Security researchers from ESET have discovered a new custom backdoor they dubbed MQsTTang and attributed it to the advanced persistent threat (APT) group known as Mustang Panda.
Writing in an advisory published on March 2, 2023, ESET malware researcher Alexandre Côté Cyr explained that the new backdoor is part of an ongoing campaign the company has traced back to early January 2023.
“Unlike most of the group’s malware, MQsTTang doesn’t seem to be based on existing families or publicly available projects.”
Côté Cyr also highlighted that while Mustang Panda is known for its Korplug (AKA PlugX) variants and elaborate loading chains, MQsTTang is a comparatively simple piece of malware.
“In a departure from the group’s usual tactics, MQsTTang has only a single stage and doesn’t use any obfuscation techniques,” the malware expert wrote. It is also distributed in RAR archives that only contain a single executable.
“These archives are hosted on a web server with no associated domain name. This fact, along with the filenames, leads us to believe that the malware is spread via spear phishing.”
As the name implies, the backdoor uses the Message Queuing Telemetry Transport (MQTT) protocol, a lightweight publish/subscribe protocol typically used for communication between IoT devices and their controllers, for its command-and-control (C&C) traffic.
“One of MQTT’s benefits is that it hides the rest of [its] infrastructure behind a broker. Thus, the compromised machine never communicates directly with the C&C server,” Côté Cyr wrote.
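To make the broker-in-the-middle point concrete, the following is an added example (not ESET's code, and not derived from the MQsTTang sample): a minimal MQTT 3.1.1 packet parser plus a hunting rule that flags MQTT CONNECT/PUBLISH traffic from endpoints that have no business speaking the protocol, or to brokers nobody approved. Because the implant only ever talks to the broker, the broker address is the sole network indicator a defender sees, which is exactly why "which hosts speak MQTT, and to whom" is the useful question. The host names, broker addresses, topic name and packet bytes below are all constructed for the example.

```python
"""Minimal MQTT 3.1.1 parser and an MQTT-as-C2 hunting rule.

Example code added for this article; not ESET's tooling and not taken from
any sample. All hosts, brokers, topics and packet bytes are constructed here
to match the MQTT 3.1.1 wire format.
"""
import struct

PACKET_TYPES = {1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 8: "SUBSCRIBE",
                12: "PINGREQ", 14: "DISCONNECT"}

APPROVED_BROKERS = {"10.0.5.20"}     # assumed: the only sanctioned internal broker
IOT_HOSTS = {"hvac-sensor-12"}       # assumed: hosts expected to speak MQTT at all


def _enc_varint(n):
    """Encode MQTT 'remaining length': 7 bits per byte, 0x80 = more bytes follow."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def _varint(buf, pos):
    """Decode 'remaining length' starting at pos; returns (value, next_pos)."""
    value, mult = 0, 1
    for _ in range(4):
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos
        mult *= 128
    raise ValueError("malformed remaining length")


def _enc_str(s):
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def _mqtt_str(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("utf-8"), pos + n


def build_connect(client_id, keepalive=60):
    """CONNECT with clean-session flag, no credentials (constructed test packet)."""
    body = _enc_str("MQTT") + bytes([4, 0x02]) + struct.pack(">H", keepalive) + _enc_str(client_id)
    return bytes([0x10]) + _enc_varint(len(body)) + body


def build_publish(topic, payload):
    """QoS 0 PUBLISH (constructed test packet)."""
    body = _enc_str(topic) + payload
    return bytes([0x30]) + _enc_varint(len(body)) + body


def parse_packet(buf):
    """Describe one MQTT control packet, or return None if buf is not valid MQTT."""
    if len(buf) < 2:
        return None
    ptype, flags = buf[0] >> 4, buf[0] & 0x0F
    if ptype not in PACKET_TYPES or (ptype == 1 and flags != 0):  # CONNECT flags must be 0
        return None
    try:
        rem, pos = _varint(buf, 1)
    except (ValueError, IndexError):
        return None
    if pos + rem != len(buf):        # truncated packet or trailing garbage
        return None
    info = {"type": PACKET_TYPES[ptype]}
    if ptype == 1:                   # CONNECT: protocol name, level, flags, keepalive, client id
        name, pos = _mqtt_str(buf, pos)
        if name not in ("MQTT", "MQIsdp"):
            return None
        info["level"], cflags = buf[pos], buf[pos + 1]
        pos += 2
        info["keepalive"] = struct.unpack_from(">H", buf, pos)[0]
        pos += 2
        info["client_id"], pos = _mqtt_str(buf, pos)
        info["has_username"] = bool(cflags & 0x80)
    elif ptype == 3:                 # PUBLISH: topic, optional packet id, payload
        info["qos"] = (flags >> 1) & 0x03
        info["topic"], pos = _mqtt_str(buf, pos)
        if info["qos"] > 0:
            pos += 2
        info["payload"] = buf[pos:]
    return info


def hunt(flows):
    """flows: (src_host, dst_ip, dst_port, first_bytes). Returns list of alerts."""
    alerts = []
    for src, dst, port, data in flows:
        pkt = parse_packet(data)
        if pkt is None:
            continue
        reasons = []
        if src not in IOT_HOSTS:
            reasons.append("non-IoT host speaks MQTT")
        if dst not in APPROVED_BROKERS:
            reasons.append("unknown broker")
        if port not in (1883, 8883):
            reasons.append("MQTT on port %d" % port)
        if reasons:
            alerts.append((src, dst, pkt["type"], pkt.get("client_id") or pkt.get("topic"), reasons))
    return alerts


# Constructed flows: a workstation beaconing to an external broker (203.0.113.10 is a
# documentation-range address), a legitimate sensor, and a TLS ClientHello that must not parse.
SAMPLE_FLOWS = [
    ("ws-finance-07", "203.0.113.10", 1883, build_connect("ws-finance-07")),
    ("hvac-sensor-12", "10.0.5.20", 1883, build_connect("hvac-sensor-12")),
    ("ws-finance-07", "203.0.113.10", 1883, build_publish("sensors/telemetry", b"beacon")),
    ("ws-finance-07", "198.51.100.5", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03" + b"\x00" * 16),
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_FLOWS):
        print(alert)
```

Run against the constructed flows, the rule raises two alerts, both for the workstation talking to the unapproved broker, while the HVAC sensor and the TLS flow are ignored. The same logic maps directly onto Zeek or Suricata MQTT logs: alert on any CONNECT whose source is outside the IoT inventory or whose destination is not an approved broker, and treat a workstation client id as a strong signal on its own.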
Regarding targets, the researcher said Mustang Panda used the new backdoor to infect unknown entities in Australia and Bulgaria, as well as a governmental institution in Taiwan.
“However, due to the nature of the decoy filenames used, we believe that political and governmental organizations in Europe and Asia are also being targeted,” read the ESET advisory, adding that the group previously targeted organizations in the EU area.
The research comes two weeks after the EU Agency for Cybersecurity (ENISA) released a publication warning member states about several Chinese APTs, including Mustang Panda.