The Chinese cyber espionage group Mustang Panda has been seen deploying a new custom backdoor named ‘MQsTTang’ in attacks that began this year.
Mustang Panda is an advanced persistent threat (APT) group known to target organizations worldwide in data theft attacks using customized versions of the PlugX malware. The threat actors are also tracked as TA416 and Bronze President.
Mustang Panda’s new MQsTTang backdoor does not appear to be based on earlier malware, indicating the hackers likely developed it to evade detection and make attribution harder.
ESET’s researchers discovered MQsTTang in a campaign that started in January 2023 and is still ongoing. The campaign targets government and political organizations in Europe and Asia, with a focus on Taiwan and Ukraine.
The malware is distributed via spear-phishing emails, while the payloads are downloaded from GitHub repositories created by a user associated with earlier Mustang Panda campaigns.
The malware is an executable compressed inside RAR archives, given names with a diplomacy theme, such as scans of passports of members of diplomatic missions, embassy notes, etc.
The new MQsTTang backdoor
ESET characterizes MQsTTang as a “barebones” backdoor that allows the threat actor to execute commands remotely on the victim’s machine and receive their output.
“This new MQsTTang backdoor provides a kind of remote shell without any of the bells and whistles associated with the group’s other malware families,” reads the ESET report.
Upon launch, the malware creates a copy of itself with a command line argument that performs various tasks, such as starting C2 communications, establishing persistence, etc.
Persistence is established by adding a new registry key under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run,” which launches the malware at system startup. After a reboot, only the C2 communication task is executed.
An unusual characteristic of the novel backdoor is its use of the MQTT protocol for command and control server communications.
MQTT gives the malware good resilience to C2 takedowns, hides the attacker’s infrastructure by passing all communications through a broker, and makes it less likely to be detected by defenders looking for more commonly used C2 protocols.
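Because MQTT is rarely on a network team's list of C2 protocols, one practical countermeasure is to recognize MQTT session setup in captured traffic and alert when the broker is not one the organization uses. The following is an added example written for this article, not code from ESET or from the malware: it parses the MQTT CONNECT packet (fixed header, variable-length "remaining length", protocol name, level, keep-alive and client identifier) and flags sessions to brokers outside a hypothetical allowlist; the sample packet and addresses are constructed.

```python
from typing import Optional

# Constructed sample (not a real Mustang Panda artefact): MQTT v3.1.1 CONNECT,
# clean-session flag, 60 s keep-alive, client id "client01".
SAMPLE_CONNECT = bytes.fromhex(
    "10 14 00 04 4d 51 54 54 04 02 00 3c 00 08 63 6c 69 65 6e 74 30 31")

def parse_mqtt_connect(payload: bytes) -> Optional[dict]:
    """Return CONNECT fields if the TCP payload opens an MQTT session, else None."""
    if len(payload) < 2 or payload[0] != 0x10:  # packet type 1, flag nibble 0
        return None
    # Variable-length "remaining length": 7 bits per byte, high bit = continue
    remaining, shift, pos = 0, 0, 1
    while True:
        if pos >= len(payload) or shift > 21:  # truncated or more than 4 bytes
            return None
        byte, pos = payload[pos], pos + 1
        remaining |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            break
    body = payload[pos:pos + remaining]
    if len(body) != remaining or remaining < 2:
        return None  # segment truncated or empty
    name_len = int.from_bytes(body[:2], "big")
    name = body[2:2 + name_len]
    if name not in (b"MQTT", b"MQIsdp"):  # v3.1.1/v5 and v3.1 protocol names
        return None
    p = 2 + name_len
    if len(body) < p + 6:  # level, connect flags, keep-alive, client-id length
        return None
    cid_len = int.from_bytes(body[p + 4:p + 6], "big")
    cid = body[p + 6:p + 6 + cid_len]
    if len(cid) != cid_len:
        return None
    return {"protocol": name.decode(), "level": body[p],
            "keep_alive": int.from_bytes(body[p + 2:p + 4], "big"),
            "client_id": cid.decode("utf-8", "replace")}

def mqtt_c2_alert(payload: bytes, dst_ip: str, dst_port: int,
                  approved_brokers: set) -> Optional[str]:
    """Flag MQTT sessions to brokers outside an allowlist (hypothetical policy)."""
    conn = parse_mqtt_connect(payload)
    if conn is None or dst_ip in approved_brokers:
        return None
    port_note = "" if dst_port in (1883, 8883) else " (non-standard port)"
    return (f"MQTT CONNECT to unapproved broker {dst_ip}:{dst_port}{port_note}; "
            f"v{conn['level']} client_id={conn['client_id']!r}")
```

Feed it the first payload bytes of each new outbound TCP flow (from a packet capture or a network sensor); sessions over TLS on 8883 will not parse, so those should be matched on destination instead.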
To evade detection, MQsTTang checks for the presence of debuggers or monitoring tools on the host, and if any are found, it changes its behavior accordingly.
Another recent Mustang Panda operation was observed between March and October 2022 by analysts at Trend Micro, who reported seeing heavy targeting of Australian, Japanese, Taiwanese, and Philippine organizations.
In that campaign, the threat group used three malware strains, namely PubLoad, ToneIns, and ToneShell, which are not present in the 2023 campaign observed by ESET.
Whether MQsTTang becomes part of the group’s long-term arsenal or was developed specifically for a particular operation remains to be seen.