New Backdoor MQsTTang Attributed to Mustang Panda Group

Security researchers from ESET have discovered a new custom backdoor they dubbed MQsTTang and attributed it to the advanced persistent threat (APT) group known as Mustang Panda.

Writing in an advisory published on March 2, 2023, ESET malware researcher, Alexandre Côté Cyr explained the new backdoor is part of an ongoing campaign the company traced back to early January.

“Unlike most of the group’s malware, MQsTTang doesn’t seem to be based on existing families or publicly available projects.”

Côté Cyr also highlighted that while Mustang Panda is known for its Korplug variants (AKA PlugX) and elaborate loading chains, MQsTTang is a relatively simpler piece of malware.

“In a departure from the group’s usual tactics, MQsTTang has only a single stage and doesn’t use any obfuscation techniques,” the malware expert wrote. It is also distributed in RAR archives that only contain a single executable.

“These archives are hosted on a web server with no associated domain name. This fact, along with the filenames, leads us to believe that the malware is spread via spear phishing.”

As the name implies, the backdoor leverages the Message Queuing Telemetry Transport (MQTT) protocol, typically used for IoT device-controllers communication, for C&C communication.

“One of MQTT’s benefits is that it hides the rest of [its] infrastructure behind a broker. Thus, the compromised machine never communicates directly with the C&C server,” Côté Cyr wrote.

Regarding targets, the researcher said Mustang Panda used the new backdoor to infect unknown entities in Australia and Bulgaria, as well as a governmental institution in Taiwan.

“However, due to the nature of the decoy filenames used, we believe that political and governmental organizations in Europe and Asia are also being targeted,” read the ESET advisory, adding that the group previously targeted organizations in the EU area.

The research comes two after the EU Agency for Cybersecurity (ENISA) released a publication warning member states against several Chinese APTs, including Mustang Panda.

Articles You May Like

Google flags apps made by popular Chinese e-commerce giant as malware
U.K. National Crime Agency Sets Up Fake DDoS-For-Hire Sites to Catch Cybercriminals
Seed Club Ventures emerges from stealth with $25M fund focused on DAOs
Aspecta nabs $3.5M to build AI-vetted coder profiles
UK Government Sets Out Vision for NHS Cybersecurity

Leave a Reply

Your email address will not be published. Required fields are marked *