- Mustang Panda upgrades CoolClient backdoor with new rootkit and extended capabilities
- New features include clipboard monitoring, proxy credential sniffing, and improved plugin ecosystem
- Updated malware used against governments in Asia and Russia for espionage and data theft
Chinese state-sponsored hackers Mustang Panda have upgraded one of their backdoors with new capabilities, potentially making it even more dangerous than ever.
Security researchers at Kaspersky recently discovered that the backdoor, called CoolClient, was used in an attack that deployed an entirely new rootkit.
Mustang Panda is a known threat actor whose activities align perfectly with Chinese national interests: cyberespionage, data theft, and persistent access. It has a large arsenal of custom tools, including backdoors, RATs, rootkits and more – including CoolClient, a backdoor first seen in 2022 that is usually deployed as a secondary backdoor alongside PlugX and LuminousMoth.
Clipboard capture and HTTP proxy credential sniffing
Now, even though the old variant was dangerous as it was, Mustang Panda decided to give it a facelift, Kaspersky said.
Originally, CoolClient was able to profile and collect system and user details and record keystrokes. It allowed Mustang Panda to upload and delete files, run TCP tunneling and reverse proxy listening, and execute code in memory. It contained various persistence mechanisms, UAC bypass and DLL sideloading.
Now it can monitor the clipboard and catch copied content (for example, passwords obtained from password managers or cryptocurrency wallet information stored elsewhere) and enables sniffing of HTTP proxy credentials. It also has an expanded plugin ecosystem, including an external shell plugin for interactive command execution, a service management plugin, and a more capable file management plugin.
Furthermore, it allows for credential theft via infostealers, as well as the use of legitimate cloud services to quietly exfiltrate stolen data.
Kaspersky said it saw the updated version of the malware used in attacks against government entities in Myanmar, Mongolia, Malaysia and Pakistan. It was also found on devices belonging to the Russian government, but that should come as no surprise, as China has been seen before trying to spy on its allies and partners.