New Backdoor MQsTTang Attributed to Mustang Panda Group

Security firm ESET has discovered a new custom backdoor, named MQsTTang, which it attributes to the Mustang Panda APT group.

Writing in an advisory published March 2, 2023, ESET malware researcher Alexandre Côté Cyr explained that the new backdoor is part of an ongoing campaign that the company dates back to early January.

“Unlike most of the group’s malware, MQsTTang does not appear to be based on an existing family or publicly available project.”

Côté Cyr also emphasized that while Mustang Panda is known for its Korplug variant (AKA PlugX) and elaborate loading chain, MQsTTang is relatively simple malware.

“Unlike the group’s usual tactics, MQsTTang has only one stage and does not use any obfuscation techniques,” writes the malware expert. It is also distributed in RAR archives containing only a single executable.

“These archives are hosted on web servers with no domain name associated with them. This fact, along with the filenames, leads us to believe that the malware was spread via spear phishing.”

As the name suggests, the backdoor uses the Message Queuing Telemetry Transport (MQTT) protocol, typically used for communication between IoT devices and controllers, for its C&C communication.

“One of the benefits of MQTT is that it hides the rest of [its] infrastructure behind the broker. Therefore, a compromised machine never communicates directly with the C&C server,” wrote Côté Cyr.
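Because the implant only ever talks to a broker (MQTT runs over TCP/1883, or 8883 with TLS), a sensor that logs just the destination address sees a connection to a public broker, not to the operator. What remains visible on the wire, when the channel is not wrapped in TLS, are the MQTT control packets themselves: the CONNECT packet carries the client identifier, and each PUBLISH carries the topic name. The parser below is an added example, not ESET's code and not derived from MQsTTang; it decodes MQTT 3.1.1 CONNECT and PUBLISH packets from a raw TCP payload so those fields can be written to a log. The client ID, topic and payload in the sample stream are constructed for the example and do not correspond to any real campaign.

```python
"""Minimal MQTT 3.1.1 control-packet parser for network detection logging.

Added example (not ESET's or the malware's code).  Decodes the fixed header,
CONNECT and PUBLISH packets so a sensor can record client IDs and topics
instead of only "TCP/1883 to some broker".  Sample packets are constructed.
"""
import struct

CONNECT, PUBLISH = 1, 3
PACKET_NAMES = {1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 8: "SUBSCRIBE",
                9: "SUBACK", 12: "PINGREQ", 13: "PINGRESP", 14: "DISCONNECT"}


def _encode_length(n):
    """Encode MQTT's variable-length integer (7 bits per byte, MSB = more)."""
    out = bytearray()
    while True:
        b, n = n % 128, n // 128
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def _remaining_length(buf, pos):
    """Decode the variable-length integer that follows the first header byte."""
    value, multiplier = 0, 1
    for _ in range(4):
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) * multiplier
        if not b & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed remaining length")


def _utf8_string(buf, pos):
    """Read a 2-byte big-endian length-prefixed UTF-8 string."""
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("utf-8"), pos + n


def parse_packet(buf):
    """Parse one control packet; return (type name, fields, bytes consumed)."""
    ptype, flags = buf[0] >> 4, buf[0] & 0x0F
    length, pos = _remaining_length(buf, 1)
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated packet")
    fields = {}
    if ptype == CONNECT:
        proto, pos = _utf8_string(buf, pos)          # "MQTT"
        level, cflags = buf[pos], buf[pos + 1]       # level 4 == MQTT 3.1.1
        keepalive = struct.unpack_from(">H", buf, pos + 2)[0]
        pos += 4
        client_id, pos = _utf8_string(buf, pos)      # first payload field
        fields = {"protocol": proto, "level": level, "keepalive": keepalive,
                  "client_id": client_id,
                  "has_username": bool(cflags & 0x80),
                  "has_password": bool(cflags & 0x40)}
    elif ptype == PUBLISH:
        topic, pos = _utf8_string(buf, pos)
        qos = (flags >> 1) & 0x03
        if qos:
            pos += 2                                  # packet id only for QoS 1/2
        fields = {"topic": topic, "qos": qos, "retain": bool(flags & 1),
                  "payload": buf[pos:end]}
    return PACKET_NAMES.get(ptype, f"TYPE{ptype}"), fields, end


def parse_stream(buf):
    """Split a reassembled TCP payload into consecutive MQTT packets."""
    out, pos = [], 0
    while pos < len(buf):
        name, fields, used = parse_packet(buf[pos:])
        out.append((name, fields))
        pos += used
    return out


def describe(buf):
    """One log line per packet, the form a sensor would emit."""
    lines = []
    for name, f in parse_stream(buf):
        if name == "CONNECT":
            lines.append(f"CONNECT client_id={f['client_id']!r} "
                         f"keepalive={f['keepalive']}s auth={f['has_username']}")
        elif name == "PUBLISH":
            lines.append(f"PUBLISH topic={f['topic']!r} qos={f['qos']} "
                         f"bytes={len(f['payload'])}")
        else:
            lines.append(name)
    return lines


# --- constructed sample traffic (hypothetical client ID and topic) ---------
def build_connect(client_id, keepalive=60, clean_session=True):
    var = (b"\x00\x04MQTT" + b"\x04" + bytes([0x02 if clean_session else 0])
           + struct.pack(">H", keepalive))
    body = var + struct.pack(">H", len(client_id)) + client_id.encode()
    return bytes([CONNECT << 4]) + _encode_length(len(body)) + body


def build_publish(topic, payload, qos=0, retain=False):
    var = struct.pack(">H", len(topic)) + topic.encode()
    if qos:
        var += struct.pack(">H", 1)                   # hypothetical packet id
    body = var + payload
    first = (PUBLISH << 4) | (qos << 1) | int(retain)
    return bytes([first]) + _encode_length(len(body)) + body


SAMPLE = (build_connect("workstation-7f3a", keepalive=30)
          + build_publish("iot/sensor/42", b"hello", qos=1))

if __name__ == "__main__":
    for line in describe(SAMPLE):
        print(line)
```

The point for detection is in the fields the parser surfaces: a CONNECT from a user workstation, rather than from a device inventory entry, to any broker is worth an alert on its own, and client IDs and topic names are the only handles an analyst gets, since the broker's other subscribers (the operator side) are never seen from the victim network. When the broker connection uses TLS on 8883, none of this is visible and the sensor is left with the destination and connection timing alone.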

Regarding targets, the researchers said Mustang Panda used the new backdoor to infect unknown entities in Australia and Bulgaria, as well as government agencies in Taiwan.

“However, due to the nature of the decoy filenames used, we believe that political and governmental organizations in Europe and Asia are also being targeted,” read ESET’s advisory, which noted that the group has previously targeted organizations in the EU region.

The research was published two weeks after the EU Agency for Cybersecurity (ENISA) issued a publication warning member states about several Chinese APTs, including Mustang Panda.
