Cybersecurity researchers have discovered that the China-aligned Mustang Panda group has been using a new custom backdoor, MQsTTang, as part of an ongoing social engineering campaign.
Unlike most of the group’s malware, MQsTTang does not appear to be based on existing families or publicly available projects. The group has a history of using remote access trojans to achieve its objectives, but recent intrusions have seen the group expanding its malware arsenal to include custom tools like TONEINS, TONESHELL, and PUBLOAD.
The group has stepped up its targeting of European entities since Russia’s invasion of Ukraine last year. The current victimology is unclear, but the Slovak cybersecurity company ESET has reported that decoy filenames used in the campaign are in line with the group’s previous campaigns targeting European political organizations.
However, ESET has also observed attacks against unknown entities in Bulgaria and Australia, as well as a governmental institution in Taiwan, indicating that the campaign is not confined to Europe.
The initial intrusion vector for the attacks is spear-phishing. MQsTTang is distributed inside RAR archives that contain a single executable whose filename carries a diplomatic theme.
The malware uses MQTT, a publish/subscribe messaging protocol common in IoT deployments, for command-and-control communications, implemented with the open-source QMQTT library. This is a departure from the conventional channels of the remote access trojans the group has relied on, such as PlugX: because MQTT clients talk to a broker rather than to the operator directly, the implant's network traffic points only at the broker, which hides the real command-and-control infrastructure.
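To see what an MQTT-based channel looks like on the wire, and which fields a responder can pull out of a captured client-to-broker stream, here is an added example of a minimal MQTT 3.1.1 packet parser. It is not code from ESET's report or from the malware; the client ID, topic names and beacon payload are constructed sample data, not indicators from the MQsTTang campaign.

```python
"""Minimal MQTT 3.1.1 control-packet parser for incident-response triage.

Added example; it reassembles a constructed client->broker stream
(CONNECT, SUBSCRIBE to a command topic, PUBLISH a beacon) and extracts
the fields a responder would pivot on: client ID, credentials, topics.
"""
import struct

PACKET_TYPES = {
    1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK",
    8: "SUBSCRIBE", 9: "SUBACK", 12: "PINGREQ", 13: "PINGRESP", 14: "DISCONNECT",
}


def encode_remaining_length(n):
    """MQTT variable-length integer: 7 data bits per byte, 0x80 = more bytes follow."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def decode_remaining_length(data, pos):
    value, multiplier = 0, 1
    for _ in range(4):                      # the spec allows at most 4 bytes
        byte = data[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed remaining length")


def encode_string(s):
    """UTF-8 string prefixed with a 2-byte big-endian length."""
    raw = s.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def decode_string(data, pos):
    (length,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + length].decode("utf-8"), pos + length


def build_packet(packet_type, flags, body):
    """Fixed header (type nibble | flags nibble, remaining length) + body."""
    return bytes([(packet_type << 4) | flags]) + encode_remaining_length(len(body)) + body


def parse_packet(data, pos=0):
    """Parse one control packet at `pos`; return (summary dict, next position)."""
    packet_type, flags = data[pos] >> 4, data[pos] & 0x0F
    length, body_start = decode_remaining_length(data, pos + 1)
    body = data[body_start:body_start + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    info = {"type": PACKET_TYPES.get(packet_type, f"UNKNOWN({packet_type})")}
    if packet_type == 1:                    # CONNECT: protocol name, level, flags, keepalive
        proto, p = decode_string(body, 0)
        level, connect_flags = body[p], body[p + 1]
        info["protocol"] = f"{proto} v{level}"
        (info["keepalive"],) = struct.unpack_from(">H", body, p + 2)
        p += 4
        info["client_id"], p = decode_string(body, p)
        if connect_flags & 0x04:            # Will flag: skip will topic and will message
            _, p = decode_string(body, p)
            _, p = decode_string(body, p)
        if connect_flags & 0x80:            # User Name flag
            info["username"], p = decode_string(body, p)
        if connect_flags & 0x40:            # Password flag
            info["password"], p = decode_string(body, p)
    elif packet_type == 3:                  # PUBLISH: topic, [packet id if QoS>0], payload
        qos = (flags >> 1) & 0x03
        info["topic"], p = decode_string(body, 0)
        if qos:
            p += 2
        info["payload"] = body[p:]
    elif packet_type == 8:                  # SUBSCRIBE: packet id, then (filter, QoS) pairs
        p, topics = 2, []
        while p < len(body):
            topic, p = decode_string(body, p)
            topics.append((topic, body[p]))
            p += 1
        info["topics"] = topics
    return info, body_start + length


def parse_stream(data):
    """Split a reassembled client->broker TCP stream into packet summaries."""
    packets, pos = [], 0
    while pos < len(data):
        info, pos = parse_packet(data, pos)
        packets.append(info)
    return packets


def pivot_points(data):
    """Client IDs and topic names a responder would hunt for in other hosts' traffic."""
    ids, topics = set(), set()
    for pkt in parse_stream(data):
        if pkt["type"] == "CONNECT":
            ids.add(pkt["client_id"])
        elif pkt["type"] == "PUBLISH":
            topics.add(pkt["topic"])
        elif pkt["type"] == "SUBSCRIBE":
            topics.update(t for t, _ in pkt["topics"])
    return sorted(ids), sorted(topics)


# Constructed sample stream (not real indicators): clean-session CONNECT with
# keepalive 60, SUBSCRIBE to a command topic, QoS 0 PUBLISH of a JSON beacon.
SAMPLE_STREAM = (
    build_packet(1, 0x00, encode_string("MQTT") + bytes([4, 0x02]) + struct.pack(">H", 60)
                 + encode_string("host01"))
    + build_packet(8, 0x02, struct.pack(">H", 1) + encode_string("cmd/host01") + b"\x00")
    + build_packet(3, 0x00, encode_string("beacon/host01") + b'{"id":"host01"}')
)

if __name__ == "__main__":
    for pkt in parse_stream(SAMPLE_STREAM):
        print(pkt)
    print(pivot_points(SAMPLE_STREAM))
```

The parser only reads the client-to-broker direction and ignores packet types it does not need; in practice the stream it consumes comes from a PCAP of traffic to the broker port (1883 unencrypted, 8883 over TLS, the latter of which yields nothing to parse without the session keys). The value of the exercise is the pivot: the client ID and topic names tie one host's session to any other host subscribing to the same topics on the same broker.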
The Mustang Panda group is known for its cyber espionage activities, and its recent use of custom backdoors like MQsTTang suggests a continued focus on developing new malware tools to achieve its objectives.
The group's use of spear-phishing and diplomatic-themed filenames highlights the importance of employee training and awareness as a defense against social engineering campaigns. Awareness alone is a thin control, though: the delivery and the command channel described above each give defenders something concrete to act on, namely blocking or quarantining archives that contain a lone executable at the mail gateway, and treating outbound MQTT connections (by default TCP 1883, or 8883 over TLS) from user workstations as anomalous, since that protocol has little legitimate business on an end-user endpoint.