Wednesday 28 September 2022, 15:00 - 15:30
Jono Davis (PwC)
In the world of espionage-motivated threat actors – particularly those based in the Asia Pacific – it is commonplace to see bespoke tactics, techniques, and procedures (TTPs) maintained and evolved over time. This kind of behaviour is exhibited by the threat actor of interest for this talk, one PwC tracks as Red Dev 26, which has been observed targeting military and defence victims in the South China Sea since early 2021 and which continued to display potential interest in neighbouring countries as of August 2022.
Far from being 'another China-based threat actor' that blends into the milieu of the China nexus, however, Red Dev 26 displays a real personality in its malware, using strings that serve no purpose other than 'telling us how it really feels', and occasionally even signalling to malware analysts its awareness that it is being discussed in open source under the name Mustang Panda.
This research starts from the very first observable Red Dev 26 binary and takes the audience through the evolutions the threat actor has adopted over time to make its TTPs both harder to detect and more professional. It also discusses potential weaknesses in the threat actor's thinking that give us – and by extension the audience – an efficient way to track this unique threat actor. We will also analyse where open-source research has overlapped with our own, and explain why we have decided to keep this threat actor as its own entity rather than cluster it under the Mustang Panda umbrella.
Jono Davis
Jonathan (Jono) Davis is a technical researcher within the PwC Global Threat Intelligence team, interested in all things malware. Despite having his focus shifted to the Ransomware-as-a-Service (RaaS) space in recent months, Jono's passion remains firmly with espionage actors emanating from the Asia Pacific, and he has experience reversing binaries from threat actors based all over the continent.