A recent analysis has unveiled a new custom backdoor, dubbed MQsTTang, employed by the China-aligned hacking group Mustang Panda in a social engineering campaign that began in January 2023. This malware marks a departure from the group’s previously observed tactics, as it appears not to have roots in existing malware families or publicly accessible projects.
Researchers from ESET note that Mustang Panda’s operations have escalated, particularly targeting European entities in the wake of heightened geopolitical tensions following Russia’s invasion of Ukraine. While the precise victims of these attacks remain ambiguous, preliminary observations suggest that the filenames used in decoy documents align with the group’s historical focus on European political organizations.
Additionally, ESET’s investigation revealed attempts against entities in Bulgaria, Australia, and a government institution in Taiwan, which indicates a broader geographical focus encompassing both Europe and Asia. This pattern reinforces concerns about the group’s expanding operational scope.
Mustang Panda has previously utilized the remote access trojan PlugX to achieve its objectives. However, the emergence of MQsTTang illustrates a significant enhancement in their arsenal, further complemented by other custom tools such as TONEINS, TONESHELL, and PUBLOAD.
A notable aspect of MQsTTang is its use of the MQTT protocol, a lightweight publish/subscribe protocol normally used for IoT messaging, as its command-and-control channel; the backdoor is built on the open-source QMQTT library. This choice shows the group exploring transports that are less commonly inspected than the HTTP(S) channels typical of its earlier tooling.
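To illustrate the detection side of this choice, here is an added example (not ESET's code and not the malware's) that recognizes an MQTT CONNECT packet from the first bytes of a client's TCP payload, regardless of port, and flags it when the client sits outside an assumed IoT segment. The subnet, ports and flow records are constructed for the demonstration.

```python
"""Flag endpoints that speak MQTT, the transport MQsTTang uses for C2."""
import ipaddress

# MQTT CONNECT fixed header: packet type 1 in the high nibble, flags 0.
CONNECT_HEADER = 0x10
# Protocol names carried in CONNECT: "MQIsdp" (MQTT 3.1) and "MQTT" (3.1.1 / 5.0).
KNOWN_PROTOCOL_NAMES = {b"MQIsdp", b"MQTT"}

def mqtt_connect_protocol(payload: bytes):
    """Return the protocol name if payload starts with an MQTT CONNECT, else None."""
    if len(payload) < 2 or payload[0] != CONNECT_HEADER:
        return None
    # Remaining Length is a variable-length integer (1 to 4 bytes, 0x80 = continue).
    i, remaining, mult = 1, 0, 1
    while True:
        if i >= len(payload) or i > 4:
            return None
        b = payload[i]
        remaining += (b & 0x7F) * mult
        mult *= 128
        i += 1
        if not b & 0x80:
            break
    if i + 2 > len(payload):
        return None
    name_len = int.from_bytes(payload[i:i + 2], "big")
    name = payload[i + 2:i + 2 + name_len]
    # Truncated or unknown names are rejected to keep false positives down.
    return name if len(name) == name_len and name in KNOWN_PROTOCOL_NAMES else None

# Assumed IoT segment where MQTT is expected; anything else talking MQTT is suspicious.
IOT_NETS = [ipaddress.ip_network("10.50.0.0/16")]

# Constructed flow records: (source IP, destination port, first bytes of client payload).
SAMPLE_FLOWS = [
    ("10.50.3.7", 1883, b"\x10\x1a\x00\x04MQTT\x04\x02\x00<\x00\x0esensor-42"),     # IoT device
    ("10.1.4.22", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),             # TLS hello
    ("10.1.4.22", 8000, b"\x10\x2c\x00\x04MQTT\x04\x02\x00\x3c\x00\x20fa12"),        # odd port
    ("10.1.9.5", 1883, b"\x10\x12\x00\x06MQIsdp\x03\x02\x00\x3c"),                   # MQTT 3.1
]

def suspicious_mqtt_clients(flows, iot_nets=IOT_NETS):
    """Return (src, dst_port, protocol) for CONNECTs from hosts outside the IoT segment."""
    hits = []
    for src, dport, payload in flows:
        name = mqtt_connect_protocol(payload)
        if name is None or any(ipaddress.ip_address(src) in net for net in iot_nets):
            continue
        hits.append((src, dport, name.decode()))
    return hits

if __name__ == "__main__":
    for hit in suspicious_mqtt_clients(SAMPLE_FLOWS):
        print("MQTT CONNECT from non-IoT host:", hit)
```

Matching on the packet rather than on ports 1883/8883 matters because a broker can be run on any port; pair this with an allowlist of the brokers your IoT fleet is meant to reach.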
The intrusion method is spear-phishing: the backdoor is delivered inside RAR archives containing executables whose names pose as diplomatic documents (e.g., “PDF_Passport and CVs of diplomatic members from Tokyo of JAPAN.eXE”) to entice the recipient into opening them.
According to Côté Cyr, an ESET researcher, the MQsTTang backdoor functions similarly to a remote shell but lacks the complex features seen in the group’s other malware tools. This simplicity suggests Mustang Panda’s eagerness to innovate while experimenting with diverse technology stacks.
The context of these developments coincides with other significant cyber espionage activities, as recently highlighted by Symantec’s disclosures on APT41, another China-backed group targeting materials and composites sectors across Asia. Such coordination among state-affiliated threat actors raises substantial concerns for businesses operating in these regions.
Mapped to the MITRE ATT&CK framework, the likely techniques in this campaign include initial access via spear-phishing attachments, persistence through installation of the backdoor, and evasion of detection through the use of an uncommon command-and-control protocol. As organizations navigate these evolving threats, a proactive security posture remains essential.