Mustang Panda, a threat actor group, has developed new tools: two keyloggers (PAKLOG and CorKLOG) and an EDR evasion driver (SplatCloak). PAKLOG monitors keystrokes and clipboard data and stores the captured data using a custom encoding scheme. CorKLOG captures keystrokes, encrypts the collected data with RC4, and establishes persistence through services or scheduled tasks. SplatCloak disables kernel-level notification callbacks registered by Windows Defender and Kaspersky drivers, and is hardened against analysis with obfuscation techniques such as control flow flattening and mixed boolean arithmetic. Alongside those tools, the group has been observed using updated versions of ToneShell and a new tool called StarProxy. ToneShell, a backdoor, now features changes in its FakeTLS C2 communication protocol and in how it stores client identifiers. StarProxy, a lateral movement tool, uses the same FakeTLS protocol to proxy traffic and facilitate attacker communications.
Author: AlienVault
Related Tags:
SplatCloak
CorKLOG
PAKLOG
T1569.002 (System Services: Service Execution)
T1573.001 (Encrypted Channel: Symmetric Cryptography)
NGO
TONESHELL
Myanmar
T1056.001 (Input Capture: Keylogging)
Associated Indicators: