China-aligned APT is exploring new technology stacks for malicious tools
ESET researchers have analyzed MQsTTang, a custom backdoor that they attribute to the China-aligned Mustang Panda APT group. This backdoor is part of an ongoing campaign that ESET can trace back to early January 2023.
Execution graph showing the subprocesses and executed tasks
Researchers have seen unknown entities in Bulgaria and Australia in their telemetry as targets. They also have information indicating that Mustang Panda is targeting a governmental institution in Taiwan. Due to the nature of the decoy filenames used, researchers believe that political and governmental organizations in Europe and Asia are also being targeted. The Mustang Panda campaign is ongoing as of this writing, and the group has increased its activity in Europe since Russia invaded Ukraine.
“Unlike most of the group’s malware, MQsTTang doesn’t seem to be based on existing families or publicly available projects,” says ESET researcher Alexandre Côté Cyr, who discovered the ongoing campaign.
“This new MQsTTang backdoor provides a kind of remote shell without any of the bells and whistles associated with the group’s other malware families. However, it shows that Mustang Panda is exploring new technology stacks for its tools,” he explains. “It remains to be seen whether this backdoor will become a recurring part of their arsenal, but it is one more example of the group’s fast development and deployment cycle,” concludes Côté Cyr.
Based on their telemetry, researchers can confirm that unknown entities in Bulgaria and Australia are being targeted. In addition, a governmental institution in Taiwan appears to be a target. The victimology is unclear, but the decoy filenames make ESET believe that political and governmental organizations in Europe and Asia are also being targeted. This would also be in line with the targeting of the group’s latest campaigns.
MQsTTang is a barebones backdoor that allows the attacker to execute arbitrary commands on a victim’s machine and capture the output. The malware uses the MQTT protocol for Command-and-Control communication. MQTT is typically used for communication between IoT devices and controllers, and the protocol hasn’t been used in many publicly documented malware families.
MQsTTang is distributed in RAR archives that only contain a single executable. These executables usually have filenames related to diplomacy and passports.