The China-linked nation-state hacking group Mustang Panda has been continuously targeting entities in Europe and Asia Pacific since at least 2020. In a recent ongoing social engineering campaign, the group has been discovered using a new custom backdoor named MQsTTang.
MQsTTang: a single-stage backdoor
According to ESET, the campaign has been active since January and has targeted political and governmental organizations in several countries, including Bulgaria, Australia, and Taiwan.
The attack starts with spear-phishing emails containing links to RAR archive files hosted on a web server.
Each archive contains a single 32-bit malware executable whose file name relates to diplomatic matters or passports.
When executed, the malware launches a copy of itself and performs different tasks depending on the command-line argument value passed to that copy.
It uses some anti-analysis techniques to check for known debuggers and monitoring tools and alters the behavior of tasks accordingly.
Communication with C2
After infection, attackers use the MQTT protocol for C2 communication.
They use the open-source QMQTT library, an MQTT client for the Qt framework, to implement that communication. A large part of the Qt framework is statically linked into the malware.
This rarely seen choice of protocol lets the attackers hide their infrastructure behind an MQTT broker: the network traffic looks like legitimate messaging, and MQsTTang's operation gains resilience against disruption.
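Because the C2 channel above looks like ordinary MQTT messaging, a defender's first question is which hosts on the network are actually speaking MQTT, and to which brokers. The following is an added example, not ESET's analysis code and not MQsTTang's: a small parser for the MQTT CONNECT packet (the first thing an MQTT client sends, as defined in the MQTT 3.1.1 and 5.0 specifications) that extracts the protocol level and client identifier, plus a check that flags CONNECTs originating from hosts that are not on an allowlist of known MQTT users, whatever the destination port. The flow records, host addresses, client IDs and the allowlist are all constructed here for illustration.

```python
"""Added example: detect MQTT CONNECT packets from hosts that should not speak MQTT.
Hypothetical helper code; the sample flows and addresses below are constructed."""
import struct

MQTT_CONNECT = 1                        # control packet type in the upper nibble of byte 0
KNOWN_PROTOCOL_NAMES = {b"MQIsdp", b"MQTT"}   # MQTT 3.1 / 3.1.1 and 5.0 protocol names


def decode_remaining_length(buf: bytes, offset: int):
    """Decode MQTT's variable-length integer; returns (value, next_offset)."""
    value, multiplier = 0, 1
    for i in range(4):
        if offset + i >= len(buf):
            raise ValueError("truncated remaining length")
        byte = buf[offset + i]
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset + i + 1
        multiplier *= 128
    raise ValueError("remaining length longer than 4 bytes")


def read_utf8_string(buf: bytes, offset: int):
    """Read a 2-byte big-endian length-prefixed string; returns (bytes, next_offset)."""
    if offset + 2 > len(buf):
        raise ValueError("truncated string length")
    (length,) = struct.unpack_from(">H", buf, offset)
    end = offset + 2 + length
    if end > len(buf):
        raise ValueError("truncated string body")
    return buf[offset + 2:end], end


def parse_mqtt_connect(payload: bytes):
    """Return a dict describing a well-formed MQTT CONNECT at the start of payload, else None."""
    if not payload or (payload[0] >> 4) != MQTT_CONNECT:
        return None
    try:
        remaining, pos = decode_remaining_length(payload, 1)
        if pos + remaining > len(payload):
            return None                     # truncated packet, do not trust partial fields
        proto_name, pos = read_utf8_string(payload, pos)
        if proto_name not in KNOWN_PROTOCOL_NAMES:
            return None
        level, flags = payload[pos], payload[pos + 1]
        (keep_alive,) = struct.unpack_from(">H", payload, pos + 2)
        pos += 4
        if level == 5:                      # MQTT 5.0 adds a properties block before the client ID
            prop_len, pos = decode_remaining_length(payload, pos)
            pos += prop_len
        client_id, pos = read_utf8_string(payload, pos)
    except (ValueError, IndexError, struct.error):
        return None
    return {"protocol": proto_name.decode("ascii", "replace"), "level": level,
            "clean_session": bool(flags & 0x02), "keep_alive": keep_alive,
            "client_id": client_id.decode("utf-8", "replace")}


def flag_unexpected_mqtt(flows, allowed_clients):
    """flows: iterable of (src_host, dst_host, dst_port, first_payload_bytes).
    Returns (src, dst, port, client_id) for each MQTT CONNECT sent by a host
    outside allowed_clients. Port is deliberately ignored: the parser, not the
    port number, decides whether the flow is MQTT."""
    findings = []
    for src, dst, port, payload in flows:
        info = parse_mqtt_connect(payload)
        if info is not None and src not in allowed_clients:
            findings.append((src, dst, port, info["client_id"]))
    return findings


def build_sample_connect(client_id: bytes, level: int = 4) -> bytes:
    """Construct a minimal CONNECT packet as a test fixture (not captured traffic)."""
    var_header = struct.pack(">H", 4) + b"MQTT" + bytes([level, 0x02]) + struct.pack(">H", 60)
    if level == 5:
        var_header += b"\x00"               # empty properties block
    body = var_header + struct.pack(">H", len(client_id)) + client_id
    rem, enc = len(body), b""
    while True:                             # encode remaining length as MQTT varint
        digit, rem = rem % 128, rem // 128
        enc += bytes([digit | 0x80 if rem else digit])
        if not rem:
            return bytes([MQTT_CONNECT << 4]) + enc + body


# Constructed flow records: (src, dst, dst_port, first bytes of client payload)
SAMPLE_FLOWS = [
    ("10.0.5.17", "203.0.113.9", 1883, build_sample_connect(b"wkst-7f3a")),        # workstation
    ("10.0.9.2", "10.0.9.50", 1883, build_sample_connect(b"sensor-hub-01")),       # known IoT gateway
    ("10.0.5.21", "198.51.100.4", 443, b"\x16\x03\x01\x00\xa5\x01"),                # TLS hello, not MQTT
    ("10.0.5.33", "203.0.113.40", 8080, build_sample_connect(b"wkst-02c1", level=5)),  # non-standard port
]
ALLOWED_MQTT_CLIENTS = {"10.0.9.2"}         # hosts with a legitimate reason to use MQTT

if __name__ == "__main__":
    for finding in flag_unexpected_mqtt(SAMPLE_FLOWS, ALLOWED_MQTT_CLIENTS):
        print("unexpected MQTT CONNECT:", finding)
```

Run against the constructed flows, the check reports the two workstations (one of them on a non-standard port) and ignores both the allowlisted gateway and the TLS flow. In a real deployment the payload would come from a network sensor or full-packet capture, and MQTT over TLS (commonly port 8883) would need TLS termination or a JA3/SNI-style approach instead, since the CONNECT is then encrypted.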
MQsTTang has been attributed to Mustang Panda due to the following reasons:
Two GitHub repositories belonging to the user YanNaingOo0072022 were found to contain samples of MQsTTang. The same user was linked to another GitHub repository that was used in a previous campaign by the group.
The latest campaign runs a publicly accessible anonymous FTP server; one of its directories contains multiple Korplug loaders, archives, and tools such as JSX and HT3 that are linked to the group.
Moreover, the network fingerprints of the latest campaign’s infrastructure are similar to that of previously known servers used by the group.
The Mustang Panda group is known to change and update its core toolset using existing malware, as well as to develop its own custom tools from campaign to campaign. The group has consistently targeted sectors in Europe and the Asia Pacific and has increased its activity even further since the start of the Russo-Ukrainian War. The recent malware development further highlights the group's level of sophistication and expertise.