and ToneIns) used in the attacks, only PubLoad has previously been documented. It was mentioned in a report by Cisco Talos back in May this year, that described attack campaigns aimed at targets in Europe.

PubLoad is designed to be a stager that can create persistence when it adds registry keys and creates scheduled tasks, decrypts shellcode, and handles command and control server communications.

According to Trend Micro, recent editions of PubLoad now feature far more enhanced anti-analysis mechanisms. This suggests that Mustang Panda is currently actively improving the malicious tool for greater efficiency.

ToneIns is a dedicated installer for the malware strain ToneShell, which is the standalone backdoor employed in the recent threat campaign. It utilises obfuscation to avoid detection while loading ToneShell. At the same time, it establishes persistence on the system compromised.

ToneShell is a backdoor loaded directly into memory. It uses code flow obfuscation by implementing custom exception handlers. This allows it to also thwart attempts of analysts using a sandbox, as the backdoor never executes in an environment designed for debugging.