Security researchers from ESET have found a brand new custom backdoor they dubbed MQsTTang and attributed it to the advanced persistent threat (APT) group known as Mustang Panda.
Writing in an advisory published on March 2, 2023, ESET malware researcher Alexandre Côté Cyr explained that the new backdoor is part of an ongoing campaign the company traced back to early January.
“Unlike most of the group’s malware, MQsTTang doesn’t seem to be based on existing families or publicly available projects.”
Côté Cyr also highlighted that while Mustang Panda is known for its Korplug variants (AKA PlugX) and elaborate loading chains, MQsTTang is a comparatively simpler piece of malware.
“In a departure from the group’s usual tactics, MQsTTang has only a single stage and doesn’t use any obfuscation techniques,” the malware expert wrote. It is also distributed in RAR archives that only contain a single executable.
“These archives are hosted on a web server with no associated domain name. This fact, together with the filenames, leads us to believe that the malware is spread via spear phishing.”
As the name implies, the backdoor leverages the Message Queuing Telemetry Transport (MQTT) protocol, usually used for communication between IoT devices and their controllers, for C&C communication.
“One of MQTT’s benefits is that it hides the rest of [its] infrastructure behind a broker. Thus, the compromised machine never communicates directly with the C&C server,” Côté Cyr wrote.
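The broker-in-the-middle property described above is also what a defender can pivot on: the victim never talks to the C&C server, but its first packet to the broker is an ordinary MQTT CONNECT, and a workstation opening one toward an external broker is unusual. The Python below is added here as an example and is not code from ESET's advisory or from the malware itself. It parses an MQTT CONNECT packet (v3.1.1 and v5 framing) from a captured TCP payload and flags CONNECTs initiated by hosts whose inventory role does not normally speak MQTT. The asset roles, IP addresses, and sample packets are constructed for the example.

```python
import struct

MQTT_CONNECT = 1                       # control packet type in the high nibble of byte 0
PROTOCOL_NAMES = {b"MQTT", b"MQIsdp"}  # v3.1.1/v5 name and the legacy v3.1 name
MQTT_SPEAKING_ROLES = {"iot-device", "mqtt-broker"}  # assumed inventory roles allowed to use MQTT


def decode_remaining_length(data, offset):
    """Decode MQTT's variable-length 'remaining length'; return (value, next_offset)."""
    value, multiplier = 0, 1
    for _ in range(4):
        if offset >= len(data):
            raise ValueError("truncated remaining length")
        byte = data[offset]
        offset += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset
        multiplier *= 128
    raise ValueError("malformed remaining length")


def encode_remaining_length(n):
    """Inverse of decode_remaining_length, used only to build sample packets."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def read_utf8_string(data, offset):
    """Read a 2-byte length-prefixed string; return (bytes, next_offset)."""
    if offset + 2 > len(data):
        raise ValueError("truncated string length")
    (length,) = struct.unpack_from(">H", data, offset)
    offset += 2
    if offset + length > len(data):
        raise ValueError("truncated string")
    return data[offset:offset + length], offset + length


def parse_mqtt_connect(payload):
    """Return CONNECT fields as a dict, or None if the payload is not an MQTT CONNECT."""
    if len(payload) < 2 or payload[0] >> 4 != MQTT_CONNECT:
        return None
    remaining, offset = decode_remaining_length(payload, 1)
    if offset + remaining > len(payload):
        raise ValueError("truncated packet")
    body = payload[:offset + remaining]
    proto_name, offset = read_utf8_string(body, offset)
    if proto_name not in PROTOCOL_NAMES:
        return None
    level, flags = body[offset], body[offset + 1]
    (keep_alive,) = struct.unpack_from(">H", body, offset + 2)
    offset += 4
    if level >= 5:                      # MQTT 5 inserts a properties block; skip it
        props_len, offset = decode_remaining_length(body, offset)
        offset += props_len
    client_id, offset = read_utf8_string(body, offset)
    info = {"protocol": proto_name.decode(), "level": level, "keep_alive": keep_alive,
            "client_id": client_id.decode("utf-8", "replace"), "username": None}
    if flags & 0x04:                    # will flag: skip will properties (v5), topic and message
        if level >= 5:
            props_len, offset = decode_remaining_length(body, offset)
            offset += props_len
        _, offset = read_utf8_string(body, offset)
        _, offset = read_utf8_string(body, offset)
    if flags & 0x80:                    # username flag
        user, offset = read_utf8_string(body, offset)
        info["username"] = user.decode("utf-8", "replace")
    return info


def mqtt_connect_alerts(flows, asset_roles):
    """flows: (src_host, dst_host, dst_port, first_client_payload) tuples.
    Returns an alert for every MQTT CONNECT sent by a host whose role should not use MQTT."""
    alerts = []
    for src, dst, dport, payload in flows:
        try:
            info = parse_mqtt_connect(payload)
        except ValueError:              # malformed bytes: not MQTT we can judge
            continue
        if info is None:
            continue
        role = asset_roles.get(src, "unknown")
        if role not in MQTT_SPEAKING_ROLES:
            alerts.append({"src": src, "dst": dst, "dport": dport, "role": role, **info})
    return alerts


def build_connect(client_id, level=4, keep_alive=60):
    """Build a minimal CONNECT (clean session, no will, no credentials) as constructed sample input."""
    body = struct.pack(">H", 4) + b"MQTT" + bytes([level, 0x02]) + struct.pack(">H", keep_alive)
    if level >= 5:
        body += b"\x00"                 # empty v5 properties block
    body += struct.pack(">H", len(client_id)) + client_id
    return bytes([MQTT_CONNECT << 4]) + encode_remaining_length(len(body)) + body


# Constructed sample data: an external broker at 203.0.113.10 (TEST-NET-3) and two internal hosts.
SAMPLE_ASSETS = {"10.0.0.21": "workstation", "10.0.0.50": "iot-device"}
SAMPLE_FLOWS = [
    ("10.0.0.21", "203.0.113.10", 1883, build_connect(b"host-01")),            # workstation -> broker
    ("10.0.0.50", "203.0.113.10", 1883, build_connect(b"sensor-7", level=5)),  # IoT device -> broker
    ("10.0.0.21", "203.0.113.10", 80, b"GET / HTTP/1.1\r\n"),                  # not MQTT at all
]

if __name__ == "__main__":
    for alert in mqtt_connect_alerts(SAMPLE_FLOWS, SAMPLE_ASSETS):
        print(alert)
```

Only the workstation's CONNECT produces an alert; the IoT device's session is expected and the HTTP request is ignored. The parser keys on the protocol name rather than on port 1883 so that a broker reached on a non-standard port or over a TLS-terminating proxy is still recognised once the cleartext is available.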
Regarding targets, the researcher said Mustang Panda used the new backdoor to infect unknown entities in Australia and Bulgaria, as well as a governmental institution in Taiwan.
“However, due to the nature of the decoy filenames used, we believe that political and governmental organizations in Europe and Asia are also being targeted,” read the ESET advisory, adding that the group previously targeted organizations in the EU area.
The research comes two after the EU Agency for Cybersecurity (ENISA) released a publication warning member states against several Chinese APTs, including Mustang Panda.