Chinese APT hacker group Mustang Panda uses MQsTTang backdoor to target European entities

ESET researchers threw light on MQsTTang, a new custom backdoor that they attribute to the Chinese APT hacker group, Mustang Panda. The backdoor is part of an ongoing campaign that can be traced back to early January this year and doesn’t seem to be based on existing families or publicly available projects.

“We have seen unknown entities in Bulgaria and Australia in our telemetry. We also have information indicating that this campaign is targeting a governmental institution in Taiwan,” Alexandre Côté Cyr, an ESET researcher, wrote in a company blog post. “However, due to the nature of the decoy filenames used, we believe that political and governmental organizations in Europe and Asia are also being targeted. This would also be in line with the targeting of the group’s other recent campaigns.” 

“Mustang Panda is known for its customized Korplug variants (also dubbed PlugX) and elaborate loading chains. In a departure from the group’s usual tactics, MQsTTang has only a single stage and doesn’t use any obfuscation techniques,” Côté Cyr added.

He also cited Proofpoint data from last March, which revealed that Mustang Panda has been active in Europe since at least 2020 and has expanded its activity there even more since Russia invaded Ukraine.

At the time, Proofpoint researchers discovered continued activity by the China-linked APT actor TA416 targeting European diplomatic entities, including an individual involved in refugee and migrant services. The targeting is consistent with previous activity seen across the APT actor landscape, showing an interest in refugee policies and logistics that coincides with increased tensions and, now, the armed conflict between Russia and Ukraine.

ESET found archives containing samples of MQsTTang in two GitHub repositories belonging to the user ‘YanNaingOo0072022,’ the researcher wrote. “Another GitHub repository of the same user was used in a previous Mustang Panda campaign described by Avast in a December 2022 blog post.”

Côté Cyr added that one of the servers used in the current campaign was running a publicly accessible anonymous FTP server that seems to be used to stage tools and payloads. “In the ‘/pub/god’ directory of this server, there are multiple Korplug loaders, archives, and tools that were used in previous Mustang Panda campaigns. This is the same directory that was used by the stager described in the aforementioned Avast blog post. This server also had a ‘/pub/gd’ directory, which was another path used in that campaign,” he added.

Some of the infrastructure used in this campaign also matches the network fingerprint of previously known Mustang Panda servers, he added.

“MQsTTang is a barebones backdoor that allows the attacker to execute arbitrary commands on a victim’s machine and get the output. Even so, it does present some interesting characteristics. Chief among these is its use of the MQTT protocol for C&C communication,” Côté Cyr wrote. “MQTT is typically used for communication between IoT devices and controllers, and the protocol hasn’t been used in many publicly documented malware families. One such example is Chrysaor, also known as Pegasus for Android. From an attacker’s perspective, one of MQTT’s benefits is that it hides the rest of their infrastructure behind a broker. Thus, the compromised machine never communicates directly with the C&C server.” 

The capability is achieved by using the open-source QMQTT library, he added. “This library depends on the Qt framework, a large part of which is statically linked in the malware. Using the Qt framework for malware development is also fairly uncommon. Lazarus’s MagicRAT is one of the rare recently documented examples,” Côté Cyr pointed out.

Another key detail that Côté Cyr provided is that MQsTTang is distributed in RAR archives that contain only a single executable. These executables usually have names related to diplomacy and passports. “These archives are hosted on a web server with no associated domain name. This fact, along with the filenames, leads us to believe that the malware is spread via spearphishing,” he added.

“So far, we have only observed a few samples. Besides variations in some constants and hardcoded strings, the samples are remarkably similar,” Côté Cyr wrote. “The only notable change is the addition of some anti-analysis techniques in the latest versions. The first of these consists of using the ‘CreateToolhelp32Snapshot’ Windows API function to iterate through running processes and look for the following known debuggers and monitoring tools.”

The second technique uses the ‘FindWindowW’ Windows API to look for the following Window Classes and Titles used by known analysis tools, Côté Cyr detailed. “When executed directly, the malware will launch a copy of itself with 1 as a command line argument. This is repeated by the new process, with the argument being incremented by 1 on every run. When this argument hits specific values, certain tasks will be executed. However, the tasks themselves and the order in which they are executed are constant.”

Côté Cyr said that all communication between the server and the client uses the same encoding scheme. “The MQTT message’s payload is a JSON object with a single attribute named ‘msg.’ To generate the value of this attribute, the actual content is first base64 encoded, then XORed with the hardcoded string ‘nasa,’ and base64 encoded again.” 

He added that upon first connecting to the broker, the malware subscribes to its unique topic. Then, and every 30 seconds thereafter, the client publishes a KeepAlive message to the server’s topic.

When the server wants to issue a command, it publishes a message to the client’s unique topic. The plaintext content of this message is simply the command to be executed. The client executes the received command via the Qt framework, and the output obtained is then sent back in a JSON object. Since only the content of standard output is sent back, the server will not receive errors or warnings. From the server’s point of view, a failed command is thus indistinguishable from a command that simply produces no output, unless some sort of redirection is performed.
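The encoding scheme and the MQTT exchange described above lend themselves to a defender-side check: decode captured broker traffic and flag clients that publish at a fixed cadence with payloads that only make sense under this scheme. The following script is an added example written for this article; it is not ESET's code or anything from the malware itself. It assumes a constructed broker log format (`<timestamp> PUBLISH client=<id> topic=<topic> payload=<json>`), assumes the KeepAlive content is the literal string "KeepAlive" and the sample command is "hostname" (both constructed for the test traffic), and uses only the details the article gives: a JSON object with a single `msg` attribute, base64, XOR with `nasa`, base64 again, and a 30-second publish interval.

```python
import base64
import binascii
import json
import re
from datetime import datetime
from itertools import cycle

# Hardcoded XOR key reported for MQsTTang's message encoding.
XOR_KEY = b"nasa"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_msg(plaintext: str) -> str:
    """Apply the reported scheme: base64 -> XOR 'nasa' -> base64.
    Used here only to build constructed test traffic."""
    inner = base64.b64encode(plaintext.encode("utf-8"))
    return base64.b64encode(xor_bytes(inner, XOR_KEY)).decode("ascii")


def decode_msg(value: str) -> str:
    """Reverse the scheme; raises on input that does not fit it."""
    outer = base64.b64decode(value, validate=True)
    inner = xor_bytes(outer, XOR_KEY)
    return base64.b64decode(inner, validate=True).decode("utf-8")


def decode_payload(payload: str):
    """Return plaintext if payload is a JSON object whose only attribute is
    'msg' and whose value decodes under the scheme; otherwise None."""
    try:
        obj = json.loads(payload)
    except json.JSONDecodeError:
        return None
    if not (isinstance(obj, dict) and list(obj) == ["msg"] and isinstance(obj["msg"], str)):
        return None
    try:
        return decode_msg(obj["msg"])
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


# Constructed (hypothetical) broker log format, one PUBLISH event per line.
LOG_RE = re.compile(r"^(?P<ts>\S+) PUBLISH client=(?P<client>\S+) topic=(?P<topic>\S+) payload=(?P<payload>.*)$")


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["client"], m["topic"], m["payload"]


def decode_log(lines):
    """Every PUBLISH whose payload decodes under the scheme, with its plaintext."""
    out = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, topic, payload = parsed
        plaintext = decode_payload(payload)
        if plaintext is not None:
            out.append({"ts": ts, "client": client, "topic": topic, "plaintext": plaintext})
    return out


def find_beacons(lines, interval=30.0, tolerance=2.0, min_count=3):
    """Flag (client, topic) pairs where every payload decodes under the scheme
    and consecutive publishes are ~interval seconds apart (the KeepAlive pattern)."""
    groups = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, topic, payload = parsed
        groups.setdefault((client, topic), []).append((ts, payload))
    hits = []
    for (client, topic), events in groups.items():
        if len(events) < min_count:
            continue
        events.sort()
        decoded = [decode_payload(p) for _, p in events]
        if any(d is None for d in decoded):
            continue  # plain IoT traffic, even if periodic, is not flagged
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        if all(abs(g - interval) <= tolerance for g in gaps):
            hits.append({"client": client, "topic": topic, "count": len(events), "messages": decoded})
    return hits


def _ev(ts, client, topic, payload):
    return f"{ts} PUBLISH client={client} topic={topic} payload={payload}"


def _c2(content):
    return json.dumps({"msg": encode_msg(content)})


# Constructed sample log: one implant beaconing every 30 s, one server command
# on the client's unique topic, a periodic sensor, and an irregular chat client.
SAMPLE_LOG = [
    _ev("2023-01-05T10:00:00Z", "host-a1", "srv/in", _c2("KeepAlive")),
    _ev("2023-01-05T10:00:30Z", "host-a1", "srv/in", _c2("KeepAlive")),
    _ev("2023-01-05T10:00:45Z", "operator", "host-a1/5f10a2", _c2("hostname")),
    _ev("2023-01-05T10:01:00Z", "host-a1", "srv/in", _c2("KeepAlive")),
    _ev("2023-01-05T10:01:31Z", "host-a1", "srv/in", _c2("KeepAlive")),
    _ev("2023-01-05T10:00:05Z", "sensor-3", "home/temp", '{"temp": 21.5}'),
    _ev("2023-01-05T10:00:35Z", "sensor-3", "home/temp", '{"temp": 21.6}'),
    _ev("2023-01-05T10:01:05Z", "sensor-3", "home/temp", '{"temp": 21.4}'),
    _ev("2023-01-05T10:00:07Z", "app-9", "chat/room", '{"msg": "hello"}'),
    _ev("2023-01-05T10:00:52Z", "app-9", "chat/room", '{"msg": "hello again"}'),
    _ev("2023-01-05T10:03:12Z", "app-9", "chat/room", '{"msg": "bye"}'),
]

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit["client"], hit["topic"], hit["count"], sorted(set(hit["messages"])))
    for d in decode_log(SAMPLE_LOG):
        print(d["client"], "->", d["topic"], ":", d["plaintext"])
```

Note that the cadence check alone would also match the constructed temperature sensor, which is why the decoder is required on every payload before a pair is flagged; conversely, a client whose output messages share the KeepAlive topic would break the fixed cadence, so `decode_log` is the more robust starting point when the broker log is available in full.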

The second and third tasks are fairly similar to each other. They copy the malware’s executable to a hardcoded path. The file names used differ for each sample, but they are always located in the ‘C:\users\public’ directory, Côté Cyr said. 

Persistence is established by the fourth task, which creates a new value ‘qvlc’ under the registry key. “This will cause the malware to be executed on startup. When MQsTTang is executed on startup as ‘c:\users\public\vcall[dot]exe,’ only the C&C communication task is executed,” he added.

In conclusion, Côté Cyr said that the Mustang Panda campaign is ongoing as of this writing. The victimology is unclear, but the decoy filenames are in line with the group’s other campaigns that target European political entities. The new MQsTTang backdoor provides a kind of remote shell without any of the bells and whistles associated with the group’s other malware families. However, it shows that Mustang Panda is exploring new technology stacks for its tools. 

It remains to be seen whether this backdoor will become a recurring part of the group’s arsenal, but it is one more example of the group’s fast development and deployment cycle, he added.

Last September, ESET provided details about the Worok cyberespionage group, which develops its own tools and also leverages existing ones to compromise its targets. The firm believes the operators aim to steal information from their victims, since they focus on high-profile entities in Asia and Africa, targeting both the private and public sectors, with a specific emphasis on government entities.
