The Chinese threat actor known as Mustang Panda was seen deploying a new custom backdoor dubbed “MQsTTang” in attacks starting this year. Mustang Panda is an advanced persistent threat (APT) known to target organizations worldwide in data theft attacks. The group is also known by the names “TA416” and “Bronze President”. This threat actor first gained international attention due to its customized version of the PlugX malware. This new campaign from Mustang Panda primarily targets government organizations in Europe and Asia through spear-phishing emails.
Researchers at ESET have characterized MQsTTang as a “barebones” backdoor that enables the threat actor to execute remote commands on the victim’s machine and receive their output. On its initial launch, the malware starts a copy of itself with a command-line argument that selects its tasks, such as starting C2 communications. Persistence is established by adding a new registry value under CurrentVersion\Run so that it launches at system startup. What sets this backdoor apart from many others is its unusual use of the MQTT protocol for communication: routing all traffic through a broker makes the C2 channel resilient to takedowns, hides the attacker’s own infrastructure behind the broker, and makes it less likely to be noticed by defenders looking for more commonly used C2 protocols. The malware also checks for the presence of debuggers and monitoring tools on the host.
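Because the broker sits between implant and operator, the destination address of the C2 traffic is not the attacker's own host, so a hunt that keys on infrastructure alone will miss it. The two host-side behaviours the article does describe, a Run-key entry pointing back at the binary that wrote it and outbound MQTT from that same binary, are a better pair of signals. The script below is an added example (not ESET's tooling or code from the article) that parses a few constructed endpoint telemetry lines and reports processes exhibiting both; the key=value log format, the file paths, the IP addresses and the process names are all invented, and the use of TCP ports 1883 and 8883 is an assumption based on MQTT's default ports, which the article does not state and which an attacker is free to change.

```python
"""Hunt for MQsTTang-style behaviour in endpoint telemetry (added example)."""
import re

# Assumption: default MQTT ports. Brokers can listen anywhere, so treat this
# as a starting point, not a definitive indicator.
MQTT_PORTS = {1883, 8883}

# Matches any Run key (HKCU or HKLM) once the path is lower-cased.
RUN_KEY_MARKER = "\\currentversion\\run\\"

# Constructed sample telemetry, loosely modelled on Sysmon registry-set and
# network-connect events. None of these hosts, paths or addresses are real.
SAMPLE_LOG = [
    r"ts=2023-03-01T10:00:01Z type=reg_set pid=4120 image=C:\Users\alice\AppData\Roaming\update.exe key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\qvlc value=C:\Users\alice\AppData\Roaming\update.exe",
    r"ts=2023-03-01T10:00:02Z type=net_conn pid=4120 image=C:\Users\alice\AppData\Roaming\update.exe dst=203.0.113.10 dport=1883",
    r"ts=2023-03-01T10:05:00Z type=reg_set pid=5200 image=C:\Program Files\Vendor\setup.exe key=HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Vendor value=C:\Program Files\Vendor\tray.exe",
    r"ts=2023-03-01T10:06:00Z type=net_conn pid=6100 image=C:\Program Files\Chrome\chrome.exe dst=198.51.100.7 dport=443",
    r"ts=2023-03-01T10:07:00Z type=net_conn pid=7000 image=C:\Tools\mosquitto_sub.exe dst=192.0.2.5 dport=1883",
]

# key=value pairs whose values may contain spaces (Windows paths often do):
# a value runs until the next " word=" token or the end of the line.
_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_line(line):
    """Parse one telemetry line into a dict of field -> value."""
    return {m.group(1): m.group(2) for m in _KV.finditer(line.strip())}


def parse_log(lines):
    """Parse all non-empty lines of a log."""
    return [parse_line(line) for line in lines if line.strip()]


def hunt(events):
    """Return processes that set a Run value pointing at themselves, processes
    that connected to an MQTT port, and the intersection of the two."""
    run_self = set()   # image paths that registered themselves for autostart
    mqtt = set()       # image paths that spoke to an MQTT port
    for ev in events:
        image = ev.get("image", "").lower()
        if ev.get("type") == "reg_set":
            key = ev.get("key", "").lower()
            target = ev.get("value", "").strip('"').lower()
            # Self-registration: the Run value names the writer's own binary.
            if RUN_KEY_MARKER in key and target == image:
                run_self.add(image)
        elif ev.get("type") == "net_conn":
            try:
                port = int(ev.get("dport", "-1"))
            except ValueError:
                continue
            if port in MQTT_PORTS:
                mqtt.add(image)
    return {
        "run_key_self_persistence": sorted(run_self),
        "mqtt_connections": sorted(mqtt),
        "high_confidence": sorted(run_self & mqtt),
    }


if __name__ == "__main__":
    for label, hits in hunt(parse_log(SAMPLE_LOG)).items():
        print(f"{label}: {hits}")
```

On the sample data only the self-registering binary that also talks to an MQTT port lands in `high_confidence`; the legitimate installer that registers a different program and the standalone MQTT client are each reported in one of the weaker lists, which is where an analyst would go next to rule them in or out.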