The China-aligned Mustang Panda actor has been observed using a hitherto unseen custom tailgate called MQsTTang as part of an ongoing social engineering campaign that began in January 2023.
“Unlike most of the group’s malware, MQsTTang does not appear to be based on existing families or publicly available projects,” said ESET researcher Alexandre Côté Cyr in a new report.
Chains of attacks orchestrated by the group have intensified attacks against European entities in the wake of Russia’s full-scale invasion of Ukraine last year. The victimology of the current activity is unclear, but the Slovak cybersecurity company said the names of the decoy files are in line with the group’s previous campaigns targeting European political organizations.
That said, ESET also observed attacks against unknown entities in Bulgaria and Australia, as well as a government institution in Taiwan, indicating a broader focus in Europe and Asia.
Mustang Panda has a history of using a remote access Trojan dubbed PlugX to achieve its goals, though recent intrusions have seen the group expand its malware arsenal to include custom tools like TONEINS, TONASHELL, and PUBLOAD.
In December 2022, Avast revealed another set of attacks targeting government agencies and political NGOs in Myanmar that led to the leak of sensitive data, including email dumps, files, court hearings, interrogation reports, and meeting transcripts, using a PlugX variant called Hodur. and a Google Drive upload utility.
In addition, an FTP server linked to the threat actor was found to host a variety of previously undocumented tools used to distribute malware to infected devices, including a Go-based Trojan named JSX and a sophisticated backdoor named HT3.
The development of MQsTTang points to a continuation of that trend, even if it is a single-stage “barebone” backdoor without any obfuscation techniques that allow arbitrary commands received from a remote server to be executed.
However, an unusual aspect of the implant is the use of an IoT messaging protocol called MQTT for command and control (C2) communications, which is achieved using an open source library called QMQTT, an MQTT client for the cross-platform application Qt. structure.
The initial intrusion vector for attacks is spear-phishing, with MQTT distributed via RAR files containing a single executable that includes diplomatic-themed filenames (eg, “PDF_Passport and CV of diplomatic members from Tokyo from JAPAN.eXE”).
“This new MQsTTang backdoor provides a kind of remote shell without any of the bells and whistles associated with the other malware families in the group,” said Côté Cyr. “However, it does show that Mustang Panda is exploring new technologies for its tools.”
The findings come days after Symantec revealed a cyber espionage operation carried out by the Chinese state group APT41 (also known as Bario, Blackfly or Wicked Panda) targeting two subsidiaries of an Asian conglomerate in the materials and composites sector. .
