This is Part 2 of our two-part technical analysis on Mustang Panda’s new tools. For details on ToneShell and StarProxy, go to Part 1.

Introduction

In addition to the new ToneShell variants and StarProxy, Zscaler ThreatLabz discovered two new keyloggers used by Mustang Panda, which we have named PAKLOG and CorKLOG, as well as an EDR evasion driver (SplatCloak) on Mustang Panda’s staging server. In Part 2 of this series, we analyze these keyloggers and the EDR evasion driver.

Key Takeaways

- Mustang Panda continues to create new tooling for targeted attacks.
- PAKLOG is a keylogger that the group uses to monitor keystrokes and clipboard data; it employs a custom character encoding scheme to obfuscate the log data.
- CorKLOG is also a keylogger deployed by Mustang Panda. It uses a 48-character RC4 key to encrypt the contents of the keylogger capture file, and it maintains persistence by creating services or scheduled tasks.
- SplatCloak is a tool used by Mustang Panda that disables kernel-level notification callbacks for four Windows Defender-related drivers and for Kaspersky drivers. Its developers implemented code obfuscation techniques, including control flow flattening and mixed boolean arithmetic, to hinder analysis.

Technical Analysis

The technical analysis in this section focuses on the keyloggers, PAKLOG and CorKLOG, along with SplatCloak. Both PAKLOG and CorKLOG are straightforward keyloggers, but CorKLOG also includes persistence mechanisms. Additionally, both keyloggers obfuscate their log files to conceal their activity. SplatCloak, deployed by SplatDropper, is a Windows kernel driver designed to disable EDR-related routines implemented by Windows Defender and Kaspersky, enabling the group's tooling to evade detection.

PAKLOG

Paklog is a keylogger that utilizes high-level Windows APIs to capture keystrokes and monitor clipboard activity. The keylogger then encodes this data and writes it to a local file.
Paklog lacks built-in exfiltration capabilities, suggesting that Mustang Panda mainly uses it to collect data and leverages other methods for data exfiltration. Paklog is deployed via a RAR archive (e.g., key.rar), which contains two files: a signed, legitimate binary (PACLOUD.exe) and the malicious Paklog DLL (pa_lang2.dll). The PACLOUD.exe binary is used to sideload the Paklog DLL, which starts the keylogger functionality. The sections below provide more information about Paklog.

The Paklog DLL (pa_lang2.dll) includes a malicious export function named ASH_LANG2_add, which performs the
[…]
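The key takeaways above note that CorKLOG encrypts its capture file with a 48-character RC4 key. The following Python is an added example, not code from the original article or from Zscaler ThreatLabz: it implements RC4 so that an analyst who has extracted the key from a sample can decrypt a recovered capture file for review. The key and the sample capture contents are constructed placeholders, not values taken from the malware; RC4 is symmetric, so the same routine encrypts and decrypts.

```python
import sys
from pathlib import Path

# CorKLOG is reported to use a 48-character RC4 key. This key is a constructed
# placeholder for the example, NOT the key used by the malware.
PLACEHOLDER_KEY = b"0123456789abcdef0123456789abcdef0123456789abcdef"
EXPECTED_KEY_LEN = 48


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key-scheduling + pseudo-random generation).

    The keystream is XORed with the input, so one call both encrypts and
    decrypts; no IV or nonce is involved.
    """
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm: permute the 256-byte state using the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation: one keystream byte per input byte.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_capture(blob: bytes, key: bytes) -> str:
    """Decrypt a recovered capture file and return its text for review.

    Prints a warning (but still proceeds) when the key length differs from
    the 48 characters reported for CorKLOG, since an analyst may be trying
    candidate keys pulled from a sample.
    """
    if len(key) != EXPECTED_KEY_LEN:
        print(
            f"warning: key is {len(key)} bytes; CorKLOG is reported to use "
            f"{EXPECTED_KEY_LEN}",
            file=sys.stderr,
        )
    return rc4(key, blob).decode("utf-8", errors="replace")


# Constructed sample capture: the kind of content a keylogger log might hold,
# encrypted here with the placeholder key so the example runs offline.
SAMPLE_PLAINTEXT = (
    b"[2024-01-01 10:00:00] window: notepad.exe\n"
    b"hello world\n"
    b"[clipboard] example clipboard text\n"
)
SAMPLE_CAPTURE = rc4(PLACEHOLDER_KEY, SAMPLE_PLAINTEXT)


if __name__ == "__main__":
    # Usage: python corklog_decrypt.py [capture_file]
    # With no argument, the constructed sample capture is decrypted instead.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = Path(path).read_bytes() if path else SAMPLE_CAPTURE
    print(decrypt_capture(blob, PLACEHOLDER_KEY))
```

Because RC4 has no integrity protection, a wrong key does not fail loudly; it simply yields garbage, which is why the example decodes with `errors="replace"` and leaves the analyst to judge whether the output is readable log text.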