Chinese hackers adopt a new customized backdoor

Chinese hackers adopt a new customized backdoor

As part of an ongoing social engineering campaign that started in January 2023, the China-aligned Mustang Panda actor has been seen exploiting a previously unknown custom backdoor named MQsTTang. MQsTTang was found by ESET researchers in a campaign that began in January 2023 and is still active today. Targeting Taiwan and Ukraine in particular, the effort aims to influence political and governmental institutions in Europe and Asia.

Map showing known and suspected targets of MQsTTang

The payloads are downloaded from GitHub repositories made by a user connected to earlier Mustang Panda efforts, while the malware is distributed via spear-phishing emails.

The malicious software takes the form of an executable packed inside RAR packages with names that have a diplomatic theme, such as scans of diplomats’ passports, embassy notes, etc.

“MQsTTang is a barebones backdoor that allows the attacker to execute arbitrary commands on a victim’s machine and get the output. Even so, it does present some interesting characteristics. Chief among these is its use of the MQTT protocol for C&C communication. MQTT is typically used for communication between IoT devices and controllers, and the protocol hasn’t been used in many publicly documented malware families. “

“One such example is Chrysaor, also known as Pegasus for Android. From an attacker’s perspective, one of MQTT’s benefits is that it hides the rest of their infrastructure behind a broker. Thus, the compromised machine never communicates directly with the C&C server. “ said in the ESET report.

“This new MQsTTang backdoor provides a kind of remote shell without any of the bells and whistles associated with the group’s other malware families. However, it shows that Mustang Panda is exploring new technology stacks for its tools. It remains to be seen whether this backdoor will become a recurring part of the group’s arsenal, but it is one more example of the group’s fast development and deployment cycle.”


LastPass Reveals more details on the breach


Copy link
Powered by Social Snap