www.welivesecurity.com
Open in
urlscan Pro
2a02:26f0:480:f::213:7ec8
Public Scan
URL:
https://www.welivesecurity.com/2023/03/02/mqsttang-mustang-panda-latest-backdoor-treads-new-ground-qt-mqtt/
Submission: On March 13 via api from IN — Scanned from DE
Submission: On March 13 via api from IN — Scanned from DE
Form analysis 5 forms found in the DOM
GET https://www.welivesecurity.com/
<form action="https://www.welivesecurity.com/" class="basic-searchform imc dark col-md-12 col-sm-10 col-xs-12" method="get" role="search">
<div class="search-input clearfix">
<input type="text" name="s" value="" placeholder="Search..." class="imc">
<button class="imc">
<span class="icomoon icon-icon_search imc"></span>
</button>
</div>
</form>GET https://www.welivesecurity.com/
<form action="https://www.welivesecurity.com/" class="basic-searchform imc dark col-md-12 col-sm-10 col-xs-12" method="get" role="search">
<div class="search-input clearfix">
<input type="text" name="s" value="" placeholder="Search..." class="imc">
<button class="imc">
<span class="icomoon icon-icon_search imc"></span>
</button>
</div>
</form>GET https://www.welivesecurity.com/
<form action="https://www.welivesecurity.com/" class="basic-searchform imc col-md-12 col-sm-10 col-xs-12" method="get" role="search">
<div class="search-input clearfix">
<input type="text" name="s" value="" placeholder="Search..." class="imc">
<button class="imc">
<span class="icomoon icon-icon_search imc"></span>
</button>
</div>
</form>POST https://enjoy.eset.com/pub/rf
<form action="https://enjoy.eset.com/pub/rf" class="basic-searchform col-md-12 col-sm-12 col-xs-12 no-padding newsletter" method="post" role="search">
<div class="search-input clearfix">
<input type="text" name="EMAIL_ADDRESS_" value="" placeholder="Email...">
<input type="hidden" name="TOPIC" value="We Live Security Ukraine Newsletter">
<input type="hidden" name="_ri_" value="X0Gzc2X%3DAQpglLjHJlTQGgXv4jDGEK4KW2uhw0qgUzfwuivmOJOPCgzgo9vsI3VwjpnpgHlpgneHmgJoXX0Gzc2X%3DAQpglLjHJlTQGzbD6yU2pAgzaJM16bkTA7tOwuivmOJOPCgzgo9vsI3">
<input type="hidden" name="_ei_" value="Ep2VKa8UKNIAPP_2GAEW0bY">
<input type="hidden" name="_di_" value="m0a5n0j02duo9clmm4btuu5av8rdtvqfqd03v1hallrvcob47ad0">
<input type="hidden" name="EMAIL_PERMISSION_STATUS_" value="O">
<input type="hidden" name="CONTACT_SOURCE_MOST_RECENT" value="WLS_Subscribe_Form">
<button class="button-flag"> Submit </button>
</div>
</form>POST https://enjoy.eset.com/pub/rf
<form action="https://enjoy.eset.com/pub/rf" class="basic-searchform col-md-12 col-sm-12 col-xs-12 no-padding newsletter" method="post" role="search">
<div class="search-input clearfix">
<input type="text" name="EMAIL_ADDRESS_" value="" placeholder="Email...">
<input type="hidden" name="NEWSLETTER" value="We Live Security">
<input type="hidden" name="_ri_" value="X0Gzc2X%3DAQpglLjHJlTQGgXv4jDGEK4KW2uhw0qgUzfwuivmOJOPCgzgo9vsI3VwjpnpgHlpgneHmgJoXX0Gzc2X%3DAQpglLjHJlTQGzbD6yU2pAgzaJM16bkTA7tOwuivmOJOPCgzgo9vsI3">
<input type="hidden" name="_ei_" value="Ep2VKa8UKNIAPP_2GAEW0bY">
<input type="hidden" name="_di_" value="m0a5n0j02duo9clmm4btuu5av8rdtvqfqd03v1hallrvcob47ad0">
<input type="hidden" name="EMAIL_PERMISSION_STATUS_" value="O">
<input type="hidden" name="CONTACT_SOURCE_MOST_RECENT" value="WLS_Subscribe_Form">
<button class=""> Submit </button>
</div>
</form>Text Content
In English
* Em Português
* En français
* En Español
* In Deutsch
Menu toggle menu
* All Posts
* Ukraine Crisis – Digital Security Resource Center
* We Live Progress
* Research
* How To
* Videos
* Conference Materials
* White Papers
* Threat Reports
* Our Experts
* Em Português
* En français
* En Español
* In Deutsch
Award-winning news, views, and insight from the ESET security community
MQSTTANG: MUSTANG PANDA’S LATEST BACKDOOR TREADS NEW GROUND WITH QT AND MQTT
ESET researchers tease apart MQsTTang, a new backdoor used by Mustang Panda,
which communicates via the MQTT protocol
Alexandre Côté Cyr
2 Mar 2023 - 11:30AM
Share
ESET researchers tease apart MQsTTang, a new backdoor used by Mustang Panda,
which communicates via the MQTT protocol
ESET researchers have analyzed MQsTTang, a new custom backdoor that we attribute
to the Mustang Panda APT group. This backdoor is part of an ongoing campaign
that we can trace back to early January 2023. Unlike most of the group’s
malware, MQsTTang doesn’t seem to be based on existing families or publicly
available projects.
Mustang Panda is known for its customized Korplug variants (also dubbed PlugX)
and elaborate loading chains. In a departure from the group’s usual tactics,
MQsTTang has only a single stage and doesn’t use any obfuscation techniques.
VICTIMOLOGY
We have seen unknown entities in Bulgaria and Australia in our telemetry. We
also have information indicating that this campaign is targeting a governmental
institution in Taiwan. However, due to the nature of the decoy filenames used,
we believe that political and governmental organizations in Europe and Asia are
also being targeted. This would also be in line with the targeting of the
group’s other recent campaigns. As documented by fellow researchers at
Proofpoint, Mustang Panda has been known to target European governmental
entities since at least 2020 and has increased its activity in Europe even
further, since Russia’s invasion of Ukraine. Figure 1 shows our view of the
targeting for this campaign.
Figure 1. Map showing known and suspected targets of MQsTTang
ATTRIBUTION
We attribute this new backdoor and the campaign to Mustang Panda with high
confidence based on the following indicators.
We found archives containing samples of MQsTTang in two GitHub repositories
belonging to the user YanNaingOo0072022. Another GitHub repository of the same
user was used in a previous Mustang Panda campaign described by Avast in a
December 2022 blogpost.
One of the servers used in the current campaign was running a publicly
accessible anonymous FTP server that seems to be used to stage tools and
payloads. In the /pub/god directory of this server there are multiple Korplug
loaders, archives, and tools that were used in previous Mustang Panda campaigns.
This is the same directory that was used by the stager described in the
aforementioned Avast blogpost. This server also had a /pub/gd directory, which
was another path used in that campaign.
Some of the infrastructure used in this campaign also matches the network
fingerprint of previously known Mustang Panda servers.
TECHNICAL ANALYSIS
MQsTTang is a barebones backdoor that allows the attacker to execute arbitrary
commands on a victim’s machine and get the output. Even so, it does present some
interesting characteristics. Chief among these is its use of the MQTT protocol
for C&C communication. MQTT is typically used for communication between IoT
devices and controllers, and the protocol hasn’t been used in many publicly
documented malware families. One such example is Chrysaor, also known as Pegasus
for Android. From an attacker’s perspective, one of MQTT’s benefits is that it
hides the rest of their infrastructure behind a broker. Thus, the compromised
machine never communicates directly with the C&C server. As seen in Figure 2,
this capability is achieved by using the open source QMQTT library. This library
depends on the Qt framework, a large part of which is statically linked in the
malware. Using the Qt framework for malware development is also fairly uncommon.
Lazarus’s MagicRAT is one of the rare recently documented examples.
Figure 2. RTTI showing classes from the QMQTT library
MQsTTang is distributed in RAR archives which only contain a single executable.
These executables usually have names related to Diplomacy and passports such as:
* CVs Amb Officer PASSPORT Ministry Of Foreign Affairs.exe
* Documents members of delegation diplomatic from Germany.Exe
* PDF_Passport and CVs of diplomatic members from Tokyo of JAPAN.eXE
* Note No.18-NG-23 from Embassy of Japan.exe
These archives are hosted on a web server with no associated domain name. This
fact, along with the filenames, leads us to believe that the malware is spread
via spearphishing.
So far, we have only observed a few samples. Besides variations in some
constants and hardcoded strings, the samples are remarkably similar. The only
notable change is the addition of some anti-analysis techniques in the latest
versions. The first of these consists of using the CreateToolhelp32Snapshot
Windows API function to iterate through running processes and look for the
following known debuggers and monitoring tools.
* cheatengine-x86_64.exe
* ollydbg.exe
* ida.exe
* ida64.exe
* radare2.exe
* x64dbg.exe
* procmon.exe
* procmon64.exe
* procexp.exe
* processhacker.exe
* pestudio.exe
* systracerx32.exe
* fiddler.exe
* tcpview.exe
Note that, while the malware is a 32-bit executable, it only checks for the
presence of x64dbg and not its 32-bit counterpart, x32dbg.
The second technique uses the FindWindowW Windows API to look for the following
Window Classes and Titles used by known analysis tools:
* PROCMON_WINDOW_CLASS
* OLLYDBG
* WinDbgFrameClass
* OllyDbg – [CPU]
* Immunity Debugger – [CPU]
When executed directly, the malware will launch a copy of itself with 1 as a
command line argument. This is repeated by the new process, with the argument
being incremented by 1 on every run. When this argument hits specific values,
certain tasks will be executed. Note that the exact values vary between samples;
the ones mentioned below correspond to the sample with SHA-1
02D95E0C369B08248BFFAAC8607BBA119D83B95B. However, the tasks themselves and the
order in which they are executed is constant.
Figure 3 shows an overview of this behavior along with the tasks that are
executed when the malware is first run.
Figure 3. Execution graph showing the subprocesses and executed tasks
Table 1 contains a list of the tasks and the value at which each of them is
executed. We will describe them in further detail in the upcoming paragraphs.
Table 1. Tasks executed by the backdoor
Task numberArgument valueTask description 15Start C&C communication. 29Create
copy and launch. 332Create persistence copy. 4119Establish persistence. 5148Stop
recursive execution.
If any analysis tool or debugger is detected using the techniques we described
previously, the behavior of task 1 is altered and tasks 2, 3, and 4 are skipped
entirely.
TASK 1: C&C COMMUNICATION
As was previously mentioned, MQsTTang communicates with its C&C server over the
MQTT protocol. All observed samples use 3.228.54.173 as broker. This server is a
public broker operated by EMQX, who also happen to be the maintainers of the
QMQTT library. This could be a way to make the network traffic seem legitimate
and to hide Mustang Panda’s own infrastructure. Using this public broker also
provides resiliency; the service is unlikely to be taken down because of its
many legitimate users and, even if the current C&C servers are banned or taken
down, Mustang Panda could spin up new ones and use the same MQTT topics without
disrupting MQsTTang’s operation.
However, this campaign could also be a test case by Mustang Panda before
deciding whether to invest the time and resources to set up their own broker.
This is supported by the low number of samples we’ve observed and the very
simple nature of MQsTTang.
As shown in Figure 4, the malware and C&C server use two MQTT topics for their
communication. The first one, iot/server2, is used for communication from the
client to the server. The second one is used for communication from the server
to the client. It follows the format iot/v2/<Unique ID> where <Unique ID> is
generated by taking the last 8 bytes, in hex form, of a UUID. If any analysis
tool is detected, server2 and v2 are respectively replaced with server0 and v0.
This is likely in order to avoid tipping off defenders by entirely aborting the
malware’s execution early.
Figure 4. Simplified network graph of the communication between the backdoor and
C&C server
All communication between the server and the client uses the same encoding
scheme. The MQTT message’s payload is a JSON object with a single attribute
named msg. To generate the value of this attribute, the actual content is first
base64 encoded, then XORed with the hardcoded string nasa, and base64 encoded
again. We will describe the exact format of these payloads in the relevant
sections.
Upon first connecting to the broker, the malware subscribes to its unique topic.
Then, and every 30 seconds thereafter, the client publishes a KeepAlive message
to the server’s topic. The content of this message is a JSON object with the
following format:
{ "Alive": "<malware’s uptime in minutes>", "c_topic": "<client’s unique topic>"
}
1
2
3
4
{
"Alive": "<malware’s uptime in minutes>",
"c_topic": "<client’s unique topic>"
}
When the server wants to issue a command, it publishes a message to the client’s
unique topic. The plaintext content of this message is simply the command to be
executed. As shown in Figure 5, the client executes the received command using
QProcess::startCommand from the Qt framework. The output, obtained using
QProcess::readAllStandardOutput, is then sent back in a JSON object with the
following format:
{ "c_topic": "<client’s unique topic>", "ret": "<Command output>" }
1
2
3
4
{
"c_topic": "<client’s unique topic>",
"ret": "<Command output>"
}
Figure 5. Execution of received commands using the QProcess class
Since only the content of standard output is sent back, the server will not
receive errors or warnings. From the server’s point of view, a failed command is
thus indistinguishable from a command that simply produces no output unless some
sort of redirection is performed.
TASKS 2 AND 3: COPYING THE MALWARE
The second and third tasks are fairly similar to each other. They copy the
malware’s executable to a hardcoded path; c:\users\public\vdump.exe and
c:\users\public\vcall.exe respectively. The filenames used are different for
each sample, but they are always located in the C:\users\public directory.
In the second task, the newly created copy is then launched with the command
line argument 97.
TASK 4: ESTABLISHING PERSISTENCE
Persistence is established by the fourth task, which creates a new value qvlc
set to c:\users\public\vcall.exe under the
HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key. This will cause
the malware to be executed on startup.
When MQsTTang is executed on startup as c:\users\public\vcall.exe, only the C&C
communication task is executed.
CONCLUSION
The Mustang Panda campaign described in this article is ongoing as of this
writing. The victimology is unclear, but the decoy filenames are in line with
the group’s other campaigns that target European political entities.
This new MQsTTang backdoor provides a kind of remote shell without any of the
bells and whistles associated with the group’s other malware families. However,
it shows that Mustang Panda is exploring new technology stacks for its tools. It
remains to be seen whether this backdoor will become a recurring part of the
group’s arsenal, but it is one more example of the group’s fast development and
deployment cycle.
ESET Research offers private APT intelligence reports and data feeds. For any
inquiries about this service, visit the ESET Threat Intelligence page.
IOCS
FILES
SHA-1FilenameDetectionDescription A1C660D31518C8AFAA6973714DE30F3D576B68FCCVs
Amb.rarWin32/Agent.AFBIRAR archive used to distribute MQsTTang backdoor.
430C2EF474C7710345B410F49DF853BDEAFBDD78CVs Amb Officer PASSPORT Ministry Of
Foreign Affairs.exeWin32/Agent.AFBIMQsTTang backdoor.
F1A8BF83A410B99EF0E7FDF7BA02B543B9F0E66CDocuments.rarWin32/Agent.AFBIRAR archive
used to distribute MQsTTang backdoor.
02D95E0C369B08248BFFAAC8607BBA119D83B95BPDF_Passport and CVs of diplomatic
members from Tokyo of JAPAN.eXEWin32/Agent.AFBIMQsTTang backdoor.
0EA5D10399524C189A197A847B8108AA8070F1B1Documents members of delegation
diplomatic from Germany.ExeWin32/Agent.AFBIMQsTTang backdoor.
982CCAF1CB84F6E44E9296C7A1DDE2CE6A09D7BBDocuments.rarWin32/Agent.AFBIRAR archive
used to distribute MQsTTang backdoor. 740C8492DDA786E2231A46BFC422A2720DB0279A23
from Embassy of Japan.exeWin32/Agent.AFBIMQsTTang backdoor.
AB01E099872A094DC779890171A11764DE8B4360BoomerangLib.dllWin32/Korplug.THKnown
Mustang Panda Korplug loader.
61A2D34625706F17221C1110D36A435438BC0665breakpad.dllWin32/Korplug.UBKnown
Mustang Panda Korplug loader.
30277F3284BCEEF0ADC5E9D45B66897FA8828BFDcoreclr.dllWin32/Agent.ADMWKnown Mustang
Panda Korplug loader.
BEE0B741142A9C392E05E0443AAE1FA41EF512D6HPCustPartUI.dllWin32/Korplug.UBKnown
Mustang Panda Korplug loader.
F6F3343F64536BF98DE7E287A7419352BF94EB93HPCustPartUI.dllWin32/Korplug.UBKnown
Mustang Panda Korplug loader.
F848C4F3B9D7F3FE1DB3847370F8EEFAA9BF60F1libcef.dllWin32/Korplug.TXKnown Mustang
Panda Korplug loader.
NETWORK
IPDomainHosting providerFirst seenDetails 3.228.54.173broker.emqx.ioAmazon.com,
Inc.2020-03-26Legitimate public MQTT broker.
80.85.156[.]151N/AChelyabinsk-Signal LLC2023-01-05MQsTTang delivery server.
80.85.157[.]3N/AChelyabinsk-Signal LLC2023-01-16MQsTTang delivery server.
185.144.31[.]86N/AAbuse-C Role2023-01-22MQsTTang delivery server.
GITHUB REPOSITORIES
* https://raw.githubusercontent[.]com/YanNaingOo0072022/14/main/Documents.rar
* https://raw.githubusercontent[.]com/YanNaingOo0072022/ee/main/CVs Amb.rar
MITRE ATT&CK TECHNIQUES
This table was built using version 12 of the MITRE ATT&CK framework.
TacticIDNameDescription Resource DevelopmentT1583.003Acquire Infrastructure:
Virtual Private ServerSome servers used in the campaign are on shared hosting.
T1583.004Acquire Infrastructure: ServerSome servers used in the campaign seem to
be exclusive to Mustang Panda. T1587.001Develop Capabilities: MalwareMQsTTang is
a custom backdoor, probably developed by Mustang Panda. T1588.002Obtain
Capabilities: ToolMultiple legitimate and open- source tools, including psexec,
ps, curl, and plink, were found on the staging server. T1608.001Stage
Capabilities: Upload MalwareMQsTTang was uploaded to the web server for
distribution. T1608.002Stage Capabilities: Upload ToolMultiple tools were
uploaded to an FTP server. Initial AccessT1566.002Phishing: Spearphishing
LinkMQsTTang is distributed via spearphishing links to a malicious file on an
attacker-controlled web server. ExecutionT1106Native APIMQsTTang uses the
QProcess class from the Qt framework to execute commands. T1204.002User
Execution: Malicious FileMQsTTang relies on the user to execute the downloaded
malicious file. PersistenceT1547.001Boot or Logon Autostart Execution: Registry
Run Keys / Startup FolderMQsTTang persists by creating a registry Run key.
Defense EvasionT1036.004Masquerading: Masquerade Task or ServiceIn most samples,
the registry key is created with the name qvlc. This matches the name of a
legitimate executable used by VLC. T1036.005Masquerading: Match Legitimate Name
or LocationWhen creating copies, MQsTTang uses filenames of legitimate programs.
T1480Execution GuardrailsMQsTTang checks the paths it is executed from to
determine which tasks to execute. T1622Debugger EvasionMQsTTang detects running
debuggers and alters its behavior if any are found to be present. Command and
ControlT1071Application Layer ProtocolMQsTTang communicates with its C&C server
using the MQTT protocol. T1102.002Web Service: Bidirectional
CommunicationMQsTTang uses a legitimate public MQTT broker. T1132.001Data
Encoding: Standard EncodingThe content of the messages between the malware and
server is base64 encoded. T1573.001Encrypted Channel: Symmetric CryptographyThe
content of the messages between the malware and server is encrypted using a
repeating XOR key. ExfiltrationT1041Exfiltration Over C2 ChannelThe output of
executed commands is sent back to the server using the same protocol.
Alexandre Côté Cyr
2 Mar 2023 - 11:30AM
SIGN UP TO RECEIVE AN EMAIL UPDATE WHENEVER A NEW ARTICLE IS PUBLISHED IN OUR
UKRAINE CRISIS – DIGITAL SECURITY RESOURCE CENTER
Submit
NEWSLETTER
Submit
SIMILAR ARTICLES
ESET Research
LOVE SCAM OR ESPIONAGE? TRANSPARENT TRIBE LURES INDIAN AND PAKISTANI OFFICIALS
ESET Research
BLACKLOTUS UEFI BOOTKIT: MYTH CONFIRMED
ESET Research
ESET RESEARCH PODCAST: RANSOMWARE TRASHED DATA, ANDROID THREATS SOARED IN T3
2022
ESET Research
WINORDLL64: A BACKDOOR FROM THE VAST LAZARUS ARSENAL?
DISCUSSION
* Home
* About Us
* Contact Us
* Sitemap
* Our Experts
* ESET
* Research
* How To
* Categories
* RSS Configurator
Privacy policy Legal information Manage cookies
Copyright © ESET, All Rights Reserved
Back to top
Your account, your cookies choice
We and our partners use cookies to give you the best optimized online
experience, analyze our website traffic, and serve you with personalized ads.
You can agree to the collection of all cookies by clicking "Accept all and
close" or adjust your cookie settings by clicking "Manage cookies". You also
have the right to withdraw your consent to cookies anytime. For more
information, please see our Cookie Policy.
Accept all and close
Manage cookies
Essential cookies
These first-party cookies are necessary for the functioning and security of our
website and the services you require. They are usually set in response to your
actions to enable the use of certain functionality, such as remembering your
cookie preferences, logging in, or holding items in your cart. You can´t opt out
of these cookies, and blocking them via a browser may affect site functionality.
Basic Analytical Cookies
These first-party cookies enable us to measure the number of visitors/users of
our website and create aggregated usage and performance statistics with the help
of our trusted partners. We use them to get the basic insight into our website
traffic and our campaign performance and to solve bugs on our website.
Advanced Analytical Cookies
These first or third-party cookies help us understand how you interact with our
website and each offered service by enriching our datasets with data from
third-party tools. We use these cookies to improve our website, services, and
user experience, find and solve bugs or other problems with them, and evaluate
our campaigns´ effectiveness.
Marketing cookies
These third-party cookies allow our marketing partners to track some of your
activities on our website (for example, when you download or buy our product) to
learn about your interests and needs and to show you more relevant targeted ads.
Accept and close
Back