In an unexpected turn of events, research has surfaced about a Chinese APT (advanced persistent threat) group targeting the Russian military in recent cyberattacks.
Tracked as Bronze President, Mustang Panda, RedDelta, and TA416, the group has focused mainly on Southeast Asian targets—and more recently, European diplomats—and turned their attention towards Russia and started targeting the country’s military situated close to the Chinese border.
Dell SecureWorks retrieved a file named Blagoveshchensk - Blagoveshchensk Border Detachment, which bears the icon of a PDF file but is actually an executable file.
From the report:
"Blagoveshchensk is a Russian city close to the China border and is home to the 56th Blagoveshchenskiy Red Banner Border Guard Detachment. This connection suggests that the filename was chosen to target officials or military personnel familiar with the region."
Once the supposed document is "opened," the executable downloads four files, including a clean document file used as a decoy (screenshot below), from a server Mustang Panda is known to use.
The document appears like a formal report from the European Commission, and it details the refugee and migrant status pressuring countries bordering Belarus.
The three additional files are required for Mustang Panda to use DLL search order hijackingto install a variant of PlugX, an old remote access tool (RAT), onto target systems. This allows threat actors to secretly load a malicious DLL, thus avoiding detection from security solutions software.
PlugX is capable of stealing sensitive information from target machines. Although this, as a whole, is a benign attack that involves intelligence gathering, it is interesting to note the shifting targets, presumably based on the political situation in Europe and what’s happening in Ukraine. Suffice to say, China continues to look out for itself and its interests, even if it involves countries it considers "strategic partners of coordination".