Saturday, November 2, 2024
HomeCyber AttackMQsTTang - Chinese Hackers Using Custom Malware To Evade AV Detection

MQsTTang – Chinese Hackers Using Custom Malware To Evade AV Detection

Published on

Malware protection

In a recent analysis, MQsTTang, a newly designed custom backdoor, has been scrutinized by ESET researchers. After a thorough investigation, the source of this malware has been attributed to the infamous Mustang Panda APT group by the experts.

Tracing back to early January 2023, this ongoing campaign is attributed to the newly discovered backdoor. Customized versions of the PlugX malware are the weapon of choice for the notorious Mustang Panda APT group (aka TA416 and Bronze President), recognized for their worldwide data theft attacks.

This group operates as an advanced persistent threat (APT), with the intent to steal sensitive information from targeted organizations.

- Advertisement - SIEM as a Service

The latest malware, MQsTTang, introduced by Mustang Panda APT group, seems to be an original creation, not based on any prior malware. This suggests that the hackers designed it to bypass detection and restrict attribution to their group.

Distribution

With its primary focus on Taiwan and Ukraine, the ongoing campaign targets government and political organizations in Europe and Asia. It is pertinent to note that these regions have been on the radar of many notorious hacking groups for their geopolitical importance.

Targetting countires

Spear-phishing emails are the preferred mode for the distribution of the malware, while the payloads are downloaded from GitHub repositories created by a user affiliated with past campaigns of the Mustang Panda.

The malware in question is compressed in RAR archives and is executable once unzipped, and its file names have a distinctive diplomacy theme. 

Attack chain

According to ESET Report, MQsTTang is a “barebones” backdoor that provides the threat actor with remote command execution capabilities on the victim’s computer and allows them to receive the output of the commands.

The malware duplicates itself upon execution and includes a command-line argument that initiates several operations. Persistence is achieved by creating a new registry key under the following path to initiate the malware during system startup:-

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

There is only one task that is executed after rebooting, and that is the C2 communication task. The novel backdoor has an atypical trait in that it utilizes the MQTT protocol for facilitating communication between the command and control server.

The malware is imbued with an inherent ability to withstand command and control (C2) takedowns and evade detection by defenders. 

This is owing to the employment of MQTT, which facilitates communication through a broker and keeps the attacker’s infrastructure hidden. This makes it a less detectable choice compared to other commonly used C2 protocols that are frequently scrutinized by defenders.

In order to remain undetected, the MQsTTang malware employs a mechanism to detect the presence of debugging or monitoring tools on the host system. If any such tools are identified, the malware adapts its behavior to avoid detection.

Analysts at Trend Micro recently detected another instance of a Mustang Panda operation that spanned from March to October 2022. 

It is currently uncertain whether the MQsTTang malware will be incorporated into the long-term arsenal of the group responsible for its development or if it was created solely for a specific operation.

Indicators of Compromise

Files

SHA-1FilenameDetectionDescription
A1C660D31518C8AFAA6973714DE30F3D576B68FCCVs Amb.rarWin32/Agent.AFBIRAR archive used to distribute MQsTTang backdoor.
430C2EF474C7710345B410F49DF853BDEAFBDD78CVs Amb Officer PASSPORT Ministry Of Foreign Affairs.exeWin32/Agent.AFBIMQsTTang backdoor.
F1A8BF83A410B99EF0E7FDF7BA02B543B9F0E66CDocuments.rarWin32/Agent.AFBIRAR archive used to distribute MQsTTang backdoor.
02D95E0C369B08248BFFAAC8607BBA119D83B95BPDF_Passport and CVs of diplomatic members from Tokyo of JAPAN.eXEWin32/Agent.AFBIMQsTTang backdoor.
0EA5D10399524C189A197A847B8108AA8070F1B1Documents members of delegation diplomatic from Germany.ExeWin32/Agent.AFBIMQsTTang backdoor.
982CCAF1CB84F6E44E9296C7A1DDE2CE6A09D7BBDocuments.rarWin32/Agent.AFBIRAR archive used to distribute MQsTTang backdoor.
740C8492DDA786E2231A46BFC422A2720DB0279A23 from Embassy of Japan.exeWin32/Agent.AFBIMQsTTang backdoor.
AB01E099872A094DC779890171A11764DE8B4360BoomerangLib.dllWin32/Korplug.THKnown Mustang Panda Korplug loader.
61A2D34625706F17221C1110D36A435438BC0665breakpad.dllWin32/Korplug.UBKnown Mustang Panda Korplug loader.
30277F3284BCEEF0ADC5E9D45B66897FA8828BFDcoreclr.dllWin32/Agent.ADMWKnown Mustang Panda Korplug loader.
BEE0B741142A9C392E05E0443AAE1FA41EF512D6HPCustPartUI.dllWin32/Korplug.UBKnown Mustang Panda Korplug loader.
F6F3343F64536BF98DE7E287A7419352BF94EB93HPCustPartUI.dllWin32/Korplug.UBKnown Mustang Panda Korplug loader.
F848C4F3B9D7F3FE1DB3847370F8EEFAA9BF60F1libcef.dllWin32/Korplug.TXKnown Mustang Panda Korplug loader.

Network Security Checklist – Download Free E-Book

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...