Chinese hackers used the MQsTTang backdoor to bypass security

March 14, 2023

One of China’s most notorious threat groups, Mustang Panda, has deployed the new MQsTTang backdoor in its attacks this year. According to reports, the new backdoor from the Chinese-speaking threat group is not derived from the group’s previously used malware strains, such as PlugX.

This detail indicates that the threat actors are continually developing new malware strains designed to bypass security detection and hinder threat analysis.


The MQsTTang backdoor debuted last January.


According to recent observations, the first campaign to use the MQsTTang backdoor took place in January this year. Campaigns using the backdoor are still actively targeting government and political organisations in Asia and Europe.

The actors primarily use spear-phishing emails to distribute the backdoor. A user account associated with previous Mustang Panda operations creates GitHub repositories that host the downloadable payloads.

The new malware is an executable packed inside RAR archives whose file names follow a diplomacy theme, such as scans of passports of mission members, embassy notes, and similar documents.

A separate researcher described MQsTTang as a barebones backdoor that lets its operator run arbitrary commands remotely on the targeted device and collect their output. The new backdoor provides a remote shell and shares none of the features of the other malware strains Mustang Panda has used in previous campaigns.

On launch, MQsTTang starts a copy of itself with a command-line argument that selects the task to perform, such as initiating command-and-control communication or establishing persistence.

The malware establishes persistence by adding a new registry key that launches the backdoor at system startup. Command-and-control communication is then resumed by the copy started after reboot.

The researchers explained that what makes this backdoor unique is its use of the MQTT protocol for C2 communication. MQTT gives the strain good resilience against takedowns, obscures the threat actor’s infrastructure behind a broker, and evades security solutions that only look for the more common C2 protocols.
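Because MQTT is rarely used by workstations, simply recognising MQTT session setup on the wire is a useful detection signal for the technique described above. The following is an added example, not code from the article or from any vendor report: a parser for the MQTT 3.1.1 CONNECT packet (the first packet a client sends to a broker) that returns the protocol name, client identifier and credentials present, so a network sensor or a script run over captured TCP payloads can flag hosts that should never speak MQTT. The sample packet is constructed inline for the demonstration; the broker, client id and credentials in it are invented.

```python
import struct

CONNECT_PACKET_TYPE = 1  # high nibble of the MQTT fixed-header byte


def _decode_remaining_length(buf: bytes, offset: int):
    """Decode MQTT's variable-length 'remaining length' field (max 4 bytes)."""
    multiplier, value = 1, 0
    for _ in range(4):
        if offset >= len(buf):
            raise ValueError("truncated remaining length")
        byte = buf[offset]
        offset += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset
        multiplier *= 128
    raise ValueError("malformed remaining length")


def _read_utf8(buf: bytes, offset: int):
    """Read a 2-byte big-endian length-prefixed UTF-8 string."""
    if offset + 2 > len(buf):
        raise ValueError("truncated string length")
    (length,) = struct.unpack_from(">H", buf, offset)
    offset += 2
    if offset + length > len(buf):
        raise ValueError("truncated string")
    return buf[offset:offset + length].decode("utf-8", errors="replace"), offset + length


def parse_mqtt_connect(packet: bytes):
    """Return a dict describing an MQTT CONNECT packet, or None if the bytes
    do not start with a CONNECT fixed header. Raises ValueError on truncation."""
    if len(packet) < 2 or (packet[0] >> 4) != CONNECT_PACKET_TYPE:
        return None
    remaining, offset = _decode_remaining_length(packet, 1)
    if offset + remaining > len(packet):
        raise ValueError("truncated packet")
    body = packet[offset:offset + remaining]
    pos = 0
    proto_name, pos = _read_utf8(body, pos)
    if pos + 4 > len(body):
        raise ValueError("truncated variable header")
    level, flags = body[pos], body[pos + 1]
    (keep_alive,) = struct.unpack_from(">H", body, pos + 2)
    pos += 4
    client_id, pos = _read_utf8(body, pos)
    info = {
        "protocol": proto_name,
        "level": level,
        "keep_alive": keep_alive,
        "client_id": client_id,
        "has_will": bool(flags & 0x04),
        "username": None,
        "has_password": bool(flags & 0x40),
    }
    if info["has_will"]:  # will topic and will message precede credentials
        _, pos = _read_utf8(body, pos)
        _, pos = _read_utf8(body, pos)
    if flags & 0x80:
        info["username"], pos = _read_utf8(body, pos)
    return info


def _mqtt_string(s: str) -> bytes:
    return struct.pack(">H", len(s)) + s.encode()


def build_sample_connect() -> bytes:
    """Constructed CONNECT packet used only as test input: username and
    password flags set, clean session, keep-alive 60 s."""
    body = (
        _mqtt_string("MQTT") + bytes([4, 0xC2]) + struct.pack(">H", 60)
        + _mqtt_string("constructed-client")
        + _mqtt_string("demo-user") + _mqtt_string("demo-pass")
    )
    return bytes([CONNECT_PACKET_TYPE << 4, len(body)]) + body


if __name__ == "__main__":
    print(parse_mqtt_connect(build_sample_connect()))
    print(parse_mqtt_connect(b"GET / HTTP/1.1\r\n"))  # not MQTT -> None
```

In a sensor this would be applied to the first payload bytes of each outbound TCP flow regardless of port, since a C2 channel has no reason to use the standard 1883/8883 ports; a CONNECT from a host outside your IoT or telemetry allow-list is the event worth alerting on.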

Lastly, MQsTTang checks the targeted device for debuggers or monitoring tools running on the host, and changes its behaviour to avoid detection when such tools are present.
