ESET researchers tease apart MQsTTang, a new backdoor used by Mustang Panda, which communicates via the MQTT protocol
ESET researchers have analyzed MQsTTang, a new custom backdoor that we attribute to the Mustang Panda APT group. This backdoor is part of an ongoing campaign that we can trace back to early January 2023. Unlike most of the group's malware, MQsTTang doesn't seem to be based on existing families or publicly available projects.
Mustang Panda is known for its customized Korplug variants (also dubbed PlugX) and elaborate loading chains. In a departure from the group's usual tactics, MQsTTang has only a single stage and doesn't use any obfuscation techniques.
Victimology
We have seen unknown entities in Bulgaria and Australia in our telemetry. We also have information indicating that this campaign is targeting a governmental institution in Taiwan. However, due to the nature of the decoy filenames used, we believe that political and governmental organizations in Europe and Asia are also being targeted. This would also be in line with the targeting of the group's other recent campaigns. As documented by fellow researchers at Proofpoint, Mustang Panda has been known to target European governmental entities since at least 2020 and has increased its activity in Europe even further since Russia's invasion of Ukraine. Figure 1 shows our view of the targeting for this campaign.
Attribution
We attribute this new backdoor and the campaign to Mustang Panda with high confidence based on the following indicators.
We found archives containing samples of MQsTTang in two GitHub repositories belonging to the user YanNaingOo0072022. Another GitHub repository of the same user was used in a previous Mustang Panda campaign described by Avast in a December 2022 blogpost.
One of the servers used in the current campaign was running a publicly accessible anonymous FTP server that seems to be used to stage tools and payloads. In the /pub/god directory of this server there are multiple Korplug loaders, archives, and tools that were used in previous Mustang Panda campaigns. This is the same directory that was used by the stager described in the aforementioned Avast blogpost. This server also had a /pub/gd directory, which was another path used in that campaign.
Some of the infrastructure used in this campaign also matches the network fingerprint of previously known Mustang Panda servers.
Technical analysis
MQsTTang is a barebones backdoor that allows the attacker to execute arbitrary commands on a victim's machine and get the output. Even so, it does present some interesting characteristics. Chief among these is its use of the MQTT protocol for C&C communication. MQTT is typically used for communication between IoT devices and controllers, and the protocol hasn't been used in many publicly documented malware families. One such example is Chrysaor, also known as Pegasus for Android. From an attacker's perspective, one of MQTT's benefits is that it hides the rest of their infrastructure behind a broker: the compromised machine never communicates directly with the C&C server, so the only address visible in the victim's traffic is the broker's. As seen in Figure 2, this capability is achieved by using the open source QMQTT library. This library depends on the Qt framework, a large part of which is statically linked in the malware. Using the Qt framework for malware development is also fairly uncommon. Lazarus's MagicRAT is one of the rare recently documented examples.
MQsTTang is distributed in RAR archives which only contain a single executable. These executables usually have names related to diplomacy and passports such as:
- CVs Amb Officer PASSPORT Ministry Of Foreign Affairs.exe
- Documents members of delegation diplomatic from Germany.Exe
- PDF_Passport and CVs of diplomatic members from Tokyo of JAPAN.eXE
- Note No.18-NG-23 from Embassy of Japan.exe
These archives are hosted on a web server with no associated domain name. This fact, along with the filenames, leads us to believe that the malware is spread via spearphishing.
So far, we have only observed a few samples. Aside from variations in some constants and hardcoded strings, the samples are remarkably similar. The only notable change is the addition of some anti-analysis techniques in the latest versions. The first of these consists of using the CreateToolhelp32Snapshot Windows API function to iterate through running processes and look for the following known debuggers and monitoring tools.
- cheatengine-x86_64.exe
- ollydbg.exe
- ida.exe
- ida64.exe
- radare2.exe
- x64dbg.exe
- procmon.exe
- procmon64.exe
- procexp.exe
- processhacker.exe
- pestudio.exe
- systracerx32.exe
- fiddler.exe
- tcpview.exe
Note that, while the malware is a 32-bit executable, it only checks for the presence of x64dbg and not its 32-bit counterpart, x32dbg.
The second technique uses the FindWindowW Windows API to look for the following window classes and titles used by known analysis tools:
- PROCMON_WINDOW_CLASS
- OLLYDBG
- WinDbgFrameClass
- OllyDbg – [CPU]
- Immunity Debugger – [CPU]
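The two checks, re-implemented as an added example (this is not code from the malware or from ESET). The process and window lists are the ones above; whether the backdoor compares image names case-insensitively is not stated, so the case-insensitive match here is an assumption, and the window titles use a plain hyphen, which is how OllyDbg and Immunity Debugger actually title their main windows. The Win32 calls only run on Windows; the matching function can be exercised anywhere with a supplied list, which is also where the x32dbg gap shows up.

```python
"""Re-implementation of MQsTTang's two anti-analysis checks (added example, not the
malware's or ESET's code): a Toolhelp32 process walk and FindWindowW probes."""
import ctypes
import sys

# Process image names the backdoor looks for (compared case-insensitively here: assumption)
DEBUGGER_PROCESSES = {
    "cheatengine-x86_64.exe", "ollydbg.exe", "ida.exe", "ida64.exe", "radare2.exe",
    "x64dbg.exe", "procmon.exe", "procmon64.exe", "procexp.exe", "processhacker.exe",
    "pestudio.exe", "systracerx32.exe", "fiddler.exe", "tcpview.exe",
}
# Window class names, then window titles, probed with FindWindowW
ANALYSIS_WINDOW_CLASSES = ["PROCMON_WINDOW_CLASS", "OLLYDBG", "WinDbgFrameClass"]
ANALYSIS_WINDOW_TITLES = ["OllyDbg - [CPU]", "Immunity Debugger - [CPU]"]  # plain hyphen


def detect_tools(process_names, window_classes=(), window_titles=()):
    """Return the indicators the backdoor would trip on, given what is present on the box."""
    hits = [p for p in process_names if p.lower() in DEBUGGER_PROCESSES]
    hits += [c for c in window_classes if c in ANALYSIS_WINDOW_CLASSES]
    hits += [t for t in window_titles if t in ANALYSIS_WINDOW_TITLES]
    return hits


class PROCESSENTRY32W(ctypes.Structure):
    _fields_ = [
        ("dwSize", ctypes.c_ulong), ("cntUsage", ctypes.c_ulong),
        ("th32ProcessID", ctypes.c_ulong), ("th32DefaultHeapID", ctypes.c_void_p),
        ("th32ModuleID", ctypes.c_ulong), ("cntThreads", ctypes.c_ulong),
        ("th32ParentProcessID", ctypes.c_ulong), ("pcPriClassBase", ctypes.c_long),
        ("dwFlags", ctypes.c_ulong), ("szExeFile", ctypes.c_wchar * 260),
    ]


def snapshot_process_names():
    """Windows only: the same CreateToolhelp32Snapshot / Process32FirstW / Process32NextW walk."""
    k32 = ctypes.windll.kernel32
    k32.CreateToolhelp32Snapshot.restype = ctypes.c_void_p
    k32.Process32FirstW.argtypes = [ctypes.c_void_p, ctypes.POINTER(PROCESSENTRY32W)]
    k32.Process32NextW.argtypes = [ctypes.c_void_p, ctypes.POINTER(PROCESSENTRY32W)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    snap = k32.CreateToolhelp32Snapshot(0x00000002, 0)  # TH32CS_SNAPPROCESS
    if not snap or snap == ctypes.c_void_p(-1).value:  # INVALID_HANDLE_VALUE
        raise OSError("CreateToolhelp32Snapshot failed")
    names = []
    entry = PROCESSENTRY32W()
    entry.dwSize = ctypes.sizeof(entry)
    ok = k32.Process32FirstW(snap, ctypes.byref(entry))
    while ok:
        names.append(entry.szExeFile)
        ok = k32.Process32NextW(snap, ctypes.byref(entry))
    k32.CloseHandle(snap)
    return names


def probe_windows():
    """Windows only: FindWindowW by class name, then by window title."""
    u32 = ctypes.windll.user32
    u32.FindWindowW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p]
    u32.FindWindowW.restype = ctypes.c_void_p
    classes = [c for c in ANALYSIS_WINDOW_CLASSES if u32.FindWindowW(c, None)]
    titles = [t for t in ANALYSIS_WINDOW_TITLES if u32.FindWindowW(None, t)]
    return classes, titles


if __name__ == "__main__" and sys.platform == "win32":
    found_classes, found_titles = probe_windows()
    print(detect_tools(snapshot_process_names(), found_classes, found_titles))
```

For an analyst this means the sample can be debugged under x32dbg, or under any of the listed tools after renaming the executable, without tripping the checks; the FindWindowW probe is the one that still catches a renamed OllyDbg or Procmon, because it keys on the window class rather than the file name.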
When executed directly, the malware will launch a copy of itself with 1 as a command line argument. This is repeated by the new process, with the argument being incremented by 1 on every run. When this argument hits specific values, certain tasks will be executed. Note that the exact values vary between samples; the ones mentioned below correspond to the sample with SHA-1 02D95E0C369B08248BFFAAC8607BBA119D83B95B. However, the tasks themselves and the order in which they are executed is constant.
Figure 3 shows an overview of this behavior along with the tasks that are executed when the malware is first run.
Table 1 contains a list of the tasks and the value at which each of them is executed. We will describe them in further detail in the upcoming paragraphs.
Table 1. Tasks executed by the backdoor
Task number | Argument value | Task description |
---|---|---|
1 | 5 | Start C&C communication. |
2 | 9 | Create copy and launch. |
3 | 32 | Create persistence copy. |
4 | 119 | Establish persistence. |
5 | 148 | Stop recursive execution. |
If any analysis tool or debugger is detected using the techniques described previously, the behavior of task 1 is altered and tasks 2, 3, and 4 are skipped entirely.
Task 1: C&C communication
As previously mentioned, MQsTTang communicates with its C&C server over the MQTT protocol. All observed samples use 3.228.54.173 as broker. This server is a public broker operated by EMQX, who also happen to be the maintainers of the QMQTT library. This could be a way to make the network traffic seem legitimate and to hide Mustang Panda's own infrastructure. Using this public broker also provides resiliency: the service is unlikely to be taken down due to its many legitimate users and, even if the current C&C servers are banned or taken down, Mustang Panda could spin up new ones and use the same MQTT topics without disrupting MQsTTang's operation.
However, this campaign may be a test case by Mustang Panda before deciding whether to invest the time and resources to set up their own broker. This is supported by the low number of samples we have observed and the very simple nature of MQsTTang.
As shown in Figure 4, the malware and C&C server use two MQTT topics for their communication. The first one, iot/server2, is used for communication from the client to the server. The second one is used for communication from the server to the client. It follows the format iot/v2/<Unique ID> where <Unique ID> is generated by taking the last eight bytes, in hex form, of a UUID. If any analysis tool is detected, server2 and v2 are respectively replaced with server0 and v0. This is likely done to avoid tipping off defenders by completely aborting the malware's execution early.
All communication between the server and the client uses the same encoding scheme. The MQTT message's payload is a JSON object with a single attribute named msg. To generate the value of this attribute, the actual content is first base64 encoded, then XORed with the hardcoded string nasa, and base64 encoded again. Since the XOR key is fixed and short, this is obfuscation rather than encryption: anyone who can observe traffic to the broker can decode the messages. We will describe the exact format of these payloads in the relevant sections.
Upon first connecting to the broker, the malware subscribes to its unique topic. Then, and every 30 seconds thereafter, the client publishes a KeepAlive message to the server's topic. The content of this message is a JSON object with the following format:
```json
{"Alive": "<malware's uptime in minutes>", "c_topic": "<client's unique topic>"}
```
When the server wants to issue a command, it publishes a message to the client's unique topic. The plaintext content of this message is simply the command to be executed. As shown in Figure 5, the client executes the received command using QProcess::startCommand from the Qt framework. The output, obtained using QProcess::readAllStandardOutput, is then sent back in a JSON object with the following format:
```json
{"c_topic": "<client's unique topic>", "ret": "<command output>"}
```
Since only the content of standard output is sent back, the server won't receive errors or warnings. From the server's point of view, a failed command is thus indistinguishable from a command that simply produces no output unless some form of redirection is performed.
Tasks 2 and 3: Copying the malware
The second and third tasks are quite similar to each other. They copy the malware's executable to a hardcoded path: c:\users\public\vdump.exe and c:\users\public\vcall.exe respectively. The filenames used are different for each sample, but they are always located in the C:\users\public directory.
In the second task, the newly created copy is then launched with the command line argument 97.
Task 4: Establishing persistence
Persistence is established by the fourth task, which creates a new value qvlc set to c:\users\public\vcall.exe under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key. This will cause the malware to be executed on startup.
When MQsTTang is executed on startup as c:\users\public\vcall.exe, only the C&C communication task is executed.
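The host-side behaviours described in tasks 1 through 4 (a process re-launching itself with an incrementing integer argument, copies dropped under C:\users\public, a Run value named qvlc pointing there, and connections to the public broker) translate directly into hunting logic. The following is an added example, not ESET's tooling, that runs such logic over Sysmon-style events; the events are constructed (field names follow Sysmon event IDs 1, 3, 11 and 13, the SID, user name and lure path are invented, and port 1883 is the MQTT default rather than a value stated in the analysis).

```python
"""Hunting logic for MQsTTang host behaviours over Sysmon-style events (added example, not
ESET's tooling). The events are constructed: Sysmon field names, invented values."""
import re

PUBLIC_DIR = "c:\\users\\public\\"
RUN_VALUE_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run\\qvlc"
BROKER_IP = "3.228.54.173"  # broker.emqx.io: a legitimate service, so a weak signal on its own
# Sysmon quotes the image path; MQsTTang's only argument is a bare integer counter
INT_ARG_RE = re.compile(r'^"?(?P<image>[^"]+?)"?\s+(?P<arg>\d+)$')


def counter_arg(cmdline):
    """Return the integer argument of '<image> <n>' command lines, else None."""
    m = INT_ARG_RE.match(cmdline.strip())
    return int(m.group("arg")) if m else None


def hunt(events):
    """Return (rule, detail) tuples; correlate several on one host before acting."""
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:  # ProcessCreate
            image = ev["Image"].lower()
            arg = counter_arg(ev["CommandLine"])
            parent_arg = counter_arg(ev.get("ParentCommandLine", ""))
            same_image = ev.get("ParentImage", "").lower() == image
            if arg is not None and parent_arg is not None and same_image and arg == parent_arg + 1:
                findings.append(("self_spawn_incrementing_arg", f"{image} {parent_arg}->{arg}"))
            elif image.startswith(PUBLIC_DIR) and arg is not None:
                findings.append(("public_exe_with_counter_arg", f"{image} {arg}"))
        elif eid == 11:  # FileCreate
            target = ev["TargetFilename"].lower()
            if target.startswith(PUBLIC_DIR) and target.endswith(".exe"):
                findings.append(("exe_dropped_in_users_public", target))
        elif eid == 13:  # RegistryEvent (value set); Sysmon writes HKCU as HKU\<SID>
            if ev["TargetObject"].lower().endswith(RUN_VALUE_SUFFIX):
                findings.append(("run_key_qvlc", ev["Details"]))
        elif eid == 3:  # NetworkConnect
            if ev["DestinationIp"] == BROKER_IP:
                findings.append(("connect_public_mqtt_broker", f'{ev["Image"]} -> {BROKER_IP}'))
    return findings


LURE = "C:\\Users\\alice\\Downloads\\Documents members of delegation diplomatic from Germany.Exe"
SAMPLE_EVENTS = [  # constructed events
    {"EventID": 1, "Image": LURE, "CommandLine": f'"{LURE}" 5',
     "ParentImage": LURE, "ParentCommandLine": f'"{LURE}" 4'},
    {"EventID": 11, "Image": LURE, "TargetFilename": "C:\\Users\\Public\\vdump.exe"},
    {"EventID": 1, "Image": "C:\\Users\\Public\\vdump.exe",
     "CommandLine": '"C:\\Users\\Public\\vdump.exe" 97',
     "ParentImage": LURE, "ParentCommandLine": f'"{LURE}" 9'},
    {"EventID": 13, "Image": LURE,
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\qvlc",
     "Details": "c:\\users\\public\\vcall.exe"},
    {"EventID": 3, "Image": "C:\\Users\\Public\\vcall.exe",
     "DestinationIp": "3.228.54.173", "DestinationPort": 1883},  # port assumed (MQTT default)
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",  # benign: no counter chain
     "CommandLine": '"C:\\Windows\\System32\\notepad.exe" 1',
     "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "C:\\Windows\\Explorer.EXE"},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(rule, detail)
```

The self-spawn rule is the most specific one: a process launching a copy of its own image with an argument exactly one higher than its own is the recursion described above, and the argument values that change between samples do not matter to it. The broker rule fires on any MQTT client talking to broker.emqx.io, so it is only useful in combination with the others or scoped to hosts that have no business speaking MQTT.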
Conclusion
The Mustang Panda campaign described in this article is ongoing as of this writing. The victimology is unclear, but the decoy filenames are in line with the group's other campaigns that target European political entities.
This new MQsTTang backdoor provides a kind of remote shell without any of the bells and whistles associated with the group's other malware families. However, it shows that Mustang Panda is exploring new technology stacks for its tools. It remains to be seen whether this backdoor will become a recurring part of the group's arsenal, but it is one more example of the group's fast development and deployment cycle.
IoCs
Files
SHA-1 | Filename | Detection | Description |
---|---|---|---|
A1C660D31518C8AFAA6973714DE30F3D576B68FC | CVs Amb.rar | Win32/Agent.AFBI | RAR archive used to distribute MQsTTang backdoor. |
430C2EF474C7710345B410F49DF853BDEAFBDD78 | CVs Amb Officer PASSPORT Ministry Of Foreign Affairs.exe | Win32/Agent.AFBI | MQsTTang backdoor. |
F1A8BF83A410B99EF0E7FDF7BA02B543B9F0E66C | Documents.rar | Win32/Agent.AFBI | RAR archive used to distribute MQsTTang backdoor. |
02D95E0C369B08248BFFAAC8607BBA119D83B95B | PDF_Passport and CVs of diplomatic members from Tokyo of JAPAN.eXE | Win32/Agent.AFBI | MQsTTang backdoor. |
0EA5D10399524C189A197A847B8108AA8070F1B1 | Documents members of delegation diplomatic from Germany.Exe | Win32/Agent.AFBI | MQsTTang backdoor. |
982CCAF1CB84F6E44E9296C7A1DDE2CE6A09D7BB | Documents.rar | Win32/Agent.AFBI | RAR archive used to distribute MQsTTang backdoor. |
740C8492DDA786E2231A46BFC422A2720DB0279A | 23 from Embassy of Japan.exe | Win32/Agent.AFBI | MQsTTang backdoor. |
AB01E099872A094DC779890171A11764DE8B4360 | BoomerangLib.dll | Win32/Korplug.TH | Known Mustang Panda Korplug loader. |
61A2D34625706F17221C1110D36A435438BC0665 | breakpad.dll | Win32/Korplug.UB | Known Mustang Panda Korplug loader. |
30277F3284BCEEF0ADC5E9D45B66897FA8828BFD | coreclr.dll | Win32/Agent.ADMW | Known Mustang Panda Korplug loader. |
BEE0B741142A9C392E05E0443AAE1FA41EF512D6 | HPCustPartUI.dll | Win32/Korplug.UB | Known Mustang Panda Korplug loader. |
F6F3343F64536BF98DE7E287A7419352BF94EB93 | HPCustPartUI.dll | Win32/Korplug.UB | Known Mustang Panda Korplug loader. |
F848C4F3B9D7F3FE1DB3847370F8EEFAA9BF60F1 | libcef.dll | Win32/Korplug.TX | Known Mustang Panda Korplug loader. |
Network
IP | Domain | Hosting provider | First seen | Details |
---|---|---|---|---|
3.228.54.173 | broker.emqx.io | Amazon.com, Inc. | 2020-03-26 | Legitimate public MQTT broker. |
80.85.156[.]151 | N/A | Chelyabinsk-Signal LLC | 2023-01-05 | MQsTTang delivery server. |
80.85.157[.]3 | N/A | Chelyabinsk-Signal LLC | 2023-01-16 | MQsTTang delivery server. |
185.144.31[.]86 | N/A | Abuse-C Role | 2023-01-22 | MQsTTang delivery server. |
Github repositories
- https://raw.githubusercontent[.]com/YanNaingOo0072022/14/main/Documents.rar
- https://raw.githubusercontent[.]com/YanNaingOo0072022/ee/main/CVs Amb.rar
MITRE ATT&CK techniques
This table was constructed using version 12 of the MITRE ATT&CK framework.
Tactic | ID | Name | Description |
---|---|---|---|
Resource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server | Some servers used in the campaign are on shared hosting. |
Resource Development | T1583.004 | Acquire Infrastructure: Server | Some servers used in the campaign seem to be exclusive to Mustang Panda. |
Resource Development | T1587.001 | Develop Capabilities: Malware | MQsTTang is a custom backdoor, probably developed by Mustang Panda. |
Resource Development | T1588.002 | Obtain Capabilities: Tool | Several legitimate and open-source tools, including psexec, ps, curl, and plink, were found on the staging server. |
Resource Development | T1608.001 | Stage Capabilities: Upload Malware | MQsTTang was uploaded to the web server for distribution. |
Resource Development | T1608.002 | Stage Capabilities: Upload Tool | Several tools were uploaded to an FTP server. |
Initial Access | T1566.002 | Phishing: Spearphishing Link | MQsTTang is distributed via spearphishing links to a malicious file on an attacker-controlled web server. |
Execution | T1106 | Native API | MQsTTang uses the QProcess class from the Qt framework to execute commands. |
Execution | T1204.002 | User Execution: Malicious File | MQsTTang relies on the user to execute the downloaded malicious file. |
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | MQsTTang persists by creating a registry Run key. |
Defense Evasion | T1036.004 | Masquerading: Masquerade Task or Service | In most samples, the registry key is created with the name qvlc. This matches the name of a legitimate executable used by VLC. |
Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | When creating copies, MQsTTang uses filenames of legitimate programs. |
Defense Evasion | T1480 | Execution Guardrails | MQsTTang checks the path it is executed from to determine which tasks to execute. |
Defense Evasion | T1622 | Debugger Evasion | MQsTTang detects running debuggers and alters its behavior if any are found to be present. |
Command and Control | T1071 | Application Layer Protocol | MQsTTang communicates with its C&C server using the MQTT protocol. |
Command and Control | T1102.002 | Web Service: Bidirectional Communication | MQsTTang uses a legitimate public MQTT broker. |
Command and Control | T1132.001 | Data Encoding: Standard Encoding | The content of the messages between the malware and server is base64 encoded. |
Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | The content of the messages between the malware and server is XORed with a repeating key (nasa); this obfuscates rather than protects the traffic. |
Exfiltration | T1041 | Exfiltration Over C2 Channel | The output of executed commands is sent back to the server using the same protocol. |