The Chinese cyberespionage group Mustang Panda, also tracked as TA416, has been seen deploying a new custom backdoor named ‘MQsTTang’ in its attacks.
Researchers discovered the MQsTTang backdoor as part of a campaign targeting government and political organizations in Taiwan and Ukraine. The backdoor does not appear to be based on any of Mustang Panda’s previous malware families, which suggests it was written from scratch so that detections built for the group’s older tooling would not catch it.
The malware is distributed through spear-phishing emails, with the payloads downloaded from GitHub repositories created by an account linked to previous Mustang Panda campaigns. The payload is an executable packed inside a RAR archive whose file name follows a diplomatic theme, such as a passport scan or an embassy note.
Once launched, the malware creates a copy of itself and runs it with a command-line argument that initiates C2 communication and sets up persistence. Persistence is achieved by adding a value under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run”, which relaunches the copy whenever the user logs on. After a reboot, only the C2 communication task is executed.
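A Run-key entry that points at a binary in a user-writable location and passes it an argument is exactly the shape described above, and it is cheap to triage offline. The following is an added example (not code from ESET or from the article): it parses a `.reg` export of the HKCU Run key and flags entries whose executable lives outside Windows or Program Files, recording any command-line argument as context. The export text, the value names, the paths and the `1` argument are all constructed for the example and are not indicators from the report.

```python
import re

# Constructed .reg export of the HKCU Run key, in the format produced by
# `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`.
# The entries, paths and the "1" argument are made up for this example; they
# are not indicators from the ESET report.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\Updater\\update.exe 1"
'''

# "name"="data" lines; .reg escapes backslashes and quotes with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')

# Locations a standard user cannot write to. Anything else (user profile,
# ProgramData, Temp) is where a self-copied malware binary would normally live.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _unescape(s: str) -> str:
    # Undo .reg escaping: a backslash followed by any character yields that character.
    return re.sub(r"\\(.)", r"\1", s)


def split_command(cmd: str) -> tuple[str, str]:
    """Split a Run value into (executable path, argument string)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, possibly containing spaces
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r"(.*?\.exe)(?:\s+(.*))?$", cmd, re.I)  # unquoted: cut after the .exe
    if m:
        return m.group(1), (m.group(2) or "").strip()
    head, _, tail = cmd.partition(" ")           # no .exe at all: first token is the binary
    return head, tail.strip()


def parse_run_values(reg_export: str) -> list[tuple[str, str]]:
    """Return (value name, command) pairs found under a ...\\CurrentVersion\\Run key."""
    values, in_run = [], False
    for line in reg_export.splitlines():
        if line.startswith("["):
            in_run = line.rstrip("]").lower().endswith("\\currentversion\\run")
            continue
        m = VALUE_RE.match(line)
        if in_run and m:
            values.append((_unescape(m.group(1)), _unescape(m.group(2))))
    return values


def triage_run_values(reg_export: str) -> list[dict]:
    """Flag Run entries whose binary is outside Windows/Program Files; note arguments as context."""
    findings = []
    for name, cmd in parse_run_values(reg_export):
        exe, args = split_command(cmd)
        untrusted = not exe.lower().startswith(TRUSTED_PREFIXES)
        reasons = []
        if untrusted:
            reasons.append("binary in a user-writable location")
        if args:
            reasons.append(f"launched with argument(s) {args!r}")
        findings.append({"name": name, "exe": exe, "args": args,
                         "suspicious": untrusted, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_run_values(SAMPLE_REG_EXPORT):
        tag = "SUSPECT" if f["suspicious"] else "ok     "
        print(f"{tag} {f['name']}: {f['exe']} {f['args']}  {'; '.join(f['reasons'])}")
```

The path heuristic is deliberately the only thing that marks an entry suspicious: plenty of legitimate software (per-user installers, Electron updaters) also lives under AppData and also takes arguments, so on a real host treat the output as a triage list to verify against file hashes and signatures, not as a verdict.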
The new backdoor uses the MQTT protocol for its C2 communications, which is unusual for malware: MQTT is a lightweight publish/subscribe protocol used mostly by IoT devices, and it routes every message through a broker rather than directly between client and server. That design makes the malware more resilient to takedowns of any single C2 server, hides the attacker’s real infrastructure behind the broker, and makes it less likely to be noticed by defenders who monitor only the commonly abused C2 protocols such as HTTP(S) and DNS. The flip side for defenders is that a workstation opening an outbound MQTT connection (TCP 1883, or 8883 over TLS) is itself an anomaly worth alerting on.
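Because MQTT is so rarely spoken by workstations, the most useful detection is simply recognising it on the wire and pulling out the fields an analyst would pivot on. The following is an added example, not code from ESET or from the article: a minimal decoder for MQTT 3.1.1 framing (fixed header, variable-length remaining length, length-prefixed strings) that recovers the client ID, subscribed and published topics and payloads from one direction of a captured TCP stream, plus a constructed client-to-broker sample in which the client ID, topic names and beacon payload are invented. The only protocol facts applied as checks are the protocol names “MQTT”/“MQIsdp” in the CONNECT packet and the registered ports 1883 and 8883.

```python
import struct

# MQTT 3.1.1 control packet types (high nibble of the fixed header's first byte).
CONNECT, PUBLISH, SUBSCRIBE = 1, 3, 8
TYPE_NAMES = {1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK", 8: "SUBSCRIBE",
              9: "SUBACK", 12: "PINGREQ", 13: "PINGRESP", 14: "DISCONNECT"}


def mqtt_str(s: str) -> bytes:
    """Length-prefixed UTF-8 string as used throughout MQTT."""
    b = s.encode()
    return struct.pack(">H", len(b)) + b


def encode_remaining_length(n: int) -> bytes:
    """Variable-length 'remaining length': 7 bits per byte, 0x80 means more bytes follow."""
    out = bytearray()
    while True:
        digit, n = n % 128, n // 128
        out.append(digit | 0x80 if n else digit)
        if not n:
            return bytes(out)


def encode_packet(ptype: int, flags: int, body: bytes) -> bytes:
    return bytes([(ptype << 4) | flags]) + encode_remaining_length(len(body)) + body


def build_sample_stream() -> bytes:
    """Constructed client->broker bytes: CONNECT, SUBSCRIBE to a command topic, PUBLISH a beacon.
    The client ID, topics and payload are invented for this example, not taken from the report."""
    connect = encode_packet(CONNECT, 0,
        mqtt_str("MQTT") + bytes([4])            # protocol name, level 4 = MQTT 3.1.1
        + bytes([0x02])                          # connect flags: clean session only
        + struct.pack(">H", 60)                  # keep-alive in seconds
        + mqtt_str("client-0badf00d"))           # payload: client identifier
    subscribe = encode_packet(SUBSCRIBE, 0x02,   # SUBSCRIBE must carry flags 0b0010
        struct.pack(">H", 1) + mqtt_str("cmd/0badf00d") + bytes([0]))  # packet id, filter, QoS
    publish = encode_packet(PUBLISH, 0,          # QoS 0: no packet identifier in the header
        mqtt_str("beacon/0badf00d") + b'{"host":"WS-01","user":"alice"}')
    return connect + subscribe + publish


def _read_remaining_length(data: bytes, i: int) -> tuple[int, int]:
    value, mult = 0, 1
    for _ in range(4):                           # the spec allows at most four bytes
        byte, i = data[i], i + 1
        value += (byte & 0x7F) * mult
        if not byte & 0x80:
            return value, i
        mult *= 128
    raise ValueError("malformed remaining length")


def _read_str(data: bytes, i: int) -> tuple[str, int]:
    (n,) = struct.unpack_from(">H", data, i)
    return data[i + 2:i + 2 + n].decode("utf-8", "replace"), i + 2 + n


def parse_mqtt_stream(data: bytes) -> list[dict]:
    """Split one direction of a TCP stream into MQTT packets and decode the fields useful for hunting."""
    packets, i = [], 0
    while i < len(data):
        ptype, flags = data[i] >> 4, data[i] & 0x0F
        length, i = _read_remaining_length(data, i + 1)
        body, i = data[i:i + length], i + length
        if len(body) < length:
            raise ValueError("truncated packet")
        info = {"type": TYPE_NAMES.get(ptype, f"type{ptype}")}
        if ptype == CONNECT:
            info["protocol"], j = _read_str(body, 0)
            info["level"], cflags = body[j], body[j + 1]
            info["keepalive"] = struct.unpack_from(">H", body, j + 2)[0]
            info["client_id"], j = _read_str(body, j + 4)
            if cflags & 0x04:                    # will flag: will topic and will message follow
                info["will_topic"], j = _read_str(body, j)
                _, j = _read_str(body, j)
            if cflags & 0x80:
                info["username"], j = _read_str(body, j)
            if cflags & 0x40:
                info["password"], j = _read_str(body, j)
        elif ptype == PUBLISH:
            qos = (flags >> 1) & 0x03
            info["topic"], j = _read_str(body, 0)
            if qos:                              # packet identifier is present only for QoS 1/2
                j += 2
            info["qos"], info["payload"] = qos, body[j:]
        elif ptype == SUBSCRIBE:
            j, filters = 2, []                   # skip the packet identifier
            while j < len(body):
                topic, j = _read_str(body, j)
                filters.append((topic, body[j]))
                j += 1
            info["filters"] = filters
        packets.append(info)
    return packets


def summarize_session(data: bytes, dst_port: int) -> dict:
    """What an analyst wants from a suspected MQTT C2 flow: is it MQTT, who connected, which topics."""
    packets = parse_mqtt_stream(data)
    connect = next((p for p in packets if p["type"] == "CONNECT"), None)
    topics = set()
    for p in packets:
        if p["type"] == "PUBLISH":
            topics.add(p["topic"])
        elif p["type"] == "SUBSCRIBE":
            topics.update(t for t, _ in p["filters"])
    return {
        "is_mqtt": connect is not None and connect["protocol"] in ("MQTT", "MQIsdp"),  # 3.1.1 / 3.1
        "client_id": connect["client_id"] if connect else None,
        "nonstandard_port": dst_port not in (1883, 8883),
        "topics": sorted(topics),
        "packet_types": [p["type"] for p in packets],
    }


if __name__ == "__main__":
    print(summarize_session(build_sample_stream(), dst_port=1883))
```

On a real capture, feed the reassembled client-to-broker bytes (for example a follow-stream export from Wireshark or tshark) to `summarize_session`. Any CONNECT from a host with no IoT role is the alert; the client ID and topic names are what you pivot on across hosts, since an operator addressing implants through a shared broker has to keep them distinct per victim. Note that port 8883 carries MQTT inside TLS, so there the decoder only applies to the plaintext side of an inspecting proxy.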
This research was documented by researchers from ESET.