Cloud Incident Response Blog | Cado Security

Chinese APT Target Royal Thai Police in Malware Campaign

Written by Cado Security Labs | Feb 25, 2025 2:37:02 PM

Cado Security Labs have identified a malware campaign targeting the Royal Thai Police. The campaign uses seemingly legitimate documents with FBI content to deliver a shortcut file that eventually results in Yokai backdoor being executed and persisting on the victim system. The activity observed in this campaign is consistent with the Chinese APT group Mustang Panda.

Technical Analysis

The initial file is a rar archive named ด่วนมาก เชิญเข้าร่วมโครงการความร่วมมือฝึกอบรมหลักสูตร FBI.rar (English: Very urgent, please join the cooperation project to train the FBI course.rar). While the initial access is unknown, it is highly likely to have been delivered via phishing email. Inside the rar file is a LNK (shortcut) file ด่วนมาก เชิญเข้าร่วมโครงการความร่วมมือฝึกอบรมหลักสูตร FBI.docx.lnk, disguised PDF file and folder named $Recycle.bin.

The shortcut file executes ftp.exe (File Transfer Protocol), which then processes the commands inside the disguised PDF file as a FTP script. FTP scripts are automated scripts that execute a sequence of FTP commands. 

C:\\Windows\\System32\\ftp.exe -s:"แบบตอบรับ.pdf",File size: 58880 File attribute flags: 0x00000020 Drive type: 3 Drive serial number: 0x444b74c2 Volume label:  Local path: C:\\Windows\\System32\\ftp.exe cmd arguments: -s:"แบบตอบรับ.pdf" Relative path: ..\\Windows\\System32\\ftp.exe Icon location: .\\file.docx Link target: <My Computer> C:\\Windows\\System32\\C:\Windows\System32\ftp.exe

แบบตอบรับ.pdf (english: Response form.pdf) is a fake PDF file containing Windows commands that are executed by cmd.exe. The PDF does not need to be opened by the victim, however if they do the document looks like a response form. 

 

แบบตอบรับ.pdf (english: Response form.pdf)

Commands embedded inside the fake PDF file

These commands move the docx file from the extracted $Recycle.bin folder to the main folder replacing the LNK with the decoy docx file. The “PDF” file in the extracted $Recycle.bin folder is moved to c:\programdata\PrnInstallerNew.exe and executed. 

 

Inside $Recycle.bin folder

 

Decoy docx file ด่วนมาก เชิญเข้าร่วมโครงการความร่วมมือฝึกอบรมหลักสูตร FBI.docx (english:Very urgent, please join the cooperative training project for the FBI course.docx)

 

The decoy document replaces the shortcut file after it removes itself to remove traces of the infection. The document is not malicious.

File: PrnInstallerNew.exe

MD5: 571c2e8cfcd1669cc1e196a3f8200c4e

PrnInstallerNew.exe is a 32-bit executable that is a trojanized version of PDF-XChange Driver Installer, a PDF printing software. The malware dynamically resolves calls through GetProcAddress(), storing them in a struct, to evade detection. Malware often avoids hardcoding API function names by constructing them dynamically at runtime, making detection by security tools more difficult. Instead of directly referencing functions like send(), the malware stores individual characters in an array and assembles the function name letter by letter before resolving it with GetProcAddress(). This technique helps bypass security tools, as they scan for known API names within a binary. Once the function name is constructed, it is passed to GetProcAddress(), which retrieves the function's memory address, allowing the malware to execute it indirectly without exposing API calls in their import tables. To enable persistence, the binary adds itself as a registry key “MYAccUsrSysCmd_9EBC4579851B72EE312C449C” in HKEY_CurrentUser/Software/Windows/CurrentVersion/Run; which will cause the malware to execute when the user logs in. 

Registry key added

Additionally, a mutex “MutexHelloWorldSysCmd007” is created, presumably to check for an already running instance. 

Mutex created

After dynamically resolving ws_32.dll, the Windows library for sockets, the malware connects to the IP 154[.]90[.]47[.]77 over TCP Port 443. Using the connect() function, the victim’s location is checked via IP as the malware is geo-locked to Thailand. This IP has been used in campaigns targeting Thai officials, as previously reported by Netskope.

 

As observed with Yokai backdoor, the hostname is sent to the C2 which will return commands after the validation is satisfied. 

Attribution 

The targeting of the Thai police appears to have been part of a greater campaign targeting Thai officials in the last months of last year. However, targeting of the Thai government is not new as groups, such as Chinese APT groups Mustang Panda and CerenaKeeper have been targeting Thailand for years. 

Mustang Panda are a China based APT group who have been active since at least 2014 and tend to target governments and NGOs in Asia, Europe and the United States for espionage. Recent Mustang Panda campaigns have used similar lures against governments, with similar techniques with decoy documents and shortcut files. While not observed in this campaign, Mustang Panda frequently uses DLL Sideloading to execute malicious payloads under legitimate processes, as observed in Netskope’s research. Instead of DLL Sideloading, this version instead has trojanized a legitimate application. Interestingly one of the reported binaries by Netskope contains code overlap with WispRider, a self propagating USB malware used by Mustang Panda.

 

 

Key Takeaways

The persistent targeting of Thailand by Chinese APT groups highlights the landscape of cyber espionage in Southeast Asia. As geopolitical tensions and economic competition intensify, Thailand remains a critical focal point for cyber operations aimed at intelligence gathering, political influence, and economic advantage. To mitigate these threats, organizations and government agencies must prioritize robust cybersecurity measures, threat intelligence sharing, and regional cooperation. 

 

IOCs

md5

filename

B73f59eb689214267ae2b39bd52c33c6

ด่วนมาก เชิญเข้าร่วมโครงการความร่วมมือฝึกอบรมหลักสูตร FBI.rar

0b88f13e40218fcbc9ce6e1079d45169

ด่วนมาก เชิญเข้าร่วมโครงการความร่วมมือฝึกอบรมหลักสูตร FBI.docx 

87393d765abd8255b1d2da2d8dc2bf7f

ด่วนมาก เชิญเข้าร่วมโครงการความร่วมมือฝึกอบรมหลักสูตร FBI.docx.lnk

571c2e8cfcd1669cc1e196a3f8200c4e

PrnInstallernew.exe

154[.]90[.]47[.]77

C2

 

MITRE ATTACK

ID

Technique

Technique ID

Technique Name

T1574.002

Hijack Execution Flow: DLL Side-Loading

T1071.001

Application Layer Protocol: Web Protocols

T1059.003

Command and Scripting Interpreter: Windows Command Shell

T1547.001

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

T1113

File and Directory Discovery: File and Directory Discovery

T1027

Obfuscated Files or Information

T1036

Masquerading

T1560.001

Archive Collected Data: Archive via Utility

T1027.007

Dynamic API Resolution

 

Want to learn more about the Cado Platform? Contact us to meet with a member of the team.