
Mustang Panda’s Latest Backdoor Introduces Qt and MQTT to their Arsenal


ESET researchers have uncovered a new backdoor, MQsTTang, which they attribute to the Mustang Panda advanced persistent threat (APT) group. The backdoor belongs to a campaign that ESET can trace back to January 2023. Unlike most of the group's malware, MQsTTang does not appear to be based on existing families or publicly available projects. It is also single-stage and uses no obfuscation, a departure from the group's usual tactics.

ESET telemetry shows victims in Bulgaria and Australia, and there is some evidence that the campaign is targeting a governmental institution in Taiwan. Judging by the decoy filenames used in the operation, analysts believe MQsTTang is also aimed at political and governmental organizations in Europe and Asia, consistent with the group's known targeting of such organizations in Europe as documented by Proofpoint.

MQTT Protocol Use

MQsTTang is a backdoor that lets its operators run arbitrary commands on a compromised machine. Its use of the MQTT protocol for command and control (C&C) traffic is a new tactic for an APT group: MQTT is normally seen only between internet of things (IoT) devices and their controllers. ESET notes that the protocol benefits the attacker because a publish/subscribe broker sits between the implant and the operators, so the compromised machine never contacts the C&C server directly and the attacker's infrastructure stays hidden behind the broker.

MQsTTang is distributed in RAR archives that contain a single executable, with filenames related to passports, CVs and diplomacy. The archives are hosted on a web server with no domain name associated with it, and are probably delivered via spearphishing. The malware's anti-analysis check is narrow: it looks only for x64dbg and a few other debuggers, ignoring other analysis tools. If one is detected, only the C&C communication task is altered, and tasks 2–4 are skipped. ESET has observed a limited number of samples; they share the same characteristics apart from the anti-analysis techniques added in the latest versions.

The malware and C&C servers communicate over two MQTT topics: iot/server2 carries messages from client to server, and a per-client topic under the iot/v2/ prefix carries messages from server to client. Both directions use the same encoding: the actual content is base64 encoded, the result is XORed with the hardcoded string nasa, and that is base64 encoded again. The MQTT payload is a JSON object with a single attribute, msg, holding the encoded string. On its first connection to the broker the client subscribes to its unique topic, then publishes a KeepAlive message to the server's topic every 30 seconds; the KeepAlive payload carries the malware's uptime in minutes and the client's unique topic, which tells the server where to send replies.
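The encoding scheme above is simple enough to reimplement, which is useful when decoding captured MQTT PUBLISH payloads or writing a test harness. The following Python codec is an added example, not code from ESET or from the MQsTTang sample: the topic names and the XOR key nasa come from the report, while the JSON field names used inside the KeepAlive body (uptime, topic) and the sample client topic are assumptions made for this example.

```python
# Added example (not ESET's or the malware's own code): codec for the
# MQsTTang message format described above, plus helpers to label topics
# and decode a captured PUBLISH. The KeepAlive field names are assumed.
import base64
import json
from itertools import cycle

XOR_KEY = b"nasa"                   # hardcoded key reported by ESET
TOPIC_TO_SERVER = "iot/server2"     # client -> server
TOPIC_TO_CLIENT_PREFIX = "iot/v2/"  # server -> client, one topic per client


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_payload(content: str) -> str:
    """Outbound encoding: base64 -> XOR 'nasa' -> base64, wrapped in {"msg": ...}."""
    inner = base64.b64encode(content.encode("utf-8"))
    outer = base64.b64encode(xor_with_key(inner))
    return json.dumps({"msg": outer.decode("ascii")})


def decode_payload(payload: str) -> str:
    """Inverse of encode_payload: unwrap the JSON, then undo the three layers."""
    obj = json.loads(payload)
    outer = base64.b64decode(obj["msg"], validate=True)
    inner = xor_with_key(outer)           # XOR is its own inverse
    return base64.b64decode(inner, validate=True).decode("utf-8")


def topic_direction(topic: str) -> str:
    """Label an MQTT topic by the direction it carries in this scheme."""
    if topic == TOPIC_TO_SERVER:
        return "client->server"
    if topic.startswith(TOPIC_TO_CLIENT_PREFIX) and len(topic) > len(TOPIC_TO_CLIENT_PREFIX):
        return "server->client"
    return "unrelated"


def build_keepalive(uptime_minutes: int, client_topic: str) -> str:
    """KeepAlive carrying uptime and the client's own topic, as the text
    describes. The field names 'uptime' and 'topic' are this example's assumption."""
    body = json.dumps({"uptime": uptime_minutes, "topic": client_topic})
    return encode_payload(body)


def parse_keepalive(payload: str) -> dict:
    """Decode a KeepAlive built by build_keepalive back into its fields."""
    return json.loads(decode_payload(payload))


def decode_capture(topic: str, payload: str) -> dict:
    """Turn one captured PUBLISH (topic + payload) into a readable record."""
    return {"direction": topic_direction(topic), "content": decode_payload(payload)}


if __name__ == "__main__":
    # Constructed sample: a KeepAlive from a hypothetical client topic.
    client_topic = TOPIC_TO_CLIENT_PREFIX + "example-client"
    wire = build_keepalive(5, client_topic)
    print(wire)
    print(decode_capture(TOPIC_TO_SERVER, wire))
```

Because every layer is reversible without a secret (the XOR key is a fixed string in the binary), anyone who can read the broker traffic can decode both directions; the scheme hides the content from casual inspection, not from analysis.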

Assessment

MQsTTang's use of the MQTT protocol and of the Qt framework for malware development are both uncommon choices, and both help the malware stay under the radar. It hides behind the MQTT broker and reaches its infrastructure only indirectly, and its statically linked Qt framework keeps the network code inside the binary. The decoys point to targets connected with diplomacy. These methods show that Mustang Panda keeps evolving its tactics and remains a threat to organizations. As always, organizations should stay vigilant against phishing and install patches promptly. For this particular backdoor a more specific check is worthwhile: ordinary user workstations have little reason to speak MQTT (default TCP ports 1883 and 8883), so outbound connections from endpoints to an external MQTT broker, or, where the traffic is not TLS-wrapped, PUBLISH messages to the topic iot/server2 or to topics under iot/v2/, are good alerting candidates.
