Mustang Panda hackers use a freshly built backdor to advanced evasion of detection

2 months ago · 0 comments

The Chinese hacker group Mustang Panda, engaged in cyberspiospionage, was seen in the deployment of a new user backdor called MQsTTang.

Mustang Panda is a group of attackers aimed at companies in various fields around the world. In their attacks, primarily aimed at the theft of information, cybercriminals use customary versions of malicious PlugX. The group is also known as TA416 and Bronze President.

The new MQsTTang Backdor from Mustang Panda seems to be not based on well -known malicious programs. This fact indicates that hackers most likely developed MQsTTang from scratch in order to make it difficult to detect malicious antivirus products.

ESET researchers found MQsTTang during a harmful campaign aimed at government and political organizations in Europe and Asia. It began in January 2023 and continues to this day.

The distribution of malicious software occurs through phishing emails, and the payload is loaded from GitHub repositories created by the user associated with previous Mustang Panda campaigns. The malicious program is the same executable file inside the various “.rar” archives. Archives in their names adhere to diplomatic topics.

ESET characterizes MQsTTang as a “basic” backdor, allowing attackers to remotely execute commands on the victim’s computer. When starting, the malicious program creates its own copy with increased privileges, which performs various tasks, such as establishing a connection with the C2 server, configuring constancy in the victim’s system, etc.

In early February, EclecticIQ specialists revealed a malicious campaign using “.iso”-image containing malicious labels.

An unusual characteristic of the new backdor is the use of the MQTT protocol to communicate with the C2 server. MQTT provides malicious resistance to the C2-server, hides the infrastructure of the attacker, filtering all messages, and reduces the likelihood of detecting malware by specialists who are usually trying to detect the most frequently used C2-protocols.

To avoid detection, MQsTTang also checks the presence of debugger or monitoring tools on the host and, if found, changes its behavior accordingly.

It is still unknown whether MQsTTang will remain for a long time in the arsenal or whether it was specially designed for a specific operation.