Targets confirmed in Bulgaria and Australia, and political and government organizations in Europe and Asia are also believed to have been targeted
Researchers at ESET, a global leader in the cybersecurity market, analyzed MQsTTang, a new custom backdoor attributed to the China-aligned APT group Mustang Panda. The backdoor is part of an ongoing campaign that, according to ESET, began in early January 2023. ESET telemetry shows unknown entities in Bulgaria and Australia being targeted, along with an intelligence-gathering effort against a government institution in Taiwan. Given the nature of the decoy filenames used, ESET researchers believe that political and government organizations in Europe and Asia have also been targeted. The Mustang Panda campaign is still ongoing, and the group has ramped up its activity in Europe since Russia's invasion of Ukraine.
“Unlike most of the group's malware, MQsTTang doesn't appear to be based on existing families or publicly available projects,” says Alexandre Côté Cyr, the ESET researcher who identified the current campaign. “This new MQsTTang backdoor provides a sort of remote shell, without any of the advantages and disadvantages associated with the group's other malware families. However, it shows that Mustang Panda is exploring new technology stacks for its tools,” he explains. “It remains to be seen whether this backdoor will become a recurring part of their repertoire, but it is yet another example of the group's rapid development and deployment cycle,” concludes Côté Cyr.
MQsTTang is a simple backdoor that allows the attacker to execute arbitrary commands on the victim's computer and capture its output. The malware uses the MQTT protocol for Command and Control communication. MQTT is typically used for communication between IoT devices and controllers, and the protocol has not been used in many publicly documented malware families. MQsTTang is distributed in RAR archives which contain a single executable. These files usually have names related to diplomacy and passports.
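The point about MQTT being unusual for malware C2 is also the detection angle: MQTT normally stays between IoT devices and their controllers, so an MQTT session initiated by an ordinary user workstation stands out. The following is an added example written for this page, not code from ESET or from the WeLiveSecurity post. It flags MQTT-port connections from hosts that are not in an expected-MQTT-client inventory. The flow-record format, the inventory, and every address in it are constructed for illustration; the ports 1883 (plaintext) and 8883 (TLS) are the IANA-registered MQTT defaults.

```python
"""
Added example (not from the ESET post): flag candidate MQTT command-and-control
sessions in constructed network flow records. MQsTTang uses MQTT for C2, a
protocol normally confined to IoT devices and their controllers, so MQTT
connections opened by ordinary user workstations merit a closer look.
All hosts, ports in the records, and the inventory below are constructed.
"""
from dataclasses import dataclass
from typing import Iterable

# IANA-registered MQTT ports: 1883 plaintext, 8883 over TLS.
MQTT_PORTS = {1883, 8883}

# Hypothetical asset inventory of hosts that are expected to speak MQTT.
# In production this would come from a CMDB or IoT VLAN membership (constructed here).
EXPECTED_MQTT_CLIENTS = {"10.0.50.11", "10.0.50.12"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(lines: Iterable[str]) -> list[Flow]:
    """Parse whitespace-separated 'src dst dport proto' records (constructed format).

    Blank lines and '#' comments are skipped.
    """
    flows: list[Flow] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = line.split()
        flows.append(Flow(src, dst, int(dport), proto.lower()))
    return flows


def suspicious_mqtt(flows: Iterable[Flow], expected=EXPECTED_MQTT_CLIENTS) -> list[Flow]:
    """Return TCP flows to an MQTT port whose source is not an expected MQTT client."""
    return [
        f for f in flows
        if f.proto == "tcp" and f.dport in MQTT_PORTS and f.src not in expected
    ]


# Constructed sample flows: two known IoT clients, one workstation doing normal
# HTTPS plus MQTT over TLS, and another workstation opening plaintext MQTT.
SAMPLE_FLOWS = """
# src            dst             dport proto   (constructed)
10.0.50.11       192.0.2.10      1883  tcp
10.0.20.37       198.51.100.5    8883  tcp
10.0.20.37       198.51.100.20   443   tcp
10.0.50.12       192.0.2.10      1883  tcp
10.0.20.41       203.0.113.9     1883  tcp
""".splitlines()


def run_demo() -> list[str]:
    """Run the check over the constructed sample and return one line per hit."""
    hits = suspicious_mqtt(parse_flows(SAMPLE_FLOWS))
    return [f"{h.src} -> {h.dst}:{h.dport}" for h in hits]


if __name__ == "__main__":
    for hit in run_demo():
        print("MQTT from non-IoT host:", hit)
```

The check is deliberately inventory-driven rather than signature-driven: the malware's broker addresses will change, but a workstation that has no business speaking MQTT is a stable signal, and the same logic applies to any future family that adopts the protocol.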
For more information on the techniques used by MQsTTang, see the post “MQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and MQTT” on WeLiveSecurity.