The Chinese threat actor known as Mustang Panda was seen deploying a new custom backdoor dubbed “MQsTTang” in attacks starting this year. Mustang Panda is an advanced persistent threat (APT) known to target organizations worldwide in data theft attacks. The group is also known by the names “TA416” and “Bronze President”. This threat actor first gained international attention due to its customized version of the PlugX malware. This new campaign from Mustang Panda primarily targets government organizations in Europe and Asia through spear-phishing emails.
Researchers at ESET have characterized MQsTTang as a “barebones” backdoor that enables the threat actor to execute remote commands on the victim’s machine and receive their output. Upon its initial launch, the malware creates a copy of itself with a command line argument that performs various tasks such as starting C2 Communications. Persistence is established by adding a new registry key under CurrentVersionRun to launch itself at system startup. What sets this backdoor apart from many others is its unusual use of the MQTT protocol for communication, which provides resilience to C2 takedowns, hides the attacker’s infrastructure by passing all communications through a broker, and makes it less likely to be detected by defenders looking for more commonly used C2 protocols. The malware also checks for the presence of debuggers and monitoring tools on a host.
The Message Queuing Telemetry Transport (MQTT) protocol is a protocol that is known as the standard for IoT messaging and occurs over port 1883. As IoT devices become more and more prevalent in an environment, this typically opens a greater number of potential vulnerabilities to be exploited as IoT devices are often more insecure. From an organizational standpoint, the best way to protect against this campaign would be to limit IoT devices in the environment to cut down on port 1883 noise and to monitor connections over this port, investigating any abnormal results. Additionally, it would also be beneficial to modify changes to the CurrentVersionRun registry key.