Research Saturday 11.23.19
Ep 112 | 11.23.19
Mustang Panda leverages Windows shortcut files.

Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:25] And now a quick word about our sponsor, Juniper Networks. NSS Labs gave Juniper its highest rating of "Recommended" in its 2019 Data Center Security Gateway Test. You get your copy of the NSS Labs report, visit or connect with Juniper on Twitter or Facebook. That's And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:00:58] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything – all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Parthiban: [00:01:38] We found this during our regular data collection.

Dave Bittner: [00:01:40] That's Parthiban. He's a security researcher with Anomali. The research we're discussing today is titled, "China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations."

Parthiban: [00:01:54] This particular cluster of Windows shortcut files were peculiar because the Windows shortcut files were having HTA files embedded to them. So, which – basically, they are using it to download another set of malicious files from the Internet, because usually the Windows shortcut files are not used for downloading any content from the Internet. So that's how we were able to narrow it down, that there is something malicious going on here. And upon closer inspection, we were able to confirm that this particular cluster of Windows shortcut files were actually used by the threat group called "Mustang Panda."

Dave Bittner: [00:02:31] Well, can you describe for us what exactly is a Windows shortcut file and how is it normally used?

Parthiban: [00:02:37] Windows shortcut files are called LNK files. So a regular Windows shortcut file will have an extension of ".lnk". In Windows, they use it to open applications using Windows shortcut files. So, for example, a lot of people might come across these shortcut files on the Windows desktop. So they just use it to call the real application which is stored in a different location.

Dave Bittner: [00:03:03] I see. So it's a link to an actual file. Like you said, it's the kind of thing you'd put on your desktop as a shortcut to the actual executable.

Parthiban: [00:03:11] Yes.

Dave Bittner: [00:03:11] I see.

Dave Bittner: [00:03:13] Before we dig into some of the technical details here, who do you presume that Mustang Panda is targeting?

Parthiban: [00:03:20] Based on our research, we believe Mustang Panda's targets are the Chinese government's neighboring countries, as well as the countries that are involved in Belt and Road Initiative. So that is Mongolia and multiple Southeast Asian countries like Vietnam, Myanmar. We also found some other targeted countries such as Pakistan as well, because Pakistan is one of the countries very involved in Belt and Road Initiative.

Dave Bittner: [00:03:46] I see. And are there particular groups within those countries that they seem to be targeting?

Parthiban: [00:03:53] So, the specific entities that Mustang Panda targets are most of the government entities as well as non-governmental entities, non-profit groups. Mustang Panda primarily collects geopolitical intelligence. So they primarily collect intelligence from these governments that Mustang Panda's targets are.

Dave Bittner: [00:04:15] I see. Well, let's dig in and go through some of the lure documents that have been sent out here. Before we get to that, do you think that they are planting these documents via phishing, or how do you suppose folks are finding these documents on their computers?

Parthiban: [00:04:30] I don't have a definite answer to that, but I can say, like most of these APT groups, we believe the Mustang Panda should be using spearphishing emails to reach out to their targets.

Dave Bittner: [00:04:42] Well, let's go through some of these lure documents together. You gathered quite a few of them – the research here has fifteen different documents. Why don't we go through a couple of them together? What were some of the more interesting ones that you found?

Parthiban: [00:04:54] We'll start off with a particular sample that targets Vietnamese Embassy that is in China. So in this case, we believe the email has been sent to the victims who work in Embassy of Vietnam in China. So this particular document talks about two different activities. One is a military drill that is going to happen in the South China Sea. So the government is asking them not to let go any civilians or any fishermen over there. And the other one talks about China's latest icebreaking ship. So it's just a lure document, but in the background – once it is opened, in the background, a Cobalt Strike payload has been installed in the background and it's reaching out to the C2. So this is one of the samples.

Parthiban: [00:05:43] And I'll talk about the other sample that talks about United Nations Security Council. So we believe this is targeting a think tank in one of the Southeast Asian countries, but we don't have any proof which think tank it is particularly targeting. It purely based on the content of the document. So, in this case, it is very interesting because this document has been downloaded from a United Nations website. You can go to the website and you can download it. So the attackers, they are very clear in this case, they downloaded a real document and attached to the Windows shortcut file. And then even the document title shows that the real file name, which is downloaded from the UN's website. And in this case, the lure document, while the victim views the lure document, in the background, PlugX payload has been installed and it will start communicating to the C2 server.

Dave Bittner: [00:06:36] So what they're doing here is, is taking documents that their targets would likely to be interested in. They're taking the time to choose documents that they would likely want to read, that would strike their interest, and taking advantage of that – a bit of social engineering there.

Parthiban: [00:06:52] Yes, exactly. So, the targets and the lure documents are very related to each other. So it gives the attackers an advantage that the victims will definitely open it, because it is very relevant and very timely for the victims.

Dave Bittner: [00:07:08] Now, your research also describes how they've been targeting some police in Pakistan, and they were using the PlugX malware for that?

Parthiban: [00:07:15] Yes. In that case, we didn't find the initial infection. We were able to find that particular sample by pivoting off the IOCs that we were able to find in the previous infections. So in that case, that was targeted against a police department in Punjab's Sindh Province.

Dave Bittner: [00:07:33] Well, let's go through what's going on technically behind the scenes here. While I'm reading this document that they've sent as the decoy, what's going on on my machine? What tools are they using and how is it communicating with command-and-control?

Parthiban: [00:07:47] Once the victim opens the Windows shortcut file, a series of activities will happen in the background. So, for example, once the victim open a store Windows shortcut file, there is an embedded HTA script inside the Windows shortcut file, and then it opens another VBScript file. So, the VBScript file performs two different activities. So it basically opens the decoy document to the victim, as well as in the background it executes a PowerShell script that is going to download PlugX or Cobalt Strike – depends on which payload has been ingested for that particular victim. And then it's going to beacon out – in case of Cobalt Strike, it's going to download a stager, and then it's going to reach out to the command-and-control.

Parthiban: [00:08:32] In the front for the victim, the lure document will be opened, so none of the malicious activities will be shown to the user. I mean, no visible dialog boxes or any "click yes or no," since the Mustang Panda group is using Windows shortcut file. So there is no need to enable or disable macros, which by now is the most commonly used tactic. So in this case, the victim thinks that he or she did in fact open a legitimate document or a PDF file.

Dave Bittner: [00:09:04] And where is it reaching out to? What would have you learned about the C2 servers?

Parthiban: [00:09:08] There is no specific countries or regions that all the C2 servers are located. So it's all spread out across the globe, so that's about it.

Dave Bittner: [00:09:17] What sort of information does it seem like they're interested in? What are they sending back?

Parthiban: [00:09:21] In this case, a group is specifically interested on collecting intelligence from the neighboring countries or the countries involved in the Belt and Road Initiative. So at the time of research, most of the C2 servers were actually down, so we were not able to reach out to the C2 or we were not able to find what exactly it is trying to exfiltrate from the victim, because all the activity that the malicious shortcut file does is it installs the first-stage payload, and it's going to retrieve the second-level payload from the C2 server. So once the victim receives the second-level payload, it is going to perform the next set of activities.

Dave Bittner: [00:10:02] And what are your recommendations in terms of people protecting themselves against this?

Parthiban: [00:10:06] Be wary about the emails that you are opening, because the most common infection vector is the email. So please be wary about what you're opening and especially email attachments.

Dave Bittner: [00:10:19] So was this the sort of thing that antivirus would catch or endpoint protection?

Parthiban: [00:10:24] In this case, I would say no, because there is no malicious payloads or any other malicious activities embedded here. It's just a plain Windows shortcut file, and all it's going to be having is just a URL just to download the next level payload. In this case, even the next – the URL – Mustang Panda are using legitimate storage services like Google Drive, Dropbox, or publicly known storage services to retrieve their second-level payload. So the antivirus – in this case, antivirus will not be enough to help.

Dave Bittner: [00:11:01] Our thanks to Parthiban from Anomali for joining us. The research is titled, "China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations." We'll have a link in the show notes.

Dave Bittner: [00:11:13] Thanks to Juniper Networks for sponsoring our show. You can learn more at, or connect with them on Twitter or Facebook.

Dave Bittner: [00:11:24] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:11:32] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our amazing CyberWire team is Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.