Heimdal
article featured image

Contents:

This year, the Chinese cyberespionage group Mustang Panda began deploying a new custom backdoor named ‘MQsTTang’ in attacks.

This advanced persistent threat (APT), also known as TA416 and Bronze President, targets organizations worldwide with customized versions of PlugX malware.

In January 2023, ESET researchers discovered MQsTTang as part of a campaign targeting government and political organizations in Europe and Asia, mainly Taiwan and Ukraine. Mustang Panda’s new backdoor malware does not appear to be based on previous malware, indicating it was developed to avoid detection.

The New Backdoor

The malware is distributed through spear-phishing emails, while the payloads are downloaded from GitHub repositories created by previous Mustang Panda campaign participants. Furthermore, in the malware, an executable is compressed inside RAR archives, given names with a diplomatic theme, such as passport scans, or embassy notes.

The threat actor can execute commands remotely on the victim’s machine using MQsTTang, according to ESET.

How It Works

Upon launching, the malware creates a copy of itself with a command line argument that initiates C2 communications and establishes persistence. This happens by adding a new registry key under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run,” which launches the malware at system startup. After reboot, only the C2 communication task is executed.

Execution graph showing the subprocesses and executed tasks

Source

The new backdoor uses the MQTT protocol for command-and-control server communications, which is unusual. The MQTT protocol makes the malware more resilient to C2 takedowns, hides the attacker’s infrastructure by passing all communications through a broker, and makes it less likely to be detected by defenders checking for more commonly used C2 protocols.

As BleepingComputer reports, in order to evade detection MQsTTang checks for the presence of debuggers or monitoring tools on the host, and if any are found, it changes its behavior accordingly.

Analysts reported heavy targeting against Australian, Japanese, Taiwanese, and Philippine organizations between March and October 2022. ESET spotted three malware strains in that campaign, namely PubLoad, ToneIns, and ToneShell, which aren’t present in the 2023 campaign.

If you liked this article, follow us on LinkedInTwitterFacebook, and YouTube, for more cybersecurity news and topics.

Author Profile

Mihaela Popa

COMMUNICATIONS & PR OFFICER

Mihaela is a digital content creator for Heimdal® and the proud owner of an old soul and a curious mind. Passionate to learn and discover more about cybersecurity, she will gladly share her latest finds with you.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE