Chinese Hackers Target Asian and European Entities With MQsTTang

MQsTTang: a single-stage backdoor

• The attack starts with spear-phishing emails containing links to RAR archive files hosted on a web server. 
• These files contain a single 32-bit malware executable that features names related to diplomatic matters and passports.
• When executed, the malware launches a copy of itself and executes certain tasks as per the command line argument value passed during execution. 
• It uses some anti-analysis techniques to check for known debuggers and monitoring tools and alters the behavior of tasks accordingly.

Communication with C2

• They utilize the open-source QMQTT library, an MQTT client for the Qt framework, to archive the communication. Qt framework’s large part is statically linked to the malware.
• This rarely-seen malware development helps attackers to hide their infrastructure behind a broker. It makes the network traffic seem legitimate and provides resiliency to MQsTTang’s operation without any disruption.

Campaign attribution

• Two GitHub repositories belonging to the user YanNaingOo0072022 are found to contain samples of MQsTTang. The same user was linked to another GitHub repository that was used in a previous campaign by the group.
• The latest campaign is running a publicly accessible anonymous FTP server, one of the directories of this server contains multiple Korplug loaders, archives, and tools such as JSX and HT3, that are linked to the group.
• Moreover, the network fingerprints of the latest campaign’s infrastructure are similar to that of previously known servers used by the group.

Conclusion