July 17, 2024
MQsTTang: Mustang Panda’s newest backdoor treads new floor with Qt and MQTT

ESET researchers tease aside MQsTTang, a brand new backdoor utilized by Mustang Panda, which communicates through the MQTT protocol

ESET researchers have analyzed MQsTTang, a brand new customized backdoor that we attribute to the Mustang Panda APT group. This backdoor is a part of an ongoing marketing campaign that we are able to hint again to early January 2023. In contrast to many of the group’s malware, MQsTTang doesn’t appear to be primarily based on present households or publicly accessible tasks.

Mustang Panda is understood for its personalized Korplug variants (additionally dubbed PlugX) and elaborate loading chains. In a departure from the group’s standard ways, MQsTTang has solely a single stage and doesn’t use any obfuscation methods.

Victimology

Now we have seen unknown entities in Bulgaria and Australia in our telemetry. We even have info indicating that this marketing campaign is focusing on a governmental establishment in Taiwan. Nevertheless, because of the nature of the decoy filenames used, we consider that political and governmental organizations in Europe and Asia are additionally being focused. This may even be in keeping with the focusing on of the group’s different latest campaigns. As documented by fellow researchers at Proofpoint, Mustang Panda has been recognized to focus on European governmental entities since at the very least 2020 and has elevated its exercise in Europe even additional, since Russia’s invasion of Ukraine. Determine 1 reveals our view of the focusing on for this marketing campaign.

Determine 1. Map exhibiting recognized and suspected targets of MQsTTang

Attribution

We attribute this new backdoor and the marketing campaign to Mustang Panda with excessive confidence primarily based on the next indicators.

We discovered archives containing samples of MQsTTang in two GitHub repositories belonging to the person YanNaingOo0072022. One other GitHub repository of the identical person was utilized in a earlier Mustang Panda marketing campaign described by Avast in a December 2022 blogpost.

One of many servers used within the present marketing campaign was working a publicly accessible nameless FTP server that appears to be used to stage instruments and payloads. Within the /pub/god listing of this server there are a number of Korplug loaders, archives, and instruments that had been utilized in earlier Mustang Panda campaigns. This is similar listing that was utilized by the stager described within the aforementioned Avast blogpost. This server additionally had a /pub/gd listing, which was one other path utilized in that marketing campaign.

A few of the infrastructure used on this marketing campaign additionally matches the community fingerprint of beforehand recognized Mustang Panda servers.

Technical evaluation

MQsTTang is a barebones backdoor that enables the attacker to execute arbitrary instructions on a sufferer’s machine and get the output. Even so, it does current some attention-grabbing traits. Chief amongst these is its use of the MQTT protocol for C&C communication. MQTT is often used for communication between IoT units and controllers, and the protocol hasn’t been utilized in many publicly documented malware households. One such instance is Chrysaor, often known as Pegasus for Android. From an attacker’s perspective, certainly one of MQTT’s advantages is that it hides the remainder of their infrastructure behind a dealer. Thus, the compromised machine by no means communicates instantly with the C&C server. As seen in Determine 2, this functionality is achieved through the use of the open supply QMQTT library. This library is dependent upon the Qt framework, a big a part of which is statically linked within the malware. Utilizing the Qt framework for malware improvement can also be pretty unusual. Lazarus’s MagicRAT is likely one of the uncommon just lately documented examples.

Determine 2. RTTI exhibiting lessons from the QMQTT library

MQsTTang is distributed in RAR archives which solely include a single executable. These executables often have names associated to Diplomacy and passports similar to:

  • CVs Amb Officer PASSPORT Ministry Of Overseas Affairs.exe
  • Paperwork members of delegation diplomatic from Germany.Exe
  • PDF_Passport and CVs of diplomatic members from Tokyo of JAPAN.eXE
  • Word No.18-NG-23 from Embassy of Japan.exe

These archives are hosted on an online server with no related area title. This reality, together with the filenames, leads us to consider that the malware is unfold through spearphishing.

To this point, now we have solely noticed a number of samples. Apart from variations in some constants and hardcoded strings, the samples are remarkably comparable. The one notable change is the addition of some anti-analysis methods within the newest variations. The primary of those consists of utilizing the CreateToolhelp32Snapshot Home windows API operate to iterate by way of working processes and search for the next recognized debuggers and monitoring instruments.

  • cheatengine-x86_64.exe
  • ollydbg.exe
  • ida.exe
  • ida64.exe
  • radare2.exe
  • x64dbg.exe
  • procmon.exe
  • procmon64.exe
  • procexp.exe
  • processhacker.exe
  • pestudio.exe
  • systracerx32.exe
  • fiddler.exe
  • tcpview.exe

Word that, whereas the malware is a 32-bit executable, it solely checks for the presence of x64dbg and never its 32-bit counterpart, x32dbg.

The second approach makes use of the FindWindowW Home windows API to search for the next Window Courses and Titles utilized by recognized evaluation instruments:

  • PROCMON_WINDOW_CLASS
  • OLLYDBG
  • WinDbgFrameClass
  • OllyDbg – [CPU]
  • Immunity Debugger – [CPU]

When executed instantly, the malware will launch a duplicate of itself with 1 as a command line argument. That is repeated by the brand new course of, with the argument being incremented by 1 on each run. When this argument hits particular values, sure duties will likely be executed. Word that the precise values range between samples; those talked about beneath correspond to the pattern with SHA-1 02D95E0C369B08248BFFAAC8607BBA119D83B95B. Nevertheless, the duties themselves and the order wherein they’re executed is fixed.

Determine 3 reveals an outline of this conduct together with the duties which are executed when the malware is first run.

Determine 3. Execution graph exhibiting the subprocesses and executed duties

Desk 1 incorporates a listing of the duties and the worth at which every of them is executed. We’ll describe them in additional element within the upcoming paragraphs.

Desk 1. Duties executed by the backdoor

Job quantity Argument worth Job description
1 5 Begin C&C communication.
2 9 Create copy and launch.
3 32 Create persistence copy.
4 119 Set up persistence.
5 148 Cease recursive execution.

If any evaluation instrument or debugger is detected utilizing the methods we described beforehand, the conduct of job 1 is altered and duties 2, 3, and 4 are skipped completely.

Job 1: C&C communication

As was beforehand talked about, MQsTTang communicates with its C&C server over the MQTT protocol. All noticed samples use 3.228.54.173 as dealer. This server is a public dealer operated by EMQX, who additionally occur to be the maintainers of the QMQTT library. This could possibly be a approach to make the community site visitors appear reputable and to cover Mustang Panda’s personal infrastructure. Utilizing this public dealer additionally supplies resiliency; the service is unlikely to be taken down due to its many reputable customers and, even when the present C&C servers are banned or taken down, Mustang Panda might spin up new ones and use the identical MQTT matters with out disrupting MQsTTang’s operation.

Nevertheless, this marketing campaign is also a check case by Mustang Panda earlier than deciding whether or not to speculate the time and assets to arrange their very own dealer. That is supported by the low variety of samples we’ve noticed and the quite simple nature of MQsTTang.

As proven in Determine 4, the malware and C&C server use two MQTT matters for his or her communication. The primary one, iot/server2, is used for communication from the shopper to the server. The second is used for communication from the server to the shopper. It follows the format iot/v2/<Distinctive ID> the place <Distinctive ID> is generated by taking the final 8 bytes, in hex type, of a UUID. If any evaluation instrument is detected, server2 and v2 are respectively changed with server0 and v0. That is doubtless with the intention to keep away from tipping off defenders by completely aborting the malware’s execution early.

Determine 4. Simplified community graph of the communication between the backdoor and C&C server

All communication between the server and the shopper makes use of the identical encoding scheme. The MQTT message’s payload is a JSON object with a single attribute named msg. To generate the worth of this attribute, the precise content material is first base64 encoded, then XORed with the hardcoded string nasa, and base64 encoded once more. We’ll describe the precise format of those payloads within the related sections.

Upon first connecting to the dealer, the malware subscribes to its distinctive matter. Then, and each 30 seconds thereafter, the shopper publishes a KeepAlive message to the server’s matter. The content material of this message is a JSON object with the next format:

When the server needs to situation a command, it publishes a message to the shopper’s distinctive matter. The plaintext content material of this message is just the command to be executed. As proven in Determine 5, the shopper executes the obtained command utilizing QProcess::startCommand from the Qt framework. The output, obtained utilizing QProcess::readAllStandardOutput, is then despatched again in a JSON object with the next format:

Determine 5. Execution of obtained instructions utilizing the QProcess class

Since solely the content material of normal output is distributed again, the server is not going to obtain errors or warnings. From the server’s viewpoint, a failed command is thus indistinguishable from a command that merely produces no output except some kind of redirection is carried out.

Duties 2 and three: Copying the malware

The second and third duties are pretty comparable to one another. They copy the malware’s executable to a hardcoded path; c:userspublicvdump.exe and c:userspublicvcall.exe respectively. The filenames used are completely different for every pattern, however they’re all the time situated within the C:userspublic listing.

Within the second job, the newly created copy is then launched with the command line argument 97.

Job 4: Establishing persistence

Persistence is established by the fourth job, which creates a brand new worth qvlc set to c:userspublicvcall.exe below the HKCUSoftwareMicrosoftWindowsCurrentVersionRun registry key. It will trigger the malware to be executed on startup.

When MQsTTang is executed on startup as c:userspublicvcall.exe, solely the C&C communication job is executed.

Conclusion

The Mustang Panda marketing campaign described on this article is ongoing as of this writing. The victimology is unclear, however the decoy filenames are in keeping with the group’s different campaigns that focus on European political entities.

This new MQsTTang backdoor supplies a sort of distant shell with none of the bells and whistles related to the group’s different malware households. Nevertheless, it reveals that Mustang Panda is exploring new know-how stacks for its instruments. It stays to be seen whether or not this backdoor will turn into a recurring a part of the group’s arsenal, however it’s another instance of the group’s quick improvement and deployment cycle.

ESET Analysis affords non-public APT intelligence experiences and knowledge feeds. For any inquiries about this service, go to the ESET Threat Intelligence web page.

IoCs

Recordsdata

SHA-1 Filename Detection Description
A1C660D31518C8AFAA6973714DE30F3D576B68FC CVs Amb.rar Win32/Agent.AFBI RAR archive used to distribute MQsTTang backdoor.
430C2EF474C7710345B410F49DF853BDEAFBDD78 CVs Amb Officer PASSPORT Ministry Of Overseas Affairs.exe Win32/Agent.AFBI MQsTTang backdoor.
F1A8BF83A410B99EF0E7FDF7BA02B543B9F0E66C Paperwork.rar Win32/Agent.AFBI RAR archive used to distribute MQsTTang backdoor.
02D95E0C369B08248BFFAAC8607BBA119D83B95B PDF_Passport and CVs of diplomatic members from Tokyo of JAPAN.eXE Win32/Agent.AFBI MQsTTang backdoor.
0EA5D10399524C189A197A847B8108AA8070F1B1 Paperwork members of delegation diplomatic from Germany.Exe Win32/Agent.AFBI MQsTTang backdoor.
982CCAF1CB84F6E44E9296C7A1DDE2CE6A09D7BB Paperwork.rar Win32/Agent.AFBI RAR archive used to distribute MQsTTang backdoor.
740C8492DDA786E2231A46BFC422A2720DB0279A 23 from Embassy of Japan.exe Win32/Agent.AFBI MQsTTang backdoor.
AB01E099872A094DC779890171A11764DE8B4360 BoomerangLib.dll Win32/Korplug.TH Recognized Mustang Panda Korplug loader.
61A2D34625706F17221C1110D36A435438BC0665 breakpad.dll Win32/Korplug.UB Recognized Mustang Panda Korplug loader.
30277F3284BCEEF0ADC5E9D45B66897FA8828BFD coreclr.dll Win32/Agent.ADMW Recognized Mustang Panda Korplug loader.
BEE0B741142A9C392E05E0443AAE1FA41EF512D6 HPCustPartUI.dll Win32/Korplug.UB Recognized Mustang Panda Korplug loader.
F6F3343F64536BF98DE7E287A7419352BF94EB93 HPCustPartUI.dll Win32/Korplug.UB Recognized Mustang Panda Korplug loader.
F848C4F3B9D7F3FE1DB3847370F8EEFAA9BF60F1 libcef.dll Win32/Korplug.TX Recognized Mustang Panda Korplug loader.

Community

IP Area Internet hosting supplier First seen Particulars
3.228.54.173 dealer.emqx.io Amazon.com, Inc. 2020-03-26 Reliable public MQTT dealer.
80.85.156[.]151 N/A Chelyabinsk-Sign LLC 2023-01-05 MQsTTang supply server.
80.85.157[.]3 N/A Chelyabinsk-Sign LLC 2023-01-16 MQsTTang supply server.
185.144.31[.]86 N/A Abuse-C Position 2023-01-22 MQsTTang supply server.

Github repositories

  • https://uncooked.githubusercontent[.]com/YanNaingOo0072022/14/major/Paperwork.rar
  • https://uncooked.githubusercontent[.]com/YanNaingOo0072022/ee/major/CVs Amb.rar

MITRE ATT&CK methods

This desk was constructed utilizing version 12 of the MITRE ATT&CK framework.

Tactic ID Identify Description
Useful resource Growth T1583.003 Purchase Infrastructure: Digital Non-public Server Some servers used within the marketing campaign are on shared internet hosting.
T1583.004 Purchase Infrastructure: Server Some servers used within the marketing campaign appear to be unique to Mustang Panda.
T1587.001 Develop Capabilities: Malware MQsTTang is a customized backdoor, most likely developed by Mustang Panda.
T1588.002 Receive Capabilities: Device A number of reputable and open- supply instruments, together with psexec, ps, curl, and plink, had been discovered on the staging server.
T1608.001 Stage Capabilities: Add Malware MQsTTang was uploaded to the net server for distribution.
T1608.002 Stage Capabilities: Add Device A number of instruments had been uploaded to an FTP server.
Preliminary Entry T1566.002 Phishing: Spearphishing Hyperlink MQsTTang is distributed through spearphishing hyperlinks to a malicious file on an attacker-controlled internet server.
Execution T1106 Native API MQsTTang makes use of the QProcess class from the Qt framework to execute instructions.
T1204.002 Consumer Execution: Malicious File MQsTTang depends on the person to execute the downloaded malicious file.
Persistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder MQsTTang persists by making a registry Run key.
Protection Evasion T1036.004 Masquerading: Masquerade Job or Service In most samples, the registry key’s created with the title qvlc. This matches the title of a reputable executable utilized by VLC.
T1036.005 Masquerading: Match Reliable Identify or Location When creating copies, MQsTTang makes use of filenames of reputable packages.
T1480 Execution Guardrails MQsTTang checks the paths it’s executed from to find out which duties to execute.
T1622 Debugger Evasion MQsTTang detects working debuggers and alters its conduct if any are discovered to be current.
Command and Management T1071 Software Layer Protocol MQsTTang communicates with its C&C server utilizing the MQTT protocol.
T1102.002 Net Service: Bidirectional Communication MQsTTang makes use of a reputable public MQTT dealer.
T1132.001 Information Encoding: Customary Encoding The content material of the messages between the malware and server is base64 encoded.
T1573.001 Encrypted Channel: Symmetric Cryptography The content material of the messages between the malware and server is encrypted utilizing a repeating XOR key.
Exfiltration T1041 Exfiltration Over C2 Channel The output of executed instructions is distributed again to the server utilizing the identical protocol.