The China-aligned Mustang Panda actor has been observed using a hitherto unseen custom backdoor called MQsTTang as part of an ongoing social engineering campaign that commenced in January 2023.
“Unlike most of the group’s malware, MQsTTang doesn’t seem to be based on existing families or publicly available projects,” ESET researcher Alexandre Côté Cyr said in a new report.
Attack chains orchestrated by the group have stepped up targeting of European entities in the wake of Russia’s full-scale invasion of Ukraine last year. The victimology of the current activity is unclear, but the Slovak cybersecurity company said the decoy filenames are in line with the group’s previous campaigns that target European political organizations.
That said, ESET also observed attacks against unknown entities in Bulgaria and Australia, as well as a governmental institution in Taiwan, indicating focus on Europe and Asia.
Mustang Panda has a history of using a remote access trojan dubbed PlugX for achieving its objectives, although recent intrusions have seen the group expanding its malware arsenal to include custom tools like TONEINS, TONESHELL, and PUBLOAD.
In December 2022, Avast disclosed another set of attacks aimed at government agencies and political NGOs in Myanmar that led to the exfiltration of sensitive data, including email dumps, files, court hearings, interrogation reports, and meeting transcripts, using a PlugX variant called Hodur and a Google Drive uploader utility.
What’s more, an FTP server linked to the threat actor has been found to host a variety of previously undocumented tools used to distribute malware to infected devices, including a Go-based trojan called JSX and a sophisticated backdoor referred to as HT3.
The development of MQsTTang points to a continuation of that trend, even if it’s a “barebones” single-stage backdoor sans any obfuscation techniques that allows for executing arbitrary commands received from a remote server.
However, an unusual aspect of the implant is the use of an IoT messaging protocol called MQTT for command-and-control (C2) communications, which is achieved using an open source library called QMQTT, an MQTT client for the Qt cross-platform application framework.
The initial intrusion vector for the attacks is spear-phishing, with MQTT distributed via RAR archives containing a single executable that features filenames with diplomatic themes (e.g., “PDF_Passport and CVs of diplomatic members from Tokyo of JAPAN.eXE”).
“This new MQsTTang backdoor provides a kind of remote shell without any of the bells and whistles associated with the group’s other malware families,” Côté Cyr said. “However, it shows that Mustang Panda is exploring new technology stacks for its tools.”
