The current attacks use the war in Ukraine and other European headlines as lures. Known victims include research institutions, internet service providers (ISPs), and European diplomatic representatives based mostly in East and Southeast Asia. ESET researchers named this new Korplug variant Hodur because of its resemblance to the THOR variant documented in 2020. In Norse mythology, Hodur is Thor’s blind half-brother.
Victims of this campaign are lured with phishing documents, possibly abusing recent events in Europe such as the Russian invasion of Ukraine. The invasion has led to an unprecedented crisis on Ukraine’s borders, with more than three million people fleeing the war to neighboring countries, according to UNHCR, the United Nations Refugee Agency. One of the files related to this campaign is named “Situation at the EU borders with Ukraine.exe”.
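The lure named above is an executable whose file name reads like a document title. The following triage heuristic is an added example, not ESET's tooling or anything from the campaign: it flags files whose name looks like a document but whose extension or content is executable. The lure-theme keyword list is an assumption drawn from the themes the page mentions, and the sample file names and byte strings (other than the "EU borders" name quoted above) are constructed.

```python
"""Triage heuristic for lure files that pose as documents but run as code.

Added example with constructed inputs; not ESET's tooling.
"""
import re
from pathlib import PurePath

# Extensions Windows will execute; a "document" carrying one of these is a lure pattern.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".cpl", ".msi", ".bat", ".cmd", ".js", ".vbs", ".hta"}
# Extensions a lure wants the target to believe it has.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".txt"}

# Lure themes taken from the page; an assumed keyword list, tune it to your own environment.
LURE_THEMES = re.compile(
    r"situation|border|ukraine|covid|travel|restriction|regulation|council|parliament|aid map",
    re.IGNORECASE,
)

# File-type signatures, compared against what the file name advertises.
MAGIC = {
    b"MZ": "pe",                  # Windows executable
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",         # also .docx/.xlsx/.pptx containers
    b"\xd0\xcf\x11\xe0": "ole",   # legacy .doc/.xls/.ppt
}


def sniff(data: bytes) -> str:
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def filename_findings(name: str) -> list:
    """Findings derived from the file name alone (double extension, lure-style title)."""
    path = PurePath(name)
    suffixes = [s.lower() for s in path.suffixes]
    final = suffixes[-1] if suffixes else ""
    findings = []
    if final in EXECUTABLE_EXTS:
        # "invoice.pdf.exe": a document suffix hidden in front of the executable one.
        if any(s in DOCUMENT_EXTS for s in suffixes[:-1]):
            findings.append("double extension: document suffix before executable suffix")
        # path.stem drops only the last suffix, so the lure title is still visible here.
        if LURE_THEMES.search(path.stem):
            findings.append("document-like lure title on an executable")
    return findings


def assess(name: str, data: bytes) -> dict:
    """Combine name-based findings with a content/extension consistency check."""
    findings = filename_findings(name)
    kind = sniff(data)
    final = PurePath(name).suffix.lower()
    if kind == "pe" and final in DOCUMENT_EXTS:
        findings.append("PE header inside a file with a document extension")
    return {
        "name": name,
        "content": kind,
        "findings": findings,
        "verdict": "suspicious" if findings else "no finding",
    }


def triage(samples) -> list:
    """Return the names of all samples that produced at least one finding."""
    return [r["name"] for r in (assess(n, d) for n, d in samples) if r["findings"]]


# Constructed samples: the first name is the lure quoted on the page, the bytes are made up.
SAMPLES = [
    ("Situation at the EU borders with Ukraine.exe", b"MZ\x90\x00\x03\x00"),
    ("invoice.pdf.exe", b"MZ\x90\x00"),
    ("notes.pdf", b"MZ\x90\x00"),
    ("agenda.pdf", b"%PDF-1.7\n"),
    ("setup.exe", b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(assess(name, data))
```

Running the module prints one record per sample; `setup.exe` and `agenda.pdf` yield no finding, while the three lure-style names do. The heuristic is a first-pass filter for mail-gateway or endpoint file listings, not a verdict on its own.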
Other phishing lures mention updated COVID-19 travel restrictions, an approved regional aid map for Greece, and European Parliament and Council regulations. The latest lure is a genuine document found on the Council of Europe’s website. This shows that the APT group behind this campaign follows current events and can react to them quickly and effectively.
ESET malware researcher Alexandre Côté Cyr, who discovered Hodur, explains: “Based on code similarities and many commonalities in Tactics, Techniques and Procedures, ESET researchers are confident that this campaign is related to the Mustang Panda group, also known as TA416, RedDelta or PKPLUG, a cyber espionage group that mainly targets government agencies and NGOs.” Mustang Panda victims are mostly found in East and Southeast Asia, particularly Mongolia, but are not limited to these countries. The group is also known for its campaign targeting the Vatican in 2020.
While ESET researchers were not able to identify all victims’ sectors, this campaign has the same goals as other Mustang Panda campaigns. In line with this APT group’s typical victim selection, most victims are located in East and Southeast Asia, with some in European and African countries. According to ESET telemetry, the vast majority of targets are in Myanmar, followed by Mongolia and Vietnam, with a few in other countries such as Greece, Cyprus, Russia, South Sudan and South Africa. The identified sectors include diplomatic representatives, research institutions and ISPs.
Mustang Panda’s campaigns often use custom loaders to deliver malware, including Cobalt Strike, Poison Ivy, and Korplug (also known as PlugX). The group is also known to create its own Korplug variants. Côté Cyr concludes: “Compared to other campaigns using Korplug, all phases of the distribution process use anti-analysis techniques and control-flow obfuscation to make investigation more difficult for malware researchers like us.”