
The China-aligned Mustang Panda actor has been observed using a previously unseen custom backdoor called MQsTTang as part of an ongoing social engineering campaign that began in January 2023.
ESET researcher Alexandre Côté Cyr documented the backdoor in a new report.
Attack chains orchestrated by the group have stepped up against European entities since Russia's full-scale invasion of Ukraine last year. The victims of the current campaign are unknown, but the Slovak cybersecurity firm said the decoy filenames are consistent with the group's previous campaigns targeting political organizations in Europe.
That said, ESET has also observed attacks against unknown entities in Bulgaria and Australia, as well as government agencies in Taiwan, indicating a focus on Europe and Asia.
Mustang Panda has a history of using a remote access trojan called PlugX to achieve its goals, but recent intrusions have seen the group expand its malware arsenal to include custom tools such as TONEINS, TONESHELL, and PUBLOAD.

In December 2022, Avast disclosed another series of attacks targeting government agencies, political parties, and NGOs in Myanmar, in which sensitive data such as email dumps, files, court hearings, interrogation reports, and meeting records were exfiltrated using a PlugX variant called Hodur and a Google Drive uploader utility.
The FTP servers linked to the attackers were also found to host various tools that were distributed to infected devices, including a Go-based trojan called JSX and a sophisticated backdoor called HT3, which had not been documented until then.
The development of MQsTTang shows that this trend continues, even though it is a "barebones" single-stage backdoor that uses no obfuscation techniques and simply executes arbitrary commands received from a remote server.
An unusual aspect of the implant, however, is its use of the IoT messaging protocol MQTT for command-and-control (C2) communication. This is achieved with an open source library called QMQTT, an MQTT client for the Qt cross-platform application framework.
The initial access vector for the attacks is spear-phishing, with MQsTTang distributed via RAR archives that contain a single executable file bearing diplomatic-themed filenames (for example, "PDF_Passport and CVs of Tokyo of JAPAN.eXE").
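Because MQTT is rarely spoken by workstations, an MQTT CONNECT originating from a host that is not a known IoT device is a useful hunting signal for this kind of C2. The following Python is added here as an illustration and is not code from ESET's report or from the malware itself: it builds and parses MQTT 3.1.1 CONNECT packets according to the public specification (fixed header 0x10, variable-length "remaining length", "MQTT" protocol name, connect flags, keep-alive, then client identifier and optional fields) and flags a CONNECT seen from a source host outside an allowlist. The client identifiers, host addresses and allowlist are constructed sample values.

```python
"""Minimal MQTT 3.1.1 CONNECT builder/parser for network-monitoring triage (added example)."""
import struct
from typing import Optional

MQTT_CONNECT = 0x10  # packet type 1 in the high nibble, flags 0 (per MQTT 3.1.1)


def _encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer: 7 bits per byte, 0x80 as continuation bit."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n > 0:
            byte |= 0x80
        out.append(byte)
        if n == 0:
            return bytes(out)


def _decode_remaining_length(data: bytes, offset: int):
    multiplier, value = 1, 0
    while True:
        if offset >= len(data) or multiplier > 128 ** 3:
            return None  # truncated or malformed (more than 4 length bytes)
        byte = data[offset]
        offset += 1
        value += (byte & 0x7F) * multiplier
        multiplier *= 128
        if not byte & 0x80:
            return value, offset


def _utf8_field(s: str) -> bytes:
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _read_utf8(data: bytes, offset: int):
    """Length-prefixed UTF-8 string; returns (text, new_offset) or None if truncated."""
    if offset + 2 > len(data):
        return None
    (n,) = struct.unpack_from(">H", data, offset)
    offset += 2
    if offset + n > len(data):
        return None
    return data[offset:offset + n].decode("utf-8", errors="replace"), offset + n


def build_connect(client_id: str, keep_alive: int = 60, username: Optional[str] = None,
                  password: Optional[str] = None, clean_session: bool = True) -> bytes:
    """Construct a CONNECT packet (used here only to produce sample traffic)."""
    flags = 0x02 if clean_session else 0x00
    if username is not None:
        flags |= 0x80
    if password is not None:
        flags |= 0x40
    var_header = _utf8_field("MQTT") + bytes([4, flags]) + struct.pack(">H", keep_alive)
    payload = _utf8_field(client_id)
    if username is not None:
        payload += _utf8_field(username)
    if password is not None:
        payload += _utf8_field(password)
    body = var_header + payload
    return bytes([MQTT_CONNECT]) + _encode_remaining_length(len(body)) + body


def parse_connect(data: bytes) -> Optional[dict]:
    """Return CONNECT details, or None if the bytes are not a well-formed MQTT 3.1.1 CONNECT."""
    if len(data) < 2 or data[0] != MQTT_CONNECT:
        return None
    rl = _decode_remaining_length(data, 1)
    if rl is None:
        return None
    remaining, off = rl
    if off + remaining > len(data):
        return None
    name = _read_utf8(data, off)
    if name is None or name[0] != "MQTT":
        return None
    _, off = name
    if off + 4 > len(data):
        return None
    level, flags = data[off], data[off + 1]
    (keep_alive,) = struct.unpack_from(">H", data, off + 2)
    off += 4
    cid = _read_utf8(data, off)
    if cid is None:
        return None
    client_id, off = cid
    result = {"protocol_name": "MQTT", "protocol_level": level, "keep_alive": keep_alive,
              "clean_session": bool(flags & 0x02), "client_id": client_id, "password_present": False}
    if flags & 0x04:  # will flag set: skip will topic and will message
        for _ in range(2):
            fld = _read_utf8(data, off)
            if fld is None:
                return None
            _, off = fld
    if flags & 0x80:  # username flag
        fld = _read_utf8(data, off)
        if fld is None:
            return None
        result["username"], off = fld
    if flags & 0x40:  # password flag: note presence, never log the value
        result["password_present"] = _read_utf8(data, off) is not None
    return result


def triage_connect(src_host: str, data: bytes, expected_mqtt_hosts: set) -> Optional[str]:
    """Alert text when a valid CONNECT comes from a host not expected to speak MQTT."""
    info = parse_connect(data)
    if info is None or src_host in expected_mqtt_hosts:
        return None
    return f"MQTT CONNECT from unexpected host {src_host} (client_id={info['client_id']!r})"


if __name__ == "__main__":
    sample = build_connect("implant-01", keep_alive=60)  # constructed sample packet
    print(parse_connect(sample))
    print(triage_connect("10.0.0.5", sample, {"10.0.0.20"}))  # 10.0.0.20 is a constructed IoT allowlist entry
```

Run against the TCP payloads of a capture, the parser recognises MQTT regardless of port, which matters because a C2 broker need not listen on 1883/8883; the allowlist of hosts legitimately running MQTT clients is the tunable part.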
“This new MQsTTang backdoor provides a kind of remote shell without any of the extra functionality associated with other malware families from the group,” said Côté Cyr. “But this shows Mustang Panda is exploring a new tech stack of tools.”