Mustang Panda Group Side Loading DLL



SonicWall, Capture Labs Threat Research Team; observed new activity from MUSTANG PANDA, using a unique infection chain related to the PlugX Trojan. The legitimate vulnerable binary is part of Adobe’s Suite which will load any library named “hex.dll”.

Sample 1st Layer, Static Information:

Looking at the first layer in CFF Explorer, checking for corruption. The first layer is a Win32 binary.

Command-Line Static Information:

Extracted Files From Binary:

Side-Loaded DLL: hex.dll

HTTP Network Artifacts:


Dynamic Artifacts:

Loaded Modules:

  • See hex.dll in the list.


  • Command-Line String Used: “C:\ProgramData\AAM Updatesnnk\AAM Updates.exe” 862
  • Autostart string active

Process Security:

Setting SeDebugPrivilege gives you the ability to start using hacking techniques used in malware. By default, users can debug only processes that they own. In order to debug processes owned by other users, you have to possess the SeDebugPrivilege privilege. Once this privilege is granted you gave away the farm. This allows code injection.

  • SeDebugPrivilege

CreateFile Artifacts:

  • Folder Created: AAM updatesnnk

Hex DLL Static Information

Side-Loaded DLL Exports:


The malware author tries to hide the loading of Kernel32 dll, However you can see it within a debugger. This slow loading one character at a time is needed to bypass signature filters. You can also see the junkcode between the characters of Kernel32 dll. It’s always interesting to watch how malware authors bypass signature enforcement within their shellcode.

Decryption of Shellcode:

IDA Pro View of Algorithm:

Whats inside the encrypted buffer after it’s decrypted:

SonicWall, (GAV) Gateway Anti-Virus, provides protection against this threat:

  • GAV: Mustang.PAN (Trojan)


Sample Hash: c56ac01b3af452fedc0447d9e0fe184d093d3fd3c6631aa8182c752463de570c

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.