Mustang Panda PlugX - 45.251.240.55 Pivot - Custom Tools, Reverse Engineering, and Threat Research

Mustang Panda PlugX - 45.251.240.55 Pivot

New Mustang Panda PlugX sample compared with prior Mustang Panda/RedDelta PlugX samples

May 17, 2021

xorhex

2-Minute Read


Family	PlugX
Threat Actor	Mustang Panda
Encrypted	589e87d4ac0a2c350e98642ac53f4940fcfec38226c16509da21bb551a8f8a36
Decrypted	dce920f5db90efecc7fb7a6b6399c80fc83e3f1251f160cd1295b6a4b67125d4

Summary

On 2021-05-01 another encrypted Mustang Panda PlugX binary was uploaded to VirusTotal.

Like the other samples, this encrypted PlugX file used a 10 byte prepended XOR key (a null byte seperates the key from the encrypted contents).

10 Byte XOR Key: 0x47, 0x45, 0x48, 0x47, 0x7a, 0x67, 0x5a, 0x6e, 0x75, 0x6d

The decrypted file continues to embed shell code in the MZ header. The video below shows the decryption process and the embedded shell code at the begining of the file.

This instance of PlugX checks for XXXXXXXX at the start of the config section. The RedDelta varient uses ######## instead of 8 Xs.

Config Check

The extracted config contains values seen in prior Mustang Panda PlugX files.

{
    "config": {
        "cncs": [
            {
                "num": 1,
                "host": "45.251.240.55",
                "port": 443
            },
            {
                "num": 1,
                "host": "45.251.240.55",
                "port": 8080
            },
            {
                "num": 1,
                "host": "45.251.240.55",
                "port": 8080
            },
            {
                "num": 1,
                "host": "45.251.240.55",
                "port": 443
            }
        ],
        "mutex": "eZlapRxpEQvscgtWBqqr",
        "sleep": 1000,
        "folder": "AAM UpdatesBif"
    },
    "extracted_from_sha256": "dce920f5db90efecc7fb7a6b6399c80fc83e3f1251f160cd1295b6a4b67125d4"
}

Let’s see what other sample we have that are similar.

Using data points extracted from our sample set, I filtered down the related samples based upon the ones with a matching IP addresses. The interactive visualization below shows the related samples and any property extracted where it was used by two or more samples.

IP Pivot

Content Loading..

Click a Node to Load Details Below

We identified 40 additional PlugX samples upon expanding our pivot to include samples that also matched on these properties. Theese samples span across both the XXXXXXXX and ######## varients.

Expanded IP Pivot

Content Loading..

Click a Node to Load Details Below

This actually encompasses all of the MustangPanda/RedDetla PlugX samples I’ve in my collection at this time.

Note: I’m still building out my collection, so overtime it will be apparent which property values are worth pivoting on and which ones are not.

xorhex