Chinese APT Group Deploying New Malware Backdoor
Mustang Panda Using MQsTTang Tool to Target Victims in Asia and Europe, Eset Finds
Chinese nation-state hackers are using a previously unseen malware backdoor as part of the latest campaign targeting governmental organizations in Europe and Asia, a new report by security firm Eset finds.
The new backdoor, dubbed MQsTTang by Eset researchers, is being deployed by hacking group Mustang Panda as part of an ongoing spear-phishing campaign that began in January, specifically targeting government organizations in Ukraine and Taiwan.
According to the report, the new backdoor uses MQTT, a protocol that facilitates communication between IoT devices, for its command-and-control communication, making it the first-ever known case of the protocol's application being detected in malware.
"From an attacker's perspective, one of MQTT's benefits is that it hides the rest of their infrastructure behind a broker," the report says. "Thus, the compromised machine never communicates directly with the C&C server."
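One way a defender can surface this pattern is to look for MQTT CONNECT packets leaving hosts that have no reason to speak MQTT, whatever port is used. The following is an added example, not code from Eset's report; the session records, addresses and the `APPROVED_MQTT_CLIENTS` allowlist are constructed assumptions.

```python
from typing import Optional

def parse_mqtt_connect(payload: bytes) -> Optional[dict]:
    """Return protocol details if payload begins with an MQTT CONNECT packet."""
    if len(payload) < 2 or payload[0] != 0x10:  # CONNECT: packet type 1, flags 0
        return None
    # Remaining Length is a variable-length integer: 1-4 bytes, 7 bits each.
    remaining, shift, pos = 0, 0, 1
    while True:
        if pos >= len(payload) or pos > 4:
            return None
        byte = payload[pos]
        remaining |= (byte & 0x7F) << shift
        shift += 7
        pos += 1
        if not byte & 0x80:
            break
    # Variable header: 2-byte length, protocol name, 1-byte protocol level.
    name_len = int.from_bytes(payload[pos:pos + 2], "big")
    name = payload[pos + 2:pos + 2 + name_len]
    level_at = pos + 2 + name_len
    if name not in (b"MQTT", b"MQIsdp") or level_at >= len(payload):
        return None
    return {"protocol": name.decode(), "level": payload[level_at],
            "remaining_length": remaining}

def flag_unexpected_mqtt(sessions, approved_clients):
    """Return sessions that open with MQTT CONNECT from a host not on the allowlist."""
    hits = []
    for s in sessions:
        info = parse_mqtt_connect(s["first_payload"])
        if info and s["src"] not in approved_clients:
            hits.append({"src": s["src"], "dst": s["dst"], "dport": s["dport"], **info})
    return hits

# Constructed sample data (documentation address ranges, hypothetical hosts).
CONNECT_311 = bytes.fromhex("101000044d5154540402003c000477733031")
APPROVED_MQTT_CLIENTS = {"10.0.9.4"}  # assumption: a known IoT gateway
SESSIONS = [
    {"src": "10.0.5.23", "dst": "203.0.113.10", "dport": 1883, "first_payload": CONNECT_311},
    {"src": "10.0.9.4", "dst": "198.51.100.7", "dport": 1883, "first_payload": CONNECT_311},
    {"src": "10.0.5.40", "dst": "203.0.113.10", "dport": 443, "first_payload": b"GET / HTTP/1.1\r\n"},
    {"src": "10.0.5.23", "dst": "192.0.2.50", "dport": 8080, "first_payload": CONNECT_311},
]

if __name__ == "__main__":
    for hit in flag_unexpected_mqtt(SESSIONS, APPROVED_MQTT_CLIENTS):
        print(hit)
```

This content match only sees cleartext MQTT; sessions wrapped in TLS need broker-address or certificate-based review instead.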
The malware is currently being spread as RAR files that are hosted on a web server, the report adds. Once deployed, the malware then performs a range of tasks, such as establishing a connection with the command-and-control server and establishing persistence.
Eset researchers are unclear about the motive behind this campaign, but they say it could be "trial and error" use by Mustang Panda to test the new tool. The report also says not many versions of the latest malware have been spotted in the wild.
Mustang Panda, also known as Bronze President and HoneyMyte, is a Chinese threat group that is known to target government organizations for cyberespionage activities.
According to a recent alert from security firm CrowdStrike, the group is among a host of Chinese nation-state groups that are now exploiting zero-days and other vulnerabilities to target U.S. organizations (see: Chinese State Hackers Level Up Their Abilities: CrowdStrike).