ESET researchers have analyzed MQsTTang, a custom backdoor that they attribute to the China-aligned Mustang Panda APT group. This backdoor is part of an ongoing campaign that ESET can trace back to early January 2023.
Figure: Execution graph showing the subprocesses and executed tasks.
Researchers have observed unknown entities in Bulgaria and Australia as targets in their telemetry. They also have information indicating that Mustang Panda is targeting a governmental institution in Taiwan. Given the nature of the decoy filenames used, researchers believe that political and governmental organizations in Europe and Asia are also being targeted. The Mustang Panda campaign is ongoing as of this writing, and the group has increased its activity in Europe since Russia invaded Ukraine.
“Unlike most of the group’s malware, MQsTTang does not seem to be based on existing families or publicly available projects,” says ESET researcher Alexandre Côté Cyr, who discovered the ongoing campaign.
“This new MQsTTang backdoor provides a kind of remote shell without any of the bells and whistles associated with the group’s other malware families. However, it shows that Mustang Panda is exploring new technology stacks for its tools,” he explains. “It remains to be seen whether this backdoor will become a recurring part of their arsenal, but it is one more example of the group’s rapid development and deployment cycle,” concludes Côté Cyr.
Based on their telemetry, researchers can confirm that unknown entities in Bulgaria and Australia are being targeted. In addition, a governmental institution in Taiwan appears to be a target. The victimology is unclear, but the decoy filenames lead ESET to believe that political and governmental organizations in Europe and Asia are also being targeted. This would also be in line with the targeting of the group’s most recent campaigns.
MQsTTang is a barebones backdoor that allows the attacker to execute arbitrary commands on a victim’s machine and capture the output. The malware uses the MQTT protocol for command-and-control communication. MQTT is commonly used for communication between IoT devices and their controllers, and the protocol has rarely been used in publicly documented malware families.
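Because MQTT is so rarely seen from ordinary workstations, a client opening an MQTT session is a useful hunting signal on its own. The following is an added example written for this article, not ESET's code and not derived from MQsTTang: it parses the MQTT CONNECT packet (the first thing any MQTT client sends) from captured payload bytes and flags flows that open a session. The hostnames, addresses and payloads are constructed.

```python
from typing import Dict, List, Optional, Tuple

def _remaining_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode MQTT's variable-length 'remaining length' field (1-4 bytes, 7 data bits each)."""
    value, shift = 0, 0
    for _ in range(4):
        b = buf[pos]
        value |= (b & 0x7F) << shift
        pos += 1
        if not b & 0x80:  # continuation bit clear: this was the last length byte
            return value, pos
        shift += 7
    raise ValueError("malformed remaining length")

def _utf8_string(buf: bytes, pos: int) -> Tuple[str, int]:
    """Decode an MQTT length-prefixed UTF-8 string (2-byte big-endian length)."""
    n = int.from_bytes(buf[pos:pos + 2], "big")
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def parse_connect(payload: bytes) -> Optional[Dict[str, object]]:
    """Return the CONNECT fields if `payload` starts with an MQTT CONNECT packet, else None."""
    if len(payload) < 2 or payload[0] != 0x10:  # type 1 (CONNECT) in the high nibble, flags 0
        return None
    try:
        length, pos = _remaining_length(payload, 1)
        body = payload[pos:pos + length]
        name, p = _utf8_string(body, 0)
        if name not in ("MQTT", "MQIsdp"):  # v3.1.1/v5 name, and the older v3.1 name
            return None
        client_id, _ = _utf8_string(body, p + 4)  # skip protocol level, connect flags, keep-alive
        return {"protocol": name, "level": body[p],
                "keep_alive": int.from_bytes(body[p + 2:p + 4], "big"), "client_id": client_id}
    except (IndexError, UnicodeDecodeError, ValueError):
        return None  # truncated or not MQTT at all

def flag_mqtt_flows(flows: List[Tuple[str, str, bytes]]) -> List[Tuple[str, str]]:
    """Given (src_host, destination, first client payload) tuples, return the pairs that open an
    MQTT session; on a workstation fleet with no IoT role, each is worth an analyst's look."""
    return [(src, dst) for src, dst, data in flows if parse_connect(data) is not None]

# Constructed sample: CONNECT, protocol "MQTT" level 4, clean session, keep-alive 60 s, client id "abc123".
SAMPLE_CONNECT = (bytes([0x10, 0x12, 0x00, 0x04]) + b"MQTT"
                  + bytes([0x04, 0x02, 0x00, 0x3C, 0x00, 0x06]) + b"abc123")
# Constructed flows from one host: an MQTT session on 1883 and a TLS ClientHello on 443.
FLOWS = [("ws-017", "198.51.100.20:1883", SAMPLE_CONNECT),
         ("ws-017", "198.51.100.21:443", b"\x16\x03\x01\x00\xc8")]
```

The parser deliberately keys on the packet structure rather than the port, since nothing stops a C2 broker from listening somewhere other than 1883 or 8883.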
MQsTTang is distributed in RAR archives that contain only a single executable. These executables typically have filenames related to diplomacy and passports.