Cado Security Labs have uncovered a malware campaign that targets the Royal Thai Police, involving the use of deceptive documents that lead to the execution of the Yokai backdoor. This activity aligns with the known methods of the Chinese APT group Mustang Panda, which has been active in targeting Thai officials. Affected: Royal Thai Police, Thai government, Chinese APT groups
Keypoints :
- Cado Security Labs identified a malware campaign against the Royal Thai Police.
- The campaign employs seemingly legitimate documents featuring FBI content.
- Malware execution is achieved through a shortcut file leading to the Yokai backdoor.
- The shared rar file is titled “Very urgent, please join the cooperation project to train the FBI course.rar”.
- Phishing emails are likely the initial delivery method for the rar file.
- The shortcut file executes ftp.exe to run commands from a disguised PDF file.
- Commands manipulate files within the system, including moving malicious executables.
- The Trojanized executable, PrnInstallerNew.exe, is designed to evade detection.
- The malware persists by creating a registry key for automatic execution.
- Geolocation checks ensure the malware operates specifically within Thailand.
- Mustang Panda has a history of targeting Thai officials and using similar intrusion techniques.
- Cyber operations in Thailand reflect heightened geopolitical tensions and competition.
MITRE Techniques :
- T1574.002 – Hijack Execution Flow: DLL Side-Loading
- T1071.001 – Application Layer Protocol: Web Protocols
- T1059.003 – Command and Scripting Interpreter: Windows Command Shell – Executes commands embedded in the fake PDF.
- T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – The malware adds itself to the registry to run at login.
- T1113 – File and Directory Discovery: File and Directory Discovery – Manipulates files in $Recycle.bin.
- T1027 – Obfuscated Files or Information – Uses dynamic API resolution to evade detection.
- T1036 – Masquerading – The malicious files are disguised as legitimate documents.
- T1560.001 – Archive Collected Data: Archive via Utility – The malware archives data movement through FTP.
- T1027.007 – Dynamic API Resolution – The malware constructs API calls dynamically.
Indicator of Compromise :
- [File Name] ด่วนมาก เชิญเข้าร่วมโครงการความร่วมมือฝึกอบรมหลักสูตร FBI.rar
- [File Name] ด่วนมาก เชิญเข้าร่วมโครงการความร่วมมือฝึกอบรมหลักสูตร FBI.docx
- [File Name] ด่วนมาก เชิญเข้าร่วมโครงการความร่วมมือฝึกอบรมหลักสูตร FBI.docx.lnk
- [File Name] PrnInstallerNew.exe
- [IP Address] 154[.]90[.]47[.]77
Full Story: https://www.cadosecurity.com/blog/chinese-apt-target-royal-thai-police-in-malware-campaign