New Backdoor MQsTTang Attributed to Mustang Panda Group

by admin 0 Comments

Security
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Security researchers from ESET have discovered a new custom backdoor they dubbed MQsTTang and attributed it to the advanced persistent threat (APT) group known as Mustang Panda.

Writing in an advisory published on March 2, 2023, ESET malware researcher, Alexandre Côté Cyr explained the new backdoor is part of an ongoing campaign the company traced back to early January.

“Unlike most of the group’s malware, MQsTTang doesn’t seem to be based on existing families or publicly available projects.”

Côté Cyr also highlighted that while Mustang Panda is known for its Korplug variants (AKA PlugX) and elaborate loading chains, MQsTTang is a relatively simpler piece of malware.

“In a departure from the group’s usual tactics, MQsTTang has only a single stage and doesn’t use any obfuscation techniques,” the malware expert wrote. It is also distributed in RAR archives that only contain a single executable.

“These archives are hosted on a web server with no associated domain name. This fact, along with the filenames, leads us to believe that the malware is spread via spear phishing.”

As the name implies, the backdoor leverages the Message Queuing Telemetry Transport (MQTT) protocol, typically used for IoT device-controllers communication, for C&C communication.

“One of MQTT’s benefits is that it hides the rest of [its] infrastructure behind a broker. Thus, the compromised machine never communicates directly with the C&C server,” Côté Cyr wrote.

Regarding targets, the researcher said Mustang Panda used the new backdoor to infect unknown entities in Australia and Bulgaria, as well as a governmental institution in Taiwan.

“However, due to the nature of the decoy filenames used, we believe that political and governmental organizations in Europe and Asia are also being targeted,” read the ESET advisory, adding that the group previously targeted organizations in the EU area.

The research comes two after the EU Agency for Cybersecurity (ENISA) released a publication warning member states against several Chinese APTs, including Mustang Panda.

This article was originally published by Infosecurity-magazine.com. Read the original article here.
Share on Facebook
Share on Twitter
Share on Pinterest
Share on LinkedIn

Products You May Like

Articles You May Like

US Congress Passes Bill to Ban TikTok
Ring to Pay Out $5.6m in Refunds After Customer Privacy Breach
Okta Warns of Unprecedented Surge in Proxy-Driven Credential Stuffing Attacks
Bitcoin scams, hacks and heists – and how to avoid them
Apache Cordova App Harness Targeted in Dependency Confusion Attack

Leave a Reply

Your email address will not be published. Required fields are marked *