Security researchers from ESET have discovered a new custom backdoor they dubbed MQsTTang and attributed it to the advanced persistent threat (APT) group known as Mustang Panda.
Writing in an advisory published on March 2, 2023, ESET malware researcher Alexandre Côté Cyr explained that the new backdoor is part of an ongoing campaign the company traced back to early January.
“Unlike most of the group’s malware, MQsTTang doesn’t seem to be based on existing families or publicly available projects.”
Côté Cyr also highlighted that while Mustang Panda is known for its Korplug (aka PlugX) variants and elaborate loading chains, MQsTTang is a comparatively simpler piece of malware.
“In a departure from the group’s usual tactics, MQsTTang has only a single stage and does not use any obfuscation techniques,” the malware expert wrote. It is also distributed in RAR archives that contain only a single executable.
“These archives are hosted on a web server with no associated domain name. This fact, together with the filenames, leads us to believe that the malware is spread via spear phishing.”
As the name implies, the backdoor leverages the Message Queuing Telemetry Transport (MQTT) protocol, typically used for communication between IoT devices and controllers, for C&C communication.
“One of MQTT’s benefits is that it hides the rest of [its] infrastructure behind a broker. Thus, the compromised machine never communicates directly with the C&C server,” Côté Cyr wrote.
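Because the implant talks only to a broker, the C&C server itself never shows up in network logs; what a defender can still see is an ordinary workstation opening MQTT sessions to a broker outside the network. The script below is an added example written for this article (it is not ESET's code and not derived from the MQsTTang sample): it parses a constructed connection log, flags internal hosts that are not on a hypothetical IoT allowlist yet connect to external brokers on the standard MQTT ports, and, since MQTT can run on any port, also recognises an MQTT CONNECT packet in a captured payload. The log format, the 10.0.0.0/8 internal range, the allowlist and all addresses are assumptions for the example.

```python
"""Spot workstations speaking MQTT to external brokers (added illustration, not ESET's code)."""
import ipaddress

MQTT_PORTS = {1883, 8883}                      # plaintext and TLS MQTT; 8883 payloads are not inspectable
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range for this example
IOT_ALLOWLIST = {"10.0.5.20"}                  # hypothetical hosts expected to speak MQTT (sensors etc.)

# Constructed sample connection records: ts src_ip src_port dst_ip dst_port proto
SAMPLE_CONN_LOG = """\
1677700000.1 10.0.5.20 50123 10.0.5.1 1883 tcp
1677700001.4 10.0.12.77 50200 203.0.113.45 1883 tcp
1677700002.9 10.0.12.77 50201 198.51.100.9 443 tcp
1677700003.2 10.0.12.88 50300 203.0.113.45 8883 tcp
"""

# Constructed MQTT 3.1.1 CONNECT packet: type 0x10, remaining length 12,
# protocol name "MQTT", level 4, clean-session flag, keepalive 60, empty client id.
SAMPLE_CONNECT = b"\x10\x0c\x00\x04MQTT\x04\x02\x00\x3c\x00\x00"


def parse_conn_log(text):
    """Turn whitespace-separated connection lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto = line.split()
        records.append({"ts": float(ts), "src_ip": src, "src_port": int(sport),
                        "dst_ip": dst, "dst_port": int(dport), "proto": proto})
    return records


def flag_mqtt_egress(records, allowlist=IOT_ALLOWLIST):
    """Return (src, dst, port) for non-allowlisted internal hosts reaching external MQTT ports."""
    hits = []
    for r in records:
        external = ipaddress.ip_address(r["dst_ip"]) not in INTERNAL_NET
        if (r["proto"] == "tcp" and r["dst_port"] in MQTT_PORTS
                and external and r["src_ip"] not in allowlist):
            hits.append((r["src_ip"], r["dst_ip"], r["dst_port"]))
    return hits


def is_mqtt_connect(payload: bytes) -> bool:
    """True if payload begins with an MQTT CONNECT control packet (type 1), on any port."""
    if len(payload) < 2 or payload[0] & 0xF0 != 0x10:
        return False
    # Remaining length is a variable-length integer of at most four bytes.
    i, multiplier = 1, 1
    while True:
        if i >= len(payload) or i > 4:
            return False
        b = payload[i]
        multiplier *= 128
        i += 1
        if b & 0x80 == 0:
            break
    if i + 2 > len(payload):
        return False
    name_len = int.from_bytes(payload[i:i + 2], "big")
    name = payload[i + 2:i + 2 + name_len]
    return name in (b"MQTT", b"MQIsdp")       # v3.1.1/v5 and v3.1 protocol names


if __name__ == "__main__":
    for src, dst, port in flag_mqtt_egress(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"MQTT egress from non-IoT host {src} -> {dst}:{port}")
    print("sample payload is MQTT CONNECT:", is_mqtt_connect(SAMPLE_CONNECT))
```

In the constructed log the sensor on 10.0.5.20 is ignored, the HTTPS connection is ignored, and the two workstations reaching an external broker on 1883 and 8883 are reported; the port-based rule is cheap but blind to brokers on non-standard ports, which is what the CONNECT check on captured plaintext payloads covers.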
Regarding targets, the researcher said Mustang Panda used the new backdoor to infect unknown entities in Australia and Bulgaria, as well as a governmental institution in Taiwan.
“However, due to the nature of the decoy filenames used, we believe that political and governmental organizations in Europe and Asia are also being targeted,” read the ESET advisory, adding that the group had previously targeted organizations in the EU region.
The analysis comes two after the EU Agency for Cybersecurity (ENISA) released a publication warning member states about several Chinese APTs, including Mustang Panda.