A Chinese language-origin Mustang Panda actor has been noticed utilizing a customized backdoor that has by no means been seen earlier than. MQsTTang As a part of an ongoing social engineering marketing campaign launched in January 2023.
ESET researcher Alexandre Côté Cyr says in a brand new report:
The assault chain orchestrated by this group has ramped up assaults focusing on European entities following final yr’s full-blown Russian invasion of Ukraine. Victims of the present marketing campaign are unknown, however the Slovak cybersecurity agency stated the decoy filename matched the group’s earlier campaigns focusing on political organizations in Europe.
That stated, ESET has additionally noticed assaults in opposition to unknown entities in Bulgaria and Australia, in addition to authorities companies in Taiwan, indicating a concentrate on Europe and Asia.
Mustang Panda has a historical past of utilizing a distant entry Trojan referred to as PlugX to attain its targets, however current intrusions have led the group to broaden its malware arsenal, together with TONEINS, TONESHELL, PUBLOAD and others. Now contains customized instruments.
In December 2022, Avast used a PlugX variant referred to as Hodur to leak delicate information equivalent to electronic mail dumps, recordsdata, court docket hearings, interrogation experiences, and assembly data to Myanmar authorities companies and political events. We now have uncovered one other collection of assaults focusing on NGOs. and Google Drive Uploader Utility.
Moreover, FTP servers linked to risk actors have beforehand been documented used to distribute malware to contaminated gadgets, together with a Go-based Trojan referred to as JSX and a complicated backdoor referred to as HT3. It seems that it hosts quite a lot of instruments that I did not find out about.
The event of MQsTTang exhibits that pattern continues, even for “naked” single-stage backdoors that don’t use obfuscation strategies that permit the execution of arbitrary instructions acquired from distant servers.
Nonetheless, an uncommon side of implants is their use of an IoT messaging protocol referred to as MQTT for command and management (C2) communication. That is achieved utilizing an open supply library referred to as QMQTT, his MQTT shopper for Qt cross-platform purposes. Framework.
The assault’s first entry vector is spear phishing, and MQTTs distributed through RAR archives include a single executable file that includes diplomatic-themed filenames (for instance, “PDF_Passport and Resume of a Tokyo Salesperson of JAPAN.eXE”).
“This new MQsTTang backdoor supplies a sort of distant shell with none of the additional performance related to different malware households from the group,” stated Côté Cyr. “Nevertheless it exhibits that the Mustang Panda is exploring a brand new tech stack for its instruments.”