Mustang Panda

OriginChina

Techniques (MITRE ATT&CK)85

SourceMITRE ATT&CK

Also known as:TA416RedDeltaBRONZE PRESIDENTSTATELY TAURUSFIREANTCAMARO DRAGONEARTH PRETAHIVE0154TWILL TYPHOONTANTALUMLUMINOUS MOTHUNC6384TEMP.HexRed LichClumsyToad

Vexday analysis

Mustang Panda é um agente de espionagem cibernética de origem chinesa com operações documentadas desde pelo menos 2012, identificado no MITRE ATT&CK como G0129. O grupo é conhecido pelo uso de iscas de phishing direcionadas e documentos-isca para entrega de cargas maliciosas, tendo como alvos organizações governamentais, diplomáticas e não governamentais — incluindo think tanks, instituições religiosas e entidades de pesquisa — nos Estados Unidos, Europa e Ásia, com atividade notável na Rússia, Mongólia, Myanmar, Paquistão e Vietnã. Rastreado também pelos aliases TA416, RedDelta, BRONZE PRESIDENT, STATELY TAURUS, FIREANT e CAMARO DRAGON, o grupo acumula 85 técnicas documentadas no MITRE ATT&CK e tem uma CVE atribuída ao seu arsenal.

Techniques (MITRE ATT&CK) 85

How the group operates, mapped to the MITRE ATT&CK matrix and organized by the phases of an attack.

Reconnaissance

Search Open Websites/Domains Spearphishing Link

Resource development

Domains Web Services Email Accounts Email Accounts Malware Tool Code Signing Certificates Digital Certificates Stage Capabilities Upload Malware

Initial access

Spearphishing Attachment Spearphishing Link

Execution

Windows Management Instrumentation Scheduled Task Command and Scripting Interpreter PowerShell Windows Command Shell Visual Basic JavaScript Software Deployment Tools Native API Shared Modules Exploitation for Client Execution Malicious Link Malicious File

Persistence

IDE Extensions Web Shell Registry Run Keys / Startup Folder

Privilege escalation

Windows Management Instrumentation Event Subscription

Credential access

OS Credential Dumping LSASS Memory NTDS DCSync Adversary-in-the-Middle

Discovery

System Network Configuration Discovery Remote System Discovery Network Service Discovery System Network Connections Discovery Process Discovery Domain Groups System Information Discovery File and Directory Discovery Domain Account Software Discovery Log Enumeration

Lateral movement

Replication Through Removable Media

Collection

Local Data Staging Automated Collection Archive via Utility Archive via Custom Method

Command and control

Protocol or Service Impersonation Web Protocols Non-Application Layer Protocol Web Service Ingress Tool Transfer IDE Tunneling Remote Desktop Software Protocol Tunneling Symmetric Cryptography

Exfiltration

Exfiltration Over C2 Channel Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration over USB Exfiltration to Cloud Storage

defense-impairment

Code Signing

stealth

Obfuscated Files or Information Dynamic API Resolution LNK Icon Smuggling Junk Code Insertion Match Legitimate Resource Name or Location Double File Extension Masquerade File Type Indicator Removal File Deletion Timestomp Deobfuscate/Decode Files or Information Traffic Signaling InstallUtil Mshta Hidden Files and Directories DLL Executable Installer File Permissions Weakness Debugger Evasion Delay Execution

Exploited vulnerabilities 1

CVEs this group is known to exploit, per MITRE ATT&CK. Ordered by real-world severity.

CVE-2017-0199HIGHEPSS 100%KEV

Mustang Panda uses real techniques and exploits real flaws. TrueHacking's AI Autonomous Pentest simulates these attacks against your infrastructure and brings more security to your application.

Explore the AI Autonomous Pentest →