
Chinese Mustang Panda Hackers Use CoolClient Backdoor to Spread Infostealers

Summary

– The Mustang Panda threat group has updated its CoolClient backdoor with new capabilities, including stealing browser login data and monitoring the clipboard.
– The malware has been used in recent attacks targeting government entities in several Asian countries, deployed via legitimate software from the Chinese company Sangfor.
– CoolClient’s new features include active window tracking, HTTP proxy credential sniffing, and an expanded plugin ecosystem for remote shell and service management.
– A novel operational shift involves using infostealers to collect data from Chromium-based browsers and exfiltrating documents via hardcoded tokens for legitimate public services.
– Mustang Panda continues to evolve, with Taiwan’s National Security Bureau ranking it among the most prolific threats targeting its critical infrastructure.

Cybersecurity researchers have identified a significant evolution in the tools used by the Chinese-linked espionage group known as Mustang Panda. The group has rolled out an updated version of its CoolClient backdoor, now equipped with enhanced capabilities to steal browser login credentials and monitor clipboard content. This new variant has been observed in targeted campaigns against government organizations across several countries in Asia and beyond.

The malware, which has been associated with Mustang Panda since 2022, was recently deployed in attacks targeting entities in Myanmar, Mongolia, Malaysia, Russia, and Pakistan. In these incidents, the backdoor was distributed by compromising legitimate software from Sangfor, a Chinese firm specializing in cybersecurity and cloud infrastructure products. This marks a shift from previous methods, where attackers used DLL side-loading techniques that abused signed binaries such as those from Bitdefender and VLC Media Player.

Once installed, CoolClient performs extensive reconnaissance on the compromised system. It collects detailed information including the computer name, operating system version, RAM specifications, network data, and details about loaded driver modules. The backdoor establishes persistence through several methods, such as modifying the Windows Registry, creating new system services, and setting up scheduled tasks. It also incorporates techniques to bypass User Account Control (UAC) and escalate privileges.

The core functionality of the malware is embedded within a DLL file. When executed, it checks for the activation of several key modules: a keylogger, a clipboard stealer, and a sniffer designed to harvest credentials from HTTP proxy traffic. While earlier versions included standard features like system profiling, file operations, and TCP tunneling, the latest iteration introduces entirely new components.

A major addition is a dedicated clipboard monitoring module, which allows the attackers to capture any data a user copies and pastes. The malware can also now track the titles of active application windows, providing context about user activity. The HTTP proxy credential sniffer operates by inspecting raw network packets and extracting authentication headers. Furthermore, the plugin system supporting the backdoor has been expanded with new tools.

Operators now have access to a service management plugin for controlling Windows services, a more advanced file management plugin for operations like drive enumeration and file compression, and a remote shell plugin. This shell plugin creates a hidden command prompt process, enabling interactive command execution directly through the malware’s communication channel with its command-and-control servers.

Perhaps the most concerning development is CoolClient’s new role in deploying information-stealing malware. Researchers documented three distinct infostealer families being distributed. One variant targets Google Chrome, another focuses on Microsoft Edge, and a third, more versatile variant is designed to attack any browser built on the Chromium engine. These stealers are tasked with extracting saved login credentials from the browsers.

In another tactical shift, the attackers are now using hardcoded API tokens for legitimate public services like Google Drive to exfiltrate stolen browser data and documents. This technique helps the malicious traffic blend in with normal network activity, making detection more challenging. This activity underscores Mustang Panda’s continuous adaptation. Just last month, the group was reported using a new kernel-mode loader to deploy a variant of the ToneShell backdoor. Its persistent and high-volume threat operations have recently led Taiwan’s National Security Bureau to rank the group among the top threats to its critical infrastructure.
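As an added defender-side illustration (not code from the article, from Bleeping Computer, or from any vendor), the script below correlates constructed Sysmon-style events against the behaviours the article attributes to CoolClient: Run-key, service and scheduled-task persistence, a hidden cmd.exe child from the remote shell plugin, a non-browser process reading the Chromium "Login Data" credential store, and a non-browser process talking to the Google Drive API host. The event field names, the sample events, and the three-behaviour alert threshold are assumptions.

```python
import json
import re

# Constructed Sysmon-style events (not real telemetry); JSON escapes backslashes as "\\".
SAMPLE_EVENTS = r"""
{"host":"ws1","type":"registry_set","image":"C:\\Temp\\upd.exe","key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"}
{"host":"ws1","type":"service_create","image":"C:\\Temp\\upd.exe","name":"UpdSvc"}
{"host":"ws1","type":"process_create","image":"C:\\Windows\\System32\\cmd.exe","parent":"C:\\Temp\\upd.exe","window":"hidden"}
{"host":"ws1","type":"file_read","image":"C:\\Temp\\upd.exe","path":"C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"host":"ws1","type":"network_connect","image":"C:\\Temp\\upd.exe","dest":"www.googleapis.com","port":443}
{"host":"ws2","type":"process_create","image":"C:\\Windows\\System32\\cmd.exe","parent":"C:\\Windows\\explorer.exe","window":"visible"}
{"host":"ws2","type":"network_connect","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","dest":"www.googleapis.com","port":443}
"""

BROWSERS = ("chrome.exe", "msedge.exe")          # processes expected to touch their own stores / APIs
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)

def _image(ev):
    """Base name of the acting process, lower-cased."""
    return ev.get("image", "").rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Map one event to the article-described behaviour it resembles, or None."""
    t = ev.get("type")
    if t in ("service_create", "scheduled_task_create"):
        return "persistence"                       # new service / scheduled task
    if t == "registry_set" and RUN_KEY.search(ev.get("key", "")):
        return "persistence"                       # Run-key modification
    if t == "process_create" and _image(ev) == "cmd.exe" and ev.get("window") == "hidden":
        return "hidden_shell"                      # hidden command prompt (remote shell plugin)
    if t == "file_read" and ev.get("path", "").endswith("Login Data") and _image(ev) not in BROWSERS:
        return "browser_credential_access"         # Chromium saved-login store read by a non-browser
    if t == "network_connect" and ev.get("dest", "").endswith("googleapis.com") and _image(ev) not in BROWSERS:
        return "cloud_api_upload"                  # possible exfil over a legitimate public API
    return None

def correlate(jsonl, threshold=3):
    """Group matched behaviours per host; return hosts showing >= threshold distinct ones."""
    seen = {}
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        tag = classify(ev)
        if tag:
            seen.setdefault(ev["host"], set()).add(tag)
    return {h: sorted(tags) for h, tags in seen.items() if len(tags) >= threshold}

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))   # ws1 trips four behaviours; ws2 (normal browser use) is silent
```

The Google API rule is deliberately noisy on its own (sync clients legitimately use it), which is why the alert fires only when several behaviours co-occur on one host.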

(Source: Bleeping Computer)
