Pirate Panda (China): Researchers at Anomali analyzed a spear-phishing campaign targeting the Da Nang Municipality in Vietnam. The emails carried a malicious Excel attachment that, once opened, writes two files to the user's Application Data folder: a non-malicious executable named Utilman.exe and a malicious Dynamic-link Library (DLL) named mpsvc.dll. The Utilman executable is a renamed copy of the legitimate Microsoft Windows Defender program. Because Windows resolves a DLL by name and searches the executable's own directory first, running the copy from the same folder as mpsvc.dll causes it to load the attacker's DLL instead of the genuine one, a technique known as DLL side-loading; the legitimate, signed host binary gives the malicious code a trusted-looking process to live in. The malicious mpsvc.dll is very similar to the ExileRAT and KeyBoy tools previously used by Pirate Panda. After the files are written to disk, a shortcut to the renamed Utilman (Windows Defender) executable is placed in the user's Startup folder, so the chain runs again at the next logon and the implant communicates with its Command and Control (C2) server. The content of the email and the Excel file suggests the targets work in a government-run data center. The Excel file is a falsified work schedule for April 30 and May 1, which are both public holidays in Vietnam (Reunification Day and International Workers' Day); the threat actors may be counting on victims expecting schedule changes around the holidays.
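The chain above leaves three telemetry traces a defender can key on: an Office process writing PE files into a user-writable directory, a renamed signed binary starting from that directory, and a known side-loadable DLL name being loaded from somewhere other than its legitimate host's install directory. The following is an added example of those detection rules written against a few Sysmon-style fields (EventID, Image, OriginalFileName, ImageLoaded, TargetFilename); it is not Anomali's or Binary Defense's code. The sample events are constructed for this example, the Windows Defender install directories are assumed, and the OriginalFileName value used for the renamed Defender binary is an assumption (the write-up only says Utilman.exe is a copy of the Windows Defender program).

```python
"""Detection rules for the Excel -> Utilman.exe + mpsvc.dll side-load chain.

Added example, not the page's or the referenced vendors' code. Events are
dicts modelled on a handful of Sysmon fields; all sample events below are
constructed for this example and are not real telemetry.
"""
from pathlib import PureWindowsPath

# DLL names that a legitimate host binary loads from its own directory.
# Only the pair from the write-up is listed; extend with your own.
SIDELOAD_DLLS = {"mpsvc.dll"}
# Directories the Windows Defender engine is expected to run from
# (assumed for this example; adjust to your platform version).
DEFENDER_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\")
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}


def _norm(path):
    return path.replace("/", "\\").lower()


def _in_user_writable(path):
    return any(marker in _norm(path) for marker in USER_WRITABLE)


def check_process_create(ev):
    """Sysmon event 1: a binary whose version-resource name differs from its
    on-disk name, started from a user-writable directory (renamed copy)."""
    on_disk = PureWindowsPath(_norm(ev["Image"])).name
    original = ev.get("OriginalFileName", "").lower()
    if original and original != on_disk and _in_user_writable(ev["Image"]):
        return f"renamed binary: {ev['Image']} (OriginalFileName={ev['OriginalFileName']})"
    return None


def check_image_load(ev):
    """Sysmon event 7: a side-loadable DLL loaded from outside the directory
    its legitimate host normally runs from."""
    dll = _norm(ev["ImageLoaded"])
    if PureWindowsPath(dll).name not in SIDELOAD_DLLS:
        return None
    if any(dll.startswith(d) for d in DEFENDER_DIRS):
        return None
    return f"possible DLL side-load: {ev['Image']} loaded {ev['ImageLoaded']}"


def check_file_create(ev):
    """Sysmon event 11: an Office process writing a PE into a user-writable
    directory, or an Office/user-writable-dir process writing to Startup."""
    proc = PureWindowsPath(_norm(ev["Image"])).name
    target = _norm(ev["TargetFilename"])
    if (proc in OFFICE and PureWindowsPath(target).suffix in {".exe", ".dll"}
            and _in_user_writable(target)):
        return f"Office dropped PE: {ev['Image']} -> {ev['TargetFilename']}"
    if STARTUP_MARKER in target and (proc in OFFICE or _in_user_writable(ev["Image"])):
        return f"Startup persistence: {ev['Image']} -> {ev['TargetFilename']}"
    return None


RULES = {1: check_process_create, 7: check_image_load, 11: check_file_create}


def scan(events):
    """Run every rule over the event stream and return the alert strings."""
    alerts = []
    for ev in events:
        rule = RULES.get(ev["EventID"])
        hit = rule(ev) if rule else None
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry mirroring the chain in the write-up.
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
DROP = r"C:\Users\vt\AppData\Roaming"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": EXCEL, "TargetFilename": DROP + r"\Utilman.exe"},
    {"EventID": 11, "Image": EXCEL, "TargetFilename": DROP + r"\mpsvc.dll"},
    {"EventID": 11, "Image": EXCEL,
     "TargetFilename": r"C:\Users\vt\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Utilman.lnk"},
    # OriginalFileName value is assumed; the write-up only says Utilman.exe
    # is a copy of the Windows Defender program.
    {"EventID": 1, "Image": DROP + r"\Utilman.exe", "OriginalFileName": "MsMpEng.exe"},
    {"EventID": 7, "Image": DROP + r"\Utilman.exe", "ImageLoaded": DROP + r"\mpsvc.dll"},
    # Benign: the real engine loading its own DLL from its install directory.
    {"EventID": 7, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\mpsvc.dll"},
    # Benign: the genuine accessibility utilman.exe from System32.
    {"EventID": 1, "Image": r"C:\Windows\System32\utilman.exe", "OriginalFileName": "utilman.exe"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Run against the constructed events, the five malicious records each produce one alert and the two benign records (Defender loading mpsvc.dll from its own directory, the real System32 utilman.exe) produce none. The side-load rule is the one worth tuning carefully: a legitimate product update can move the engine to a new directory, so keep DEFENDER_DIRS in sync with the platform versions actually deployed rather than alerting on every unfamiliar path.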
By Akshay Rohatgi and Randy Pargman

About this Student Research Project

Binary Defense's mission is