
CrimsonIAS – Mustang Panda Plugx New Plugin

Introduction

The Mustang Panda threat group mainly targets non-governmental organizations in Asia-Pacific countries and often uses shared malware such as Poison Ivy, PlugX, and Cobalt Strike payloads to gather intelligence. PlugX is a remote access tool (RAT) with a modular plug-in design that has been used by multiple threat groups.

CrimsonIAS is a backdoor program written in Delphi. It can upload and download files and execute commands. Although its functionality is relatively simple, it meets the basic requirements of a RAT and can be extended further. Unlike conventional RATs, it does not actively connect out to a control server; instead it waits for the control server to connect to it. Based on our analysis, we believe the targets of CrimsonIAS are:

1. Hosts that expose publicly deployed services.

2. Hosts on the local network on which an internal penetration (lateral-movement) component is already present.

CrimsonIAS analysis

The backdoor program is a standard Win32 DLL.

By observing the DLL export table, we found that it has reflective loading characteristics.


The DLL does not trigger its functionality through normal loading or by calling its exported functions. Our analysis shows that CrimsonIAS uses the same reflective-loading technique as the Cobalt Strike Beacon: executable code is embedded immediately after the MZ magic of the PE file, which alters the normal execution flow so that control jumps to the reflective loader function. The program is therefore invoked in the form of shellcode.


Therefore, the overall loading execution process of CrimsonIAS should be as follows:

[Diagram: CrimsonIAS loading and execution flow]
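A defender triaging a suspected reflective DLL of this kind can check the DOS header directly: the 'MZ' magic is kept so the file still parses as a PE, but the bytes right after the magic are executed as code when the image is started as shellcode at offset 0. The following Python is an added example, not code from the original post or from the CrimsonIAS sample; its two heuristics (an x86 'call' opcode immediately after 'MZ', and a DOS stub that no longer contains the usual "This program cannot be run in DOS mode" message) are assumptions about common reflective-loader stub layouts, and the two headers it inspects are constructed test data. Checking the export table for a reflective-loader export, which the post also mentions, is left out of this snippet.

```python
"""Heuristic triage of a PE whose DOS header doubles as shellcode.

Added example, not code from the original post or the CrimsonIAS sample. The
heuristics below are assumptions about common stub layouts, not facts
established by the post.
"""
import struct

DOS_STUB_MARKER = b"This program cannot be run in DOS mode"


def inspect_dos_header(data: bytes) -> dict:
    """Return findings for the first bytes of a PE image."""
    findings = {
        "valid_mz": False,
        "valid_pe": False,
        "mz_followed_by_call": False,
        "dos_stub_present": False,
        "e_lfanew": None,
    }
    if len(data) < 0x40 or data[:2] != b"MZ":
        return findings
    findings["valid_mz"] = True
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of 'PE\0\0'
    findings["e_lfanew"] = e_lfanew
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
        findings["valid_pe"] = True
    # Offset 2 normally holds e_cblp, a small number. 0xE8 is the x86
    # 'call rel32' opcode: a stub executed from offset 0 runs 'MZ' as two
    # harmless instructions (dec ebp; pop edx) and then calls forward.
    findings["mz_followed_by_call"] = data[2] == 0xE8
    if e_lfanew > 0x40:
        findings["dos_stub_present"] = DOS_STUB_MARKER in data[0x40:e_lfanew]
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when the image is a parsable PE but its header looks like code."""
    f = inspect_dos_header(data)
    return f["valid_mz"] and f["valid_pe"] and (
        f["mz_followed_by_call"] or not f["dos_stub_present"]
    )


def build_header(after_mz: bytes, include_stub: bool, e_lfanew: int = 0x80) -> bytes:
    """Construct a minimal PE prefix for testing (constructed data, not a real file)."""
    hdr = bytearray(e_lfanew + 4)
    hdr[0:2] = b"MZ"
    hdr[2:2 + len(after_mz)] = after_mz
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    if include_stub:
        hdr[0x4E:0x4E + len(DOS_STUB_MARKER)] = DOS_STUB_MARKER
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(hdr)


# Constructed samples: a compiler-style header and a shellcode-style header.
BENIGN_SAMPLE = build_header(b"\x90\x00\x03\x00", include_stub=True)
SUSPICIOUS_SAMPLE = build_header(b"\xE8\x00\x00\x00\x00\x5B", include_stub=False)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("shellcode-style", SUSPICIOUS_SAMPLE)):
        verdict = "suspicious" if is_suspicious(sample) else "ok"
        print(name, inspect_dos_header(sample), verdict)
```

Run against a real file with `is_suspicious(open(path, "rb").read())`. Both heuristics produce false positives on packed or hand-crafted binaries, so treat a hit as a reason to look at the export table and the bytes at offset 0 in a disassembler, not as a verdict.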

Once the shellcode has been loaded correctly, it starts netsh.exe to open a port in the local firewall and then binds and listens on that port (port 80 in this sample). (T1562.004: Impair Defenses: Disable or Modify System Firewall)
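The netsh step above is the most observable part of this chain on an endpoint, because an implant that waits for inbound connections has to open the firewall and then listen. The following Python is an added detection example, not code from the original post: it scans constructed process-creation records (Sysmon Event ID 1 style fields, rendered here as `Key=Value` pairs separated by `|`, which is an assumed format) for netsh commands that allow an inbound port, then matches each opened port against a constructed list of listening sockets and flags listeners that are not known server binaries. The record contents, the `rundll32.exe` host process and the list of expected servers are all assumptions made for the example.

```python
"""Detection example for the firewall-modification step described above.

Added example, not code from the original post. Log format, sample records,
listener list and the expected-server allowlist are constructed assumptions.
"""
import re
from dataclasses import dataclass

# Modern form: 'netsh advfirewall firewall add rule ... dir=in action=allow ... localport=N'
ADVFIREWALL_RE = re.compile(
    r"netsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b"
    r"(?=.*\bdir=in\b)(?=.*\baction=allow\b).*\blocalport=(\d+)",
    re.IGNORECASE,
)
# Legacy form: 'netsh firewall add portopening TCP N name'
LEGACY_RE = re.compile(
    r"netsh(?:\.exe)?\s+firewall\s+add\s+portopening\s+(?:protocol=)?(?:tcp|udp)\s+(?:port=)?(\d+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class FirewallOpening:
    port: int
    parent_image: str
    command_line: str


def parse_record(line: str) -> dict:
    """Split 'Key=Value|Key=Value' into a dict (constructed log format)."""
    return dict(field.split("=", 1) for field in line.split("|"))


def find_firewall_openings(records):
    """Return every inbound port-allow rule added via netsh in the records.

    Matching is done on CommandLine rather than Image so that wrappers such as
    'cmd /c netsh ...' are caught as well.
    """
    found = []
    for line in records:
        rec = parse_record(line)
        cmd = rec.get("CommandLine", "")
        m = ADVFIREWALL_RE.search(cmd) or LEGACY_RE.search(cmd)
        if m:
            found.append(FirewallOpening(int(m.group(1)), rec.get("ParentImage", ""), cmd))
    return found


def correlate_listeners(openings, listeners, expected_servers=("httpd.exe", "w3wp.exe")):
    """Flag opened ports whose listener is not an expected server binary.

    listeners: iterable of (port, image_path) tuples, e.g. from a netstat export.
    Returns a list of (port, listener_image, parent_of_netsh).
    """
    by_port = {port: image for port, image in listeners}
    alerts = []
    for op in openings:
        image = by_port.get(op.port)
        if image and image.lower().rsplit("\\", 1)[-1] not in expected_servers:
            alerts.append((op.port, image, op.parent_image))
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    "Image=C:\\Windows\\System32\\netsh.exe|ParentImage=C:\\Windows\\System32\\rundll32.exe"
    "|CommandLine=netsh advfirewall firewall add rule name=\"Core Networking\" dir=in action=allow protocol=TCP localport=80",
    "Image=C:\\Windows\\System32\\netsh.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=netsh interface ip show config",
    "Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=cmd /c netsh advfirewall firewall add rule name=x dir=in action=allow protocol=TCP localport=9000",
    "Image=C:\\Windows\\System32\\netsh.exe|ParentImage=C:\\Windows\\System32\\svchost.exe"
    "|CommandLine=netsh firewall add portopening TCP 8080 Updater",
]

# Constructed listening sockets: (port, owning process image).
SAMPLE_LISTENERS = [
    (80, "C:\\Windows\\System32\\rundll32.exe"),
    (443, "C:\\Program Files\\Apache\\httpd.exe"),
    (9000, "C:\\Program Files\\Apache\\httpd.exe"),
    (8080, "C:\\Users\\Public\\update.exe"),
]

if __name__ == "__main__":
    openings = find_firewall_openings(SAMPLE_RECORDS)
    for port, image, parent in correlate_listeners(openings, SAMPLE_LISTENERS):
        print(f"ALERT: port {port} opened via netsh (parent {parent}) is served by {image}")
```

Port 80 served by `rundll32.exe` and port 8080 served by a binary under `C:\Users\Public` are reported; port 9000 is opened but served by `httpd.exe`, so it is not. In practice the allowlist should come from the environment's known services, and the netsh parent process is worth pivoting on even when the listener looks legitimate.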


Our analysis shows that the first 24 bytes of each message form the command-and-control header. The details are as follows:

CrimsonIAS Command Protocol

[Table: CrimsonIAS command protocol header layout]

The actual payload of a message starts at offset 0x18 (byte 24), immediately after the header.


IOCs

SHA-256:

3bc96b4cce0dd550eeb3a563f7ef203614e36fbbbf990726e1afd5d3dcec33e1
bde63cd5c3aefed249d2610ca2ee834bde0c0ec06193119363972e3761fb3c63
194c0f6c5001b929080d700362e8d8e8009973c82d9409094af2a7ad33506228
5021a19f439d31946e61b7529f8e930ebc9829b1ab1f2274b281b23124113cb1
306175ffc59091515a8a0b211c356843f09fcb65395decd9fe72c9807c17288a
63e144fbe0377e0c365c126d2c03ee5da215db275c5376e78187f0611234c9b0
b19fea36cb7ea1cf1663d59b6dcf51a14e207918c228b8b76f9a79ff3a8de36c
891ece4c40a7bf31f414200c8c2c31192fd159c1316012724f3013bd0ab2a68e

SHA-1:

4b247bd390bd8a7e0e31e084bce22aaadcf84173
a3f7bac418d8e90dfffa22325b3aff489ed0ab49
f0ff88680b1fc02bd1aa945e539c3f149855b8e8
789b56dc54395e8d7431915273d90ac0d627d142
1dd24a4012681c6d9ea55a211dadd90b3bf528f9
82107e3275553da502153cbb99d8399c60fa1eb6
f5b02ab9ac9e75ce3cdeab67b44399beec1c8c8e
671af17186d9c62cbf0b355e76b9efd751e08efc

MD5:

7861a071c1338041320fc6ccfc20aba7
fb3eedec702c5582fde947c0c3bcc193
7532a44542d62d66bd69d814b6225dc0
c8841ddf300ffe14e49d5ef66bd8807c
15b98357a5171f85c457d0911d737660
d6ea41df77ea674d413aae08bd717d80
4ef28ebcd23a23f17a30b76a85c1ac8e
22b7831721e199e4a05cfb2511d54749