ESET researchers have analyzed MQsTTang, a custom backdoor that they attribute to the China-aligned Mustang Panda APT group. This backdoor is part of an ongoing campaign that ESET can trace back to early January 2023.
Execution graph showing the subprocesses and executed tasks
Researchers have seen unknown entities in Bulgaria and Australia as targets in their telemetry. They also have information indicating that Mustang Panda is targeting a governmental institution in Taiwan. Because of the nature of the decoy filenames used, researchers believe that political and governmental organizations in Europe and Asia are also being targeted. The Mustang Panda campaign is ongoing as of this writing, and the group has increased its activity in Europe since Russia invaded Ukraine.
“Unlike most of the group’s malware, MQsTTang doesn’t seem to be based on existing families or publicly available projects,” says ESET researcher Alexandre Côté Cyr, who discovered the ongoing campaign.
“This new MQsTTang backdoor provides a kind of remote shell without any of the bells and whistles associated with the group’s other malware families. However, it shows that Mustang Panda is exploring new technology stacks for its tools,” he explains. “It remains to be seen whether this backdoor will become a recurring part of their arsenal, but it is one more example of the group’s fast development and deployment cycle,” concludes Côté Cyr.
Based on their telemetry, researchers can confirm that unknown entities in Bulgaria and Australia are being targeted. In addition, a governmental institution in Taiwan appears to be a target. The victimology is unclear, but the decoy filenames lead ESET to believe that political and governmental organizations in Europe and Asia are also being targeted. This would also be in line with the targeting of the group’s most recent campaigns.
MQsTTang is a barebones backdoor that allows the attacker to execute arbitrary commands on a victim’s machine and capture the output. The malware uses the MQTT protocol for command-and-control communication. MQTT is typically used for communication between IoT devices and controllers, and the protocol has not been used in many publicly documented malware families.
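Because MQTT is normally IoT traffic, an MQTT CONNECT packet leaving an ordinary workstation is a useful triage signal for defenders hunting for C2 channels like the one described above. The following parser is an added example written for this article, not ESET's code or anything recovered from MQsTTang; it decodes the MQTT 3.1.1 fixed header, the variable-length "remaining length" field and the CONNECT fields a network analyst would log, and the sample packet (protocol name, client identifier and keep-alive value) is constructed for illustration.

```python
"""Minimal MQTT 3.1.1 CONNECT parser for network triage (added example)."""
import struct

MQTT_CONNECT = 1  # control packet type lives in the high nibble of byte 0


def decode_remaining_length(data: bytes, offset: int):
    """Decode MQTT's 1-4 byte base-128 varint; return (value, next_offset)."""
    value, multiplier, consumed = 0, 1, 0
    while True:
        if consumed == 4 or offset + consumed >= len(data):
            raise ValueError("malformed remaining length")
        byte = data[offset + consumed]
        value += (byte & 0x7F) * multiplier
        multiplier *= 128
        consumed += 1
        if not byte & 0x80:  # continuation bit clear: last varint byte
            return value, offset + consumed


def parse_connect(packet: bytes) -> dict:
    """Return CONNECT fields worth logging; raise ValueError otherwise."""
    if len(packet) < 2 or packet[0] >> 4 != MQTT_CONNECT:
        raise ValueError("not an MQTT CONNECT packet")
    remaining, pos = decode_remaining_length(packet, 1)
    if pos + remaining > len(packet):
        raise ValueError("truncated packet")
    # Variable header: protocol name (length-prefixed), level, flags, keep-alive
    name_len = struct.unpack_from(">H", packet, pos)[0]
    proto_name = packet[pos + 2:pos + 2 + name_len]
    pos += 2 + name_len
    level, flags, keepalive = struct.unpack_from(">BBH", packet, pos)
    pos += 4
    # Payload starts with the length-prefixed client identifier
    cid_len = struct.unpack_from(">H", packet, pos)[0]
    client_id = packet[pos + 2:pos + 2 + cid_len].decode("utf-8", "replace")
    return {
        "protocol": proto_name.decode("ascii", "replace"),
        "level": level,
        "clean_session": bool(flags & 0x02),
        "keepalive": keepalive,
        "client_id": client_id,
    }


# Constructed sample packet: CONNECT, protocol "MQTT" level 4, clean session,
# keep-alive 60 s, client id "sample-client". Remaining length = 10 + 15 = 25.
SAMPLE_CONNECT = bytes.fromhex(
    "10 19 0004 4d515454 04 02 003c 000d " + "sample-client".encode().hex()
)
```

Feeding captured payloads from an egress sensor through `parse_connect` and alerting when the source is not an IoT or OT asset turns the article's observation about MQTT's unusual role into a concrete detection.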
MQsTTang is distributed in RAR archives that contain only a single executable. These executables typically have filenames related to diplomacy and passports.