Social engineering, exfiltration and espionage activities by Chinese hackers unveiled

Social engineering, exfiltration and infrastructure attacks by Chinese hackers unveiled


Reports uncover recent activities by Chinese state-sponsored threat groups

Chinese hackers are known for their ability to hide in systems while silently exfiltrating data, and for their speed in exploiting new vulnerabilities and topical events.

These characteristics are in evidence in a slew of recent reports from cybersecurity vendors.

Mustang Panda

The war in Ukraine has been used as a lure in phishing attempts by state-backed actor Mustang Panda, reports Cisco Talos. Advanced persistent threat (APT) group Mustang Panda, also known as TA416, RedDelta and Bronze President, has previously used issues such as international summits and the pandemic as a lure in its social engineering attempts, and has recently been observed attacking targets in Ukraine, Russia, the US, Myanmar, Hong Kong, Japan, Taiwan, Tibet, Afghanistan and India using infected official-looking documents.

Mustang Panda typically deploys PlugX, a backdoor downloaded to victims' devices that gives the group persistent access to infected systems, but it has recently been changing its methods, Talos says:

"Apart from Mustang Panda's tool of choice, PlugX, we've observed a steady increase in the use of intermediate payloads such as a variety of stagers and reverse shells. The group has also continuously evolved its delivery mechanisms consisting of maldocs, shortcut files, malicious archives and more recently seen downloaders starting with 2022."

It continues: "Mustang Panda is a highly motivated APT group relying primarily on the use of topical lures and social engineering to trick victims into infecting themselves."

Moshen Dragon

Another 'Chinese-aligned' hacking group, Moshen Dragon (also known as, or related to, Nomad Panda and RedFoxtrot), also makes use of PlugX to retain access, according to security vendor SentinelOne.

This threat actor, which has recently attacked telecoms systems in Central Asia, also makes use of the more advanced ShadowPad malware, which was the primary backdoor for espionage operations in multiple campaigns, including the CCleaner, NetSarang and ASUS supply-chain attacks.

"PlugX and ShadowPad have a well-established history of use among Chinese-speaking threat actors primarily for espionage activity. Those tools have flexible, modular functionality and are compiled via shellcode to easily bypass traditional endpoint protection products," the post states.

The group hijacks security software from Kaspersky, Symantec, Trend Micro and others to deliver ShadowPad and other malware, after which it moves laterally through infected systems and creates a persistent presence. However, says SentinelOne, the issue is a Windows flaw rather than being the fault of the security vendors.

"Rather than criticise any of these products for their abuse by an insistent threat actor, we remind readers that this attack vector reflects an age-old design flaw in the Windows Operating System that allows DLL search order hijacking."
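The "design flaw" SentinelOne refers to is that a Windows executable which loads a DLL by bare name will search its own directory before the system directories, so an attacker-controlled DLL placed beside a legitimately signed executable gets loaded in that executable's context. The triage heuristic below is an added example written for this article, not SentinelOne's or any vendor's code: given a file inventory (the entries, signer names and the allowlist of system DLL names are all constructed here, and a real deployment would build them from a clean reference image), it flags DLLs that share a name with a System32 DLL, sit next to a signed executable, and are unsigned or signed by a different party than that executable.

```python
import ntpath
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Constructed allowlist (illustrative subset): DLL names a clean Windows image
# ships in System32. Build this from a known-good machine in practice.
SYSTEM_DLLS: Set[str] = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll", "cryptbase.dll",
}

# Constructed: signers whose DLLs are expected to appear beside third-party apps
# (e.g. redistributables), so they are not treated as shadowing candidates.
TRUSTED_SIGNERS: Set[str] = {"Microsoft Windows"}


@dataclass(frozen=True)
class FileEntry:
    path: str               # Windows path as inventoried (compared case-insensitively)
    signer: Optional[str]   # Authenticode signer subject, None if unsigned


def sideload_candidates(
    entries: Iterable[FileEntry],
    system_dlls: Set[str] = SYSTEM_DLLS,
    trusted_signers: Set[str] = TRUSTED_SIGNERS,
) -> List[Tuple[str, str]]:
    """Return (dll_path, reason) pairs for DLLs that look like search-order
    hijacking candidates: same name as a system DLL, located in a directory
    that also holds a signed EXE, and not signed by that EXE's signer."""
    by_dir = defaultdict(list)
    for entry in entries:
        by_dir[ntpath.dirname(entry.path).lower()].append(entry)

    findings: List[Tuple[str, str]] = []
    for files in by_dir.values():
        # Only directories containing a signed executable are interesting:
        # the attack relies on a trusted host process doing the loading.
        exe_signers = {
            f.signer for f in files
            if f.path.lower().endswith(".exe") and f.signer is not None
        }
        if not exe_signers:
            continue
        for f in files:
            name = ntpath.basename(f.path).lower()
            if name not in system_dlls or f.signer in trusted_signers:
                continue
            if f.signer is None:
                findings.append((f.path, "unsigned DLL shadows a system DLL beside a signed EXE"))
            elif f.signer not in exe_signers:
                findings.append((
                    f.path,
                    f"DLL signer {f.signer!r} differs from EXE signer(s) {sorted(exe_signers)}",
                ))
    return sorted(findings)


# Constructed sample inventory: one benign vendor tree, one suspicious drop beside
# a signed security-product binary, one DLL signed by a third party.
SAMPLE: List[FileEntry] = [
    FileEntry(r"c:\program files\vendorav\avshell.exe", "Vendor AV Ltd"),
    FileEntry(r"c:\program files\vendorav\avcore.dll", "Vendor AV Ltd"),
    FileEntry(r"c:\program files\vendorav\version.dll", None),
    FileEntry(r"c:\users\public\tools\tool.exe", "Tool Co"),
    FileEntry(r"c:\users\public\tools\dbghelp.dll", "Microsoft Windows"),
    FileEntry(r"c:\users\public\tools\userenv.dll", "Other Corp"),
    FileEntry(r"c:\windows\system32\notepad.exe", "Microsoft Windows"),
    FileEntry(r"c:\windows\system32\version.dll", "Microsoft Windows"),
]


def scan_sample() -> List[Tuple[str, str]]:
    """Run the heuristic over the constructed inventory."""
    return sideload_candidates(SAMPLE)


if __name__ == "__main__":
    for path, reason in scan_sample():
        print(f"{path}: {reason}")
```

The output is a triage list rather than a verdict: a flagged DLL still needs to be hashed, checked against the vendor's shipped file list and, if unknown, pulled for analysis, while the signed executable next to it is the one to look for in process-creation and image-load telemetry.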

Winnti

Meanwhile, Cybereason reports activity by Winnti (APT41, Axiom, Barium, Bronze Atlas), in which the prominent state-sponsored threat actor has apparently been lying low and silently siphoning data for years.

Cybereason dubs the attack 'Operation CuckooBees' and says targets include manufacturing companies in Europe, Asia and the US, with the aim of stealing sensitive IP.

However, the attack involves multiple phases and is extremely effective at evading detection, making it impossible to know how many organisations might be affected, the company says.

"Winnti malware [includes] digitally signed kernel-level rootkits as well as an elaborate multi-stage infection chain that enabled the operation to remain undetected since at least 2019."

These stealthy state-backed activities pose a serious long-term risk, argues Cybereason.

"Cyber espionage doesn't usually generate the same degree of panic or media attention as other cyberattacks, but the lack of attention doesn't make it any less dangerous. A malicious campaign that silently steals intellectual property for years is exceptionally costly and may have repercussions for years to come."
