Description
[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. [Mustang Panda](https://attack.mitre.org/groups/G0129) has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Europe, Mongolia, Myanmar, Pakistan, and Vietnam, among others.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)
Techniques Used (TTPs)
- T1016 — System Network Configuration Discovery (discovery)
- T1608.001 — Upload Malware (resource-development)
- T1047 — Windows Management Instrumentation (execution)
- T1573.001 — Symmetric Cryptography (command-and-control)
- T1204.001 — Malicious Link (execution)
- T1049 — System Network Connections Discovery (discovery)
- T1059.005 — Visual Basic (execution)
- T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
- T1598.003 — Spearphishing Link (reconnaissance)
- T1564.001 — Hidden Files and Directories (defense-evasion)
- T1218.005 — Mshta (defense-evasion)
- T1585.002 — Email Accounts (resource-development)
- T1219.002 — Remote Desktop Software (command-and-control)
- T1218.004 — InstallUtil (defense-evasion)
- T1560.001 — Archive via Utility (collection)
- T1071.001 — Web Protocols (command-and-control)
- T1566.002 — Spearphishing Link (initial-access)
- T1091 — Replication Through Removable Media (lateral-movement, initial-access)
- T1059.003 — Windows Command Shell (execution)
- T1052.001 — Exfiltration over USB (exfiltration)
- T1560.003 — Archive via Custom Method (collection)
- T1070.004 — File Deletion (defense-evasion)
- T1057 — Process Discovery (discovery)
- T1082 — System Information Discovery (discovery)
- T1203 — Exploitation for Client Execution (execution)
- T1608 — Stage Capabilities (resource-development)
- T1566.001 — Spearphishing Attachment (initial-access)
- T1083 — File and Directory Discovery (discovery)
- T1518 — Software Discovery (discovery)
- T1583.001 — Domains (resource-development)
- T1574.001 — DLL (persistence, privilege-escalation, defense-evasion)
- T1546.003 — Windows Management Instrumentation Event Subscription (privilege-escalation, persistence)
- T1003.003 — NTDS (credential-access)
- T1027 — Obfuscated Files or Information (defense-evasion)
- T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
- T1119 — Automated Collection (collection)
- T1105 — Ingress Tool Transfer (command-and-control)
- T1074.001 — Local Data Staging (collection)
- T1059.001 — PowerShell (execution)
- T1027.016 — Junk Code Insertion (defense-evasion)
- T1204.002 — Malicious File (execution)
- T1036.007 — Double File Extension (defense-evasion)
- T1102 — Web Service (command-and-control)
- T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
Total TTPs: 44
Malware & Tools
Malware: Cobalt Strike, PlugX, PoisonIvy, RCSession
Tools: NBTscan