The China-aligned Mustang Panda actor has been noticed utilizing a hitherto unseen customized backdoor known as MQsTTang as a part of an ongoing social engineering marketing campaign that commenced in January 2023.
“In contrast to many of the group’s malware, MQsTTang does not appear to be primarily based on current households or publicly accessible tasks,” ESET researcher Alexandre Côté Cyr stated in a brand new report.
Assault chains orchestrated by the group have stepped up concentrating on of European entities within the wake of Russia’s full-scale invasion of Ukraine final 12 months. The victimology of the present exercise is unclear, however the Slovak cybersecurity firm stated the decoy filenames are according to the group’s earlier campaigns that concentrate on European political organizations.
That stated, ESET additionally noticed assaults in opposition to unknown entities in Bulgaria and Australia, in addition to a governmental establishment in Taiwan, indicating deal with Europe and Asia.
Mustang Panda has a historical past of utilizing a distant entry trojan dubbed PlugX for attaining its targets, though current intrusions have seen the group increasing its malware arsenal to incorporate customized instruments like TONEINS, TONESHELL, and PUBLOAD.
In December 2022, Avast disclosed one other set of assaults aimed toward authorities companies and political NGOs in Myanmar that led to the exfiltration of delicate knowledge, together with e-mail dumps, information, court docket hearings, interrogation stories, and assembly transcripts, utilizing a PlugX variant known as Hodur and a Google Drive uploader utility.
What’s extra, an FTP server linked to the risk actor has been discovered to host a wide range of beforehand undocumented instruments used to distribute malware to contaminated units, together with a Go-based trojan known as JSX and a complicated backdoor known as HT3.
The event of MQsTTang factors to a continuation of that pattern, even when it is a “barebones” single-stage backdoor sans any obfuscation methods that enables for executing arbitrary instructions acquired from a distant server.
Nonetheless, an uncommon facet of the implant is using an IoT messaging protocol known as MQTT for command-and-control (C2) communications, which is achieved utilizing an open supply library known as QMQTT, an MQTT shopper for the Qt cross-platform utility framework.
The preliminary intrusion vector for the assaults is spear-phishing, with MQTT distributed by way of RAR archives containing a single executable that options filenames with diplomatic themes (e.g., “PDF_Passport and CVs of diplomatic members from Tokyo of JAPAN.eXE”).
“This new MQsTTang backdoor offers a sort of distant shell with none of the bells and whistles related to the group’s different malware households,” Côté Cyr stated. “Nonetheless, it exhibits that Mustang Panda is exploring new expertise stacks for its instruments.”
