Security researchers from ESET have identified a new custom backdoor they dubbed MQsTTang and attributed it to the advanced persistent threat (APT) group known as Mustang Panda.
Writing in an advisory published on March 2, 2023, ESET malware researcher Alexandre Côté Cyr explained that the new backdoor is part of an ongoing campaign the company traced back to early January.
“Unlike most of the group’s malware, MQsTTang doesn’t seem to be based on existing families or publicly available projects.”
Côté Cyr also noted that while Mustang Panda is known for its Korplug variants (also known as PlugX) and elaborate loading chains, MQsTTang is a considerably simpler piece of malware.
“In a departure from the group’s usual tactics, MQsTTang has only a single stage and doesn’t use any obfuscation techniques,” the malware researcher wrote. It is also distributed in RAR archives that contain only a single executable.
“These archives are hosted on a web server with no associated domain name. This fact, along with the filenames, leads us to believe that the malware is spread via spear phishing.”
As the name implies, the backdoor uses the Message Queuing Telemetry Transport (MQTT) protocol, commonly used for communication between IoT devices and their controllers, for command-and-control (C&C) traffic.
“One of MQTT’s advantages is that it hides the rest of [its] infrastructure behind a broker. Therefore, the compromised machine never communicates directly with the C&C server,” Côté Cyr wrote.
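Because the implant only ever talks to a broker, a defender cannot rely on spotting the C&C server itself; what stands out instead is an MQTT session coming from a host that has no business speaking MQTT. The following is an added example (not code from ESET or from the article) that parses the MQTT CONNECT packet from the first TCP payload of a flow, per the MQTT 3.1.1 and 5.0 wire format, and flags connects from hosts that are not in an allowlist of expected MQTT clients. The flow records, host names and client identifier are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

MQTT_CONNECT = 1  # control packet type in the high nibble of the first byte


def decode_remaining_length(buf: bytes, offset: int) -> Tuple[int, int]:
    """Decode MQTT's variable-length 'remaining length' (1 to 4 bytes, 7 bits each)."""
    multiplier = 1
    value = 0
    for i in range(4):
        if offset + i >= len(buf):
            raise ValueError("truncated remaining length")
        b = buf[offset + i]
        value += (b & 0x7F) * multiplier
        if not (b & 0x80):  # continuation bit clear: last byte
            return value, offset + i + 1
        multiplier *= 128
    raise ValueError("malformed remaining length")


def read_utf8_string(buf: bytes, offset: int) -> Tuple[str, int]:
    """Read a 2-byte big-endian length-prefixed UTF-8 string."""
    if offset + 2 > len(buf):
        raise ValueError("truncated string length")
    (n,) = struct.unpack_from(">H", buf, offset)
    offset += 2
    if offset + n > len(buf):
        raise ValueError("truncated string body")
    return buf[offset:offset + n].decode("utf-8"), offset + n


@dataclass
class ConnectInfo:
    protocol_name: str   # "MQTT" (3.1.1 / 5.0) or "MQIsdp" (3.1)
    protocol_level: int  # 3, 4 or 5
    client_id: str
    keep_alive: int
    has_username: bool
    has_password: bool


def parse_mqtt_connect(payload: bytes) -> Optional[ConnectInfo]:
    """Return ConnectInfo if payload begins with a well-formed MQTT CONNECT, else None."""
    try:
        if len(payload) < 2 or payload[0] >> 4 != MQTT_CONNECT:
            return None
        if payload[0] & 0x0F:  # CONNECT flags nibble is reserved and must be zero
            return None
        remaining, off = decode_remaining_length(payload, 1)
        if off + remaining > len(payload):
            return None  # need the whole packet in the captured payload
        name, off = read_utf8_string(payload, off)
        if name not in ("MQTT", "MQIsdp"):
            return None
        level = payload[off]
        flags = payload[off + 1]
        (keep_alive,) = struct.unpack_from(">H", payload, off + 2)
        off += 4
        if level == 5:  # MQTT 5.0 inserts a properties block before the payload
            plen, off = decode_remaining_length(payload, off)
            off += plen
        client_id, off = read_utf8_string(payload, off)
        return ConnectInfo(name, level, client_id, keep_alive,
                           bool(flags & 0x80), bool(flags & 0x40))
    except (ValueError, IndexError, struct.error, UnicodeDecodeError):
        return None


# Constructed MQTT 3.1.1 CONNECT: client id "ws-0421", username/password flags set,
# keep-alive 60 s. Remaining length 0x19 = 25 bytes.
CONNECT_SAMPLE = (b"\x10\x19\x00\x04MQTT\x04\xc2\x00\x3c"
                  b"\x00\x07ws-0421\x00\x01u\x00\x01p")

# Constructed flow records: (source host, destination port, first TCP payload bytes).
SAMPLE_FLOWS = [
    ("hmi-sensor-gw", 1883, CONNECT_SAMPLE),                           # expected IoT client
    ("finance-ws-17", 1883, CONNECT_SAMPLE),                           # workstation: unexpected
    ("finance-ws-17", 443, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),  # not MQTT
]


def find_unexpected_mqtt_clients(flows: Iterable[Tuple[str, int, bytes]],
                                 expected_hosts: Set[str]) -> List[Tuple[str, int, str]]:
    """Flag MQTT CONNECTs from hosts outside the allowlist, regardless of destination port."""
    alerts = []
    for host, port, payload in flows:
        info = parse_mqtt_connect(payload)
        if info is not None and host not in expected_hosts:
            alerts.append((host, port, info.client_id))
    return alerts


if __name__ == "__main__":
    for alert in find_unexpected_mqtt_clients(SAMPLE_FLOWS, {"hmi-sensor-gw"}):
        print("unexpected MQTT client:", alert)
```

Matching on the CONNECT structure rather than on TCP port 1883/8883 matters here: an implant is free to reach its broker on any port, while the protocol name and level in the variable header are fixed by the specification. The username and password flags, when set, also indicate that broker credentials travel in the first packet, which is where a sensor should look if the session is not TLS-wrapped.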
Regarding targets, the researcher said Mustang Panda used the new backdoor to infect unknown entities in Australia and Bulgaria, as well as a governmental institution in Taiwan.
“However, due to the nature of the decoy filenames used, we believe that political and governmental organizations in Europe and Asia are also being targeted,” read the ESET advisory, adding that the group previously targeted organizations in the EU region.
The research comes two after the EU Agency for Cybersecurity (ENISA) released a publication warning member states about several Chinese APTs, including Mustang Panda.
Some parts of this article are sourced from:
www.infosecurity-magazine.com