Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

APT

MQsTTang, a new backdoor used by Mustang Panda APT against European entities

China-Linked Mustang Panda APT employed MQsTTang backdoor as part of an ongoing campaign targeting European entities. China-linked Mustang Panda APT group has been observed using a new backdoor, called MQsTTang, in attacks aimed at European entities. The hacking campaign began in January 2023, ESET researchers pointed out that the custom backdoor MQsTTang is not based on existing families […]

Mustang Panda APT employed MQsTTang backdoor

China-Linked Mustang Panda APT employed MQsTTang backdoor as part of an ongoing campaign targeting European entities.

China-linked Mustang Panda APT group has been observed using a new backdoor, called MQsTTang, in attacks aimed at European entities.

The hacking campaign began in January 2023, ESET researchers pointed out that the custom backdoor MQsTTang is not based on existing families or publicly available projects.

The researchers targeted entities in Bulgaria, Australia and a governmental institution in Taiwan. However, the decoy filenames used by the threat actors suggest that have also targeted political and governmental organizations in Europe and Asia. 

Mustang Panda is known for its customized Korplug backdoor (aka PlugX), but the recent discovery demonstrates that the group is expanding its arsenal.

Some of the attack infrastructure used in this campaign also matches the network fingerprint of infrastructure used by Mustang Panda in the past.

“One of the servers used in the current campaign was running a publicly accessible anonymous FTP server that seems to be used to stage tools and payloads. In the /pub/god directory of this server there are multiple Korplug loaders, archives, and tools that were used in previous Mustang Panda campaigns.” reads the analysis published by ESET.

MQsTTang supports common backdoor capabilities, one of its hallmarks is the use of the MQTT protocol for C&C communication. The MQTT protocol is typically used for communication between IoT devices and controllers, the experts noticed that hasn’t been used in many publicly documented malware families.

The encoding scheme used by the threat actors is the same for every communication. The MQTT message’s payload is a JSON object with a single attribute named msg. The value of this attribute is generated by first encoding in base64 the actual content, then it is XORed with the hardcoded string nasa, and base64 encoded again.

Mustang Panda APT employed MQsTTang backdoor

The backdoor is distributed in RAR archives containing only a single executable. The attackers used executables having names related to Diplomacy and passports such as “CVs Amb Officer PASSPORT Ministry Of Foreign Affairs.exe”, “Documents members of delegation diplomatic from Germany.Exe”, “PDF_Passport and CVs of diplomatic members from Tokyo of JAPAN.eXE”, “Note No.18-NG-23 from Embassy of Japan.exe.”

The researchers noticed that the MQsTTang backdoor has only a single stage and doesn’t use any obfuscation techniques.

The malware maintains persistence using a specific task to create a new value qvlc set to c:\users\public\vcall.exe under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key.

“This new MQsTTang backdoor provides a kind of remote shell without any of the bells and whistles associated with the group’s other malware families. However, it shows that Mustang Panda is exploring new technology stacks for its tools.” concludes the report. “It remains to be seen whether this backdoor will become a recurring part of the group’s arsenal, but it is one more example of the group’s fast development and deployment cycle.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Mustang Panda)