This dangerous APT has expanded its skills with some new tools - here's what we know
  • Mustang Panda upgrades CoolClient backdoor with new rootkit and expanded capabilities
  • New features include clipboard monitoring, proxy credential sniffing, and enhanced plugin ecosystem
  • Updated malware used against governments in Asia and Russia for espionage and data theft

Chinese state-sponsored hackers Mustang Panda have upgraded one of their backdoors with new capabilities, potentially making it even more dangerous than ever.

Security researchers at Kaspersky recently spotted the backdoor, called CoolClient, being used in an attack that deployed a brand-new rootkit.

Mustang Panda is a known threat actor, whose activities align perfectly with Chinese national interests: cyber-espionage, data theft, and persistent access. It has a large arsenal of custom tools, including backdoors, RATs, rootkits, and more - including CoolClient, a backdoor that was first seen in 2022 and is usually deployed as a secondary backdoor, alongside PlugX and LuminousMoth.

Clipboard capture and HTTP proxy credential sniffing

Now, even though the legacy variant was dangerous as it was, Mustang Panda decided to give it a facelift, Kaspersky said.

Originally, CoolClient was able to profile and gather system and user details, and record keystrokes. It allowed Mustang Panda to upload and delete files, run TCP tunneling and reverse-proxy listening, and execute payloads in memory. It featured different persistence mechanisms, UAC bypasses, and DLL sideloading.

Now, it can monitor the clipboard and capture copied contents (for example, passwords picked up from password managers, or cryptocurrency wallet information stored elsewhere) and enables HTTP proxy credential sniffing. It also has an expanded plugin ecosystem, including a remote shell plugin for interactive command execution, a service management plugin, and a more capable file management plugin.

Furthermore, it allows for credential theft via infostealers, as well as the use of legitimate cloud services for quiet exfiltration of stolen data.

Kaspersky said it saw the updated version of the malware used in attacks against government entities in Myanmar, Mongolia, Malaysia, and Pakistan. It was also found on devices belonging to the Russian government, but that should come as no surprise, since China has been observed spying on its allies and partners before.


Source: TechRadar