Myanmar President’s Office Hacked for the Second Time

A cyber-espionage hacking gang is suspected of breaking into the Myanmar president’s office website and injecting a backdoor trojan into a customized Myanmar font package accessible for download on the home page. ESET, a Slovak security firm, discovered the attack on Wednesday, June 02, 2021. 

The software employed in the attack resembles malware strains used in previous spear-phishing efforts intended at Myanmar targets by a Chinese state-sponsored hacker outfit known as Mustang Panda, RedEcho, or Bronze President, according to researchers. 

Mustang Panda is mostly focused on non-governmental organizations (NGOs). It employs Mongolian language decoys and themes, as well as shared malware such as Poison Ivy and PlugX, to attack its targets. Their attack chain looks something like this: 

• A malicious link is disguised using the goo.gl link shortening tool and sent to a Google Drive folder.

• When you click on the Google Drive link, you’ll be taken to a zip file that contains a.Ink file disguised as a.pdf file. 

• The user is redirected to a Windows Scripting Component (.wsc) file when they open the file. This file can be found on a malicious microblogging website.

 

• A VBScript and a PowerShell script from the Twitter page are included in the.Ink file to get the fake PDF file. 

 

• A Cobalt Strike (https://know.netenrich.com/threatintel/malware/Cobalt % 20Strike) payload is created by the PowerShell script. 

• The threat actor can operate the system remotely using Cobalt Strike’s connection to the command-and-control IP address. 

Mustang Panda has a history of carefully constructed email-based attacks; for this operation, the gang appears to have modified a Myanmar Unicode font package available for download on the Myanmar presidency’s website. “In the archive, attackers added a Cobalt Strike loader [named] Acrobat.dll, that loads a Cobalt Strike shellcode,” the ESET team wrote in a Twitter thread. 

This loader, according to researchers, pings a command and control (C&C) server at 95.217.1[.]81. The loader resembled other malware copies that had previously been transmitted as file attachments in spear-phishing efforts directed at Myanmar targets.

The archives show signs of an advanced and stealthy cyber-espionage operation hidden in files named “NUG Meeting Report.zip,” “Proposed Talking Points for ASEAN-Japan Summit.rar,” “MMRS Geneva,” “2021-03-11.lnk,” and “MOHS-3-covid.rar,” even if ESET said it has yet to officially confirm Mustang Panda’s involvement beyond a doubt.

This is the second time the Myanmar president’s office has been hacked in order to launch a watering hole attack. The first incident occurred between November 2014 and May 2015, when the site was used to disseminate a version of the EvilGrab malware by another alleged Chinese cyber-espionage group.