In October's Threat Thursday Live sessions, the SCYTHE team dove into the latest in threat emulation and breach simulation covering a highly relevant and active threat group: Earth Preta, also known as Mustang Panda. This group has recently been observed using new tactics, techniques, and procedures (TTPs) that we believe are critical for organizations to understand and prepare for.
New Threat Releases
Understanding Earth Preta (Mustang Panda)
In October's Threat Thursday Live session, we walked through the techniques observed in recent Earth Preta activity, focusing on how the group collects and exfiltrates data while evading detection. Here are the key tactics it uses and how defenders can respond.
1. Bypassing Security Tools: Directly Querying the Security Center
Instead of scanning the process list or file system for known antivirus products, the malware asks the Windows Security Center which security products are registered (on current Windows versions this is the AntiVirusProduct class in the root\SecurityCenter2 WMI namespace). A single query tells it exactly which defenses are present so it can adjust its behavior around them; the query itself is an enumeration step, not a bypass. Because it uses a legitimate system interface, nothing about it trips a file signature, which highlights the need for endpoint protection that goes beyond signature-based detection and watches behavior such as WMI queries issued by unexpected processes.
2. Checking Internet Connectivity: Ensuring C2 Communication
The malware verifies the system’s internet connection by checking its public IP and pinging external destinations like Google, ensuring it can communicate with its Command and Control (C2) server.
3. Extracting Wi-Fi Credentials: No Admin Privileges Required
The malware uses netsh commands to extract stored Wi-Fi credentials: netsh wlan show profiles lists the saved networks, and netsh wlan show profile name=<SSID> key=clear reveals each pre-shared key. No administrative privileges are needed, and the recovered keys give the operator a way onto nearby wireless networks. Treat saved Wi-Fi keys as credentials that any user on the host can read, and watch process command lines for netsh wlan invocations that include key=clear.
4. Persistence: Modifying Run Keys and Scheduled Tasks
The malware establishes persistence twice over, writing a Run key and creating a scheduled task, so that it survives reboots even if one mechanism is removed. Monitoring registry writes under CurrentVersion\Run (Sysmon Event ID 13) and scheduled task creation (Windows Security Event ID 4698, or schtasks.exe /create in process command lines) is crucial for early detection.
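The three host-side behaviors above (the Security Center query, the netsh Wi-Fi key dump, and Run key / scheduled task persistence) all leave traces in process creation and registry telemetry. The following is an added example, not code from SCYTHE or the Threat Thursday session: a small rule set run over constructed Sysmon-style events. The event fields, file paths, SID and task name are all made up for illustration; the Sysmon event IDs (1 for process creation, 13 for a registry value set) are real.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """One Sysmon-style event: 1 = process creation, 13 = registry value set."""
    event_id: int
    image: str    # process that generated the event
    detail: str   # CommandLine for event 1, TargetObject for event 13


# (rule name, Sysmon event id, pattern applied to the detail field)
RULES = [
    # wmic / PowerShell enumeration of AV products through Security Center
    ("securitycenter_av_enum", 1, re.compile(r"securitycenter2|antivirusproduct", re.I)),
    # Dumping a saved Wi-Fi profile with its pre-shared key in clear text
    ("netsh_wifi_key_dump", 1, re.compile(r"netsh\s+wlan\s+show\s+profile\b.*key\s*=\s*clear", re.I)),
    # Scheduled-task persistence
    ("schtasks_create", 1, re.compile(r"schtasks(\.exe)?\b.*\s/create\b", re.I)),
    # Run / RunOnce key persistence, keyed on the registry event rather than the command line
    ("run_key_set", 13, re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)),
]


def detect(events):
    """Return (rule name, image) for every event matching a rule, in event order."""
    hits = []
    for ev in events:
        for name, eid, rx in RULES:
            if ev.event_id == eid and rx.search(ev.detail):
                hits.append((name, ev.image))
    return hits


# Constructed sample events (hypothetical paths, SID and task name), not a real capture.
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\wbem\WMIC.exe",
          r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"),
    # The connectivity check from section 2; on its own it is too common to alert on.
    Event(1, r"C:\Windows\System32\ping.exe", "ping -n 1 www.google.com"),
    Event(1, r"C:\Windows\System32\netsh.exe", 'netsh wlan show profile name="CorpWiFi" key=clear'),
    Event(1, r"C:\Windows\System32\schtasks.exe",
          r"schtasks /create /sc minute /mo 30 /tn Updater /tr C:\Users\Public\update.exe"),
    Event(13, r"C:\Users\Public\update.exe",
          r"HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
]

if __name__ == "__main__":
    for name, image in detect(SAMPLE_EVENTS):
        print(f"{name:24} {image}")
```

Listing profiles alone (netsh wlan show profiles) does not fire the Wi-Fi rule; only the key=clear form that reveals the pre-shared key does. The Run key rule deliberately keys on the registry event rather than on reg.exe or PowerShell command lines, so it catches the write no matter which tool performed it.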
5. Exfiltrating Data via FTP
After collecting files, the malware archives them and exfiltrates the archive over FTP, a less common exfiltration channel than HTTP(S) or cloud storage. Notably, some FTP commands were issued with incorrect syntax, which points to an operator typing at a keyboard rather than an automated routine. That is an important clue for defenders, since interactive sessions leave human-paced timing and mistakes in the logs.
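The FTP control channel is plain text, so a defender who captures or proxies it can look for exactly the pattern described above: an archive pushed with STOR, server replies in the 500 range that reveal mistyped commands, and long pauses between commands. The following is an added example, not SCYTHE's emulation code or anything shown in the session; the transcript is constructed for illustration and the 10-second "interactive" threshold is an assumption to tune against your own traffic.

```python
import re
from datetime import datetime

# Constructed control-channel transcript (client = C, server = S); not a real capture.
TRANSCRIPT = """\
12:00:01 S 220 FTP server ready
12:00:02 C USER upload
12:00:02 S 331 Password required
12:00:05 C PASS ********
12:00:05 S 230 Login successful
12:00:31 C BINRY
12:00:31 S 500 Unknown command
12:00:44 C TYPE I
12:00:44 S 200 Type set to I
12:01:12 C STOR docs.rar
12:01:12 S 150 Opening BINARY mode data connection
12:01:40 S 226 Transfer complete
12:01:55 C QUIT
12:01:55 S 221 Goodbye
"""

LINE_RX = re.compile(r"^(\d\d:\d\d:\d\d) ([CS]) (.*)$")
ARCHIVE_RX = re.compile(r"\.(rar|zip|7z|cab)$", re.I)
SYNTAX_ERROR_CODES = ("500", "501")   # RFC 959: syntax error / bad parameters


def parse(transcript):
    """Yield (timestamp, side, text) for each well-formed transcript line."""
    for line in transcript.splitlines():
        m = LINE_RX.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%H:%M:%S"), m.group(2), m.group(3)


def analyse(transcript, interactive_gap_s=10):
    """Score one FTP session for archive upload and signs of a human operator."""
    uploads, syntax_errors, gaps = [], 0, []
    last_client_ts = None
    for ts, side, text in parse(transcript):
        if side == "C":
            if last_client_ts is not None:
                gaps.append((ts - last_client_ts).total_seconds())
            last_client_ts = ts
            verb, _, arg = text.partition(" ")
            if verb.upper() == "STOR" and ARCHIVE_RX.search(arg):
                uploads.append(arg)
        elif text.startswith(SYNTAX_ERROR_CODES):
            syntax_errors += 1
    # Scripted clients fire commands back to back; a human pauses and mistypes.
    slow_gaps = sum(1 for g in gaps if g >= interactive_gap_s)
    return {
        "archive_uploads": uploads,
        "syntax_errors": syntax_errors,
        "slow_gaps": slow_gaps,
        "total_gaps": len(gaps),
        "likely_interactive": syntax_errors > 0 or (len(gaps) > 0 and slow_gaps * 2 >= len(gaps)),
    }


if __name__ == "__main__":
    print(analyse(TRANSCRIPT))
```

On the constructed session the mistyped BINRY draws a 500 reply and four of the five gaps between client commands exceed the threshold, so the session is flagged as interactive alongside the docs.rar upload. A scripted uploader that sends its commands within a second or two of each other and never triggers a syntax error scores as automated even though it uploads the same kind of archive.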
6. Post-Exfiltration Cleanup and C2 Check-ins
After the data is exfiltrated, the malware checks in with its C2 server to signal that the transfer completed. Monitoring outbound traffic for unexpected FTP sessions and for repeated connections to unfamiliar external hosts can surface the intrusion before further data loss occurs.
Key Takeaways for Defenders
- Behavioral Detection: Attackers may use non-traditional methods like FTP or interactive commands, which may bypass signature-based systems. Behavioral monitoring is crucial.
- Manual Errors Indicate Interactive Control: Mistakes in command execution suggest that attackers are manually controlling the attack, not automating it.
- Persistence Monitoring: Track changes to registry keys and scheduled tasks to detect and block persistence mechanisms.
- Protect Wi-Fi Credentials: Ensure local networks and stored credentials are secured to prevent unauthorized access.
- Early Detection of C2 and Exfiltration: Look for signs of C2 check-ins and FTP exfiltration to identify the attack early and prevent further data loss.
REGISTER: for all upcoming workshops and Threat Thursday Live
Register today! 🦄