Jump to content
  • Chinese hackers use new custom backdoor to evade detection

    alf9872000

    • 448 views
    • 3 minutes
     Share


    • 448 views
    • 3 minutes

    The Chinese cyber espionage hacking group Mustang Panda was seen deploying a new custom backdoor named 'MQsTTang' in attacks starting this year.

     

    Mustang Panda is an advanced persistent threat (APT) group known to target organizations worldwide in data theft attacks using customized versions of the PlugX malware. The threat actors are also known as TA416 and Bronze President.

     

    Mustang Panda's new MQsTTang backdoor malware does not appear to be based on previous malware, indicating the hackers likely developed it to evade detection and make attribution harder.

     

    ESET's researchers discovered MQsTTang in a campaign that started in January 2023 and is still ongoing. The campaign targets government and political organizations in Europe and Asia, focusing on Taiwan and Ukraine.

     

    targets.png

    Latest campaign targets heatmap (ESET)

     

    The malware distribution happens through spear-phishing emails, while the payloads are downloaded from GitHub repositories created by a user associated with previous Mustang Panda campaigns.

     

    The malware is an executable compressed inside RAR archives, given names with a diplomacy theme, such as scans of passports of members of diplomatic missions, embassy notes, etc.

    The new MQsTTang backdoor

    ESET characterizes MQsTTang as a "barebones" backdoor that enables the threat actor to execute commands remotely on the victim's machine and receive their output.

     

    "This new MQsTTang backdoor provides a kind of remote shell without any of the bells and whistles associated with the group's other malware families," reads the ESET report.

     

    Upon launch, the malware creates a copy of itself with a command line argument that performs various tasks, such as starting C2 communications, establishing persistence, etc.

     

    tasks.jpg

    Tasks executed by the malware (ESET)

     

    Persistence is established by adding a new registry key under "HKCU\Software\Microsoft\Windows\CurrentVersion\Run," which launches the malware at system startup. After reboot, only the C2 communication task is executed.

     

    execution.png

    Attack chain (ESET)

     

    An unusual characteristic of the novel backdoor is using the MQTT protocol for command and control server communications.

     

    MQTT gives the malware good resilience to C2 takedowns, hides the attacker's infrastructure by passing all communications through a broker, and makes it less likely to be detected by defenders looking for more commonly used C2 protocols.

     

    broker.png

    Broker sitting in between the C2 and the victimized machine (ESET)

     

    To evade detection, MQsTTang checks for the presence of debuggers or monitoring tools on the host, and if any are found, it changes its behavior accordingly.

     

    Another recent Mustang Panda operation was observed between March and October 2022 by analysts at Trend Micro, who reported seeing heavy targeting against Australian, Japanese, Taiwanese, and Philippine organizations.

     

    In that campaign, the threat group used three malware strains, namely PubLoad, ToneIns, and ToneShell, which aren't present in the 2023 campaign spotted by ESET.

     

    Whether or not MQsTTang becomes part of the group's long-term arsenal or if it was specifically developed for a specific operation remains to be seen.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...