MQsTTang Backdoor Detection: New Custom Malware by Mustang Panda APT Actively Used in the Latest Campaign Against Government Entities
Table of contents:
New day, new malicious threat challenging cyber defenders! Recently, security researchers have revealed a novel malware strain being actively leveraged by Mustang Panda APT in their ongoing campaign against targets in Europe and Asia. Dubbed MQsTTang, the new custom backdoor has been developed from scratch to fly under the radar and make attribution harder while attacking government and political entities of the attackers’ interest.
MQsTTang Backdoor Detection
To spot the malicious activity at the earliest stages of the attack development and proactively defend the organizational infrastructure from potential MQsTTang infections, security perfromers can leverage a set of Sigma rules available in SOC Prime’s Platform for collective cyber defense.
The first rule developed by our keen Threat Bounty member Aytek Aytemur identifies malicious DLLs related to MQsTTang backdoor. The detection can be applied across 20+ SIEM, EDR, and XDR platforms and is mapped to the MITRE ATT&CK framework v12 addressing Execution and Defense Evasion tactics, with User Execution (T1204) and Process Injection (T1055) as corresponding techniques.
The second rule by seasoned Threat Bounty developer Mustafa Gurkan KARAKAYA identifies persistence activities of the MQsTTang via adding a registry key. The rule is compatible with 15+ SIEM, EDR, and XDR solutions and mapped to MITRE ATT&CK v12 addressing the Defense Evasion tactic with Modify Registry (T1112) as a primary technique.
Eager to master your Detection engineering skills while contributing to the world’s safety? Join the forces of crowdsourced content development via the Threat Bounty Program to help the global cyber defender community stay ahead of attackers. Write your own Sigma rules tagged with ATT&CK, get them published to SOC Prime Platform, and earn both money and recognition from your industry peers.
Press the Explore Detections button below and immediately drill down to the full collection of Sigma rules to detect tools and attack techniques associated with the Mustang Panda APT collective. All the detection algorithms are accompanied by the corresponding ATT&CK references, threat intelligence links, and other relevant metadata.
MQsTTang Backdoor Analysis
Mustang Panda APT (aka TA416, Bronze President) is an APT collective of Chinese origin well-known for its PlugX malware family frequently used in data dumping operations.
The latest inquiry by ESET reveals the presence of a novel backdoor making rounds in the malicious arena since at least January 2023. The new threat seems to be developed from scratch, without any code overlaps with older samples, so adversaries can easily slip past security protections during the new malicious operations.
The very first MQsTTang campaign was launched at the beginning of 2023, and it is still ongoing targeting govt and diplomatic entities across Europe and Asia. The attack kill chain typically starts with a phishing email dropping a malicious payload. Executables are dropped in the form of RAR archives disguised as scans of passports of diplomatic mission members, embassy notes, or similar baits.
Once executed, the malware creates a copy of itself with a command line argument that performs a variety of malicious tasks, such as launching command-and-control (C2) communications, ensuring persistence, etc.
Notably, MQsTTang relies on the MQTT protocol for C2 communications. Such an approach ensures resilience to C2 takedowns and masquerades adversaries’ infrastructure by routing all communications through a broker. Also, using MQTT allows attackers to evade detection since security practitioners tend to look for more common C2 protocols while investigating incidents.
Stay ahead of adversaries with curated Sigma rules against any current or emerging APT attacks. 900+ rules for APT-related tools and attacks are right at hand! Get 200+ for free or reach all relevant detection content with On-Demand at my.socprime.com/pricing.