

Chinese hackers use Google Drive to drop malware on govt networks

November 18, 2022, 10:24 AM


State-backed Chinese hackers launched a spearphishing campaign to deliver custom malware stored in Google Drive to government, research, and academic organizations worldwide.
The attacks were observed between March and October 2022, and researchers attributed them to the cyber espionage group Mustang Panda (also tracked as Bronze President and TA416).
According to Trend Micro researchers, the threat group targeted mostly organizations in Australia, Japan, Taiwan, Myanmar, and the Philippines.
Heatmap of targets in latest campaign (Trend Micro)
The Chinese hackers used Google accounts to send their targets email messages with lures that tricked them into downloading custom malware from Google Drive links.

Infection details

In a report today, Trend Micro researchers say that the hackers used messages with geopolitical subjects and that most of them (84%) targeted government/legal organizations.
To bypass security mechanisms, the embedded link points to a Google Drive or Dropbox folder; both are legitimate platforms with a good reputation, so links to them typically draw less suspicion from filters and recipients.
These links lead to downloading compressed files (RAR, ZIP, JAR) with custom malware strains such as ToneShell, ToneIns, and PubLoad.
Mustang Panda infection process (Trend Micro)
"The email's subject might be empty or might have the same name as the malicious archive," explains the report.
"Rather than add the victims' addresses to the email's 'To' header, the threat actors used fake emails. Meanwhile, the real victims' addresses were written in the 'CC' header, likely to evade security analysis and slow down investigations." - Trend Micro
Although the hackers used various malware loading routines, the process typically involved DLL side-loading after the victim launched an executable present in the archives. A decoy document is displayed in the foreground to minimize suspicions.
One of the infection routines used in the latest campaign (Trend Micro)
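The lure pattern described above (empty or archive-named subject, real recipients placed in Cc rather than To, and a Google Drive or Dropbox link to a RAR/ZIP/JAR archive) can be turned into a mail-gateway triage heuristic. The following Python script is an added example, not code from the article or the Trend Micro report; the organization domain, addresses, link IDs and message contents are constructed for illustration.

```python
import email
from email import policy
from urllib.parse import urlparse

# Assumed domain of the organization receiving mail (constructed for this example).
ORG_DOMAIN = "example.gov"
# File-hosting services the report says were used to host the malicious archives.
CLOUD_HOSTS = {"drive.google.com", "docs.google.com", "dropbox.com", "www.dropbox.com"}
# Archive types the report says the Drive/Dropbox links delivered.
ARCHIVE_EXTS = (".rar", ".zip", ".jar")

def triage_message(raw: str) -> list[str]:
    """Return the sorted list of lure heuristics that fire for one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    subject = str(msg["Subject"] or "").strip().lower()
    to_hdr = str(msg["To"] or "").lower()
    cc_hdr = str(msg["Cc"] or "").lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""

    # 1. Subject is empty or carries the name of an archive, as in the campaign.
    if subject == "" or subject.endswith(ARCHIVE_EXTS):
        findings.append("empty-or-archive-subject")
    # 2. Our own users appear only in Cc while To holds an unrelated address.
    if ORG_DOMAIN in cc_hdr and ORG_DOMAIN not in to_hdr:
        findings.append("recipients-in-cc-only")
    # 3. Body links to a file-hosting service rather than to an internal site.
    links = [w.rstrip(".,;)") for w in text.split() if w.startswith("http")]
    if any(urlparse(u).netloc.lower() in CLOUD_HOSTS for u in links):
        findings.append("cloud-hosted-link")
    return sorted(findings)

# Constructed sample messages (not real campaign artifacts).
SUSPICIOUS = """\
From: lure.sender@gmail.com
To: nobody@example.net
Cc: analyst@example.gov, director@example.gov
Subject: briefing.rar

Please review the material here: https://drive.google.com/file/d/PLACEHOLDER-ID/view
"""
BENIGN = """\
From: colleague@example.gov
To: analyst@example.gov
Subject: Meeting notes

Notes are on the intranet: https://intranet.example.gov/notes
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, triage_message(raw))
```

Any single heuristic is weak on its own; in practice the message is escalated only when two or more fire together.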

Malware evolution

The three malware strains used in this campaign are PubLoad, ToneIns, and ToneShell.
Of the three custom malware pieces used in the campaign, only PubLoad had been previously documented, in a Cisco Talos report from May 2022 describing campaigns against European targets.
PubLoad is a stager responsible for creating persistence by adding registry keys and creating scheduled tasks, decrypting shellcode, and handling command and control (C2) communications.
Trend Micro says later versions of PubLoad feature more sophisticated anti-analysis mechanisms, implying that Mustang Panda is actively working on improving the tool.
ToneIns is an installer for ToneShell, the main backdoor used in the recent campaign. It uses obfuscation to evade detection and load ToneShell while also establishing persistence on the compromised system.
ToneShell is a standalone backdoor loaded directly in memory, featuring code flow obfuscation through implementation of custom exception handlers.
This also works as an anti-sandbox mechanism, as the backdoor won't execute in a debugging environment.
Data workflow of exception handling in C++ (Trend Micro)
After connecting to the C2, ToneShell sends a package with victim ID data and then waits for new instructions.
These commands allow uploading, downloading, and executing files, creating shells for intranet data exchange, changing sleep configuration, and more.

Mustang Panda activity

Trend Micro says this recent campaign features the same Mustang Panda tactics, techniques, and procedures (TTPs) that Secureworks reported in September 2022.
The latest campaign shows signs of an improved toolset and capability to expand, which increases the Chinese hackers' ability to collect intelligence and breach targets.
Earlier this year, Proofpoint reported that Mustang Panda was focusing its operations in Europe, targeting high-ranking diplomats.
A Secureworks report from around the same time spotted a separate Mustang Panda campaign, this time targeting Russian officials.
In March 2022, ESET explored Mustang Panda's operations in Southeast Asia, South Europe, and Africa, indicating that the Chinese espionage gang is a global threat despite having short-term bursts of focused activity.
Google Drive has become a haven for hackers and spammers. It seems that Google may randomly check and ban .exe and compressed files, but with no predictability or uniformity.
Excessive bandwidth use can get an account banned so it's not useful as a drop site.
In my travels Google Docs are a favorite of spammers, who either present the spam directly from the site or use it for a redirect. Useful for the bad guys to bypass spam filters.
Google has been tightening the belt as so many web-based services have; the bottom line is a concern and the bean counters want to keep the stockholders happy and the price up. Look for contractions or eliminations of Google Drive, OneDrive not linked to a paying 365 subscription package, and more of those free storage sites, unless you are willing to pay a heavy price with adverts and your information shared for a price.
Goes back to my old saying, "Nothing on the Internet is free" or as my former Chilean GF used to say, "Everything has a price to pay".
While I am on a roll, my old roommate at the Uni. used to say, "If you want to dance, you gotta pay the piper," which was really cool in his heavy Down Easter New England accent.