📢 The new #MQTTang backdoor is capable of evading detection, making it an even bigger threat to victims.
#Malware #China #MustangPanda #Security #mqttang
Details: https://www.hackread.com/chinese-hackers-mqsttang-backdoor/
MQsTTang, a new #backdoor used by #MustangPanda #APT against European entities
https://securityaffairs.com/142961/apt/mustang-panda-mqsttang-backdoor.html
#securityaffairs #hacking #China
#backdoor #MustangPanda #apt #securityaffairs #hacking #china
#ESETResearch analyzed a new #MustangPanda backdoor. It uses the open-source QMQTT library to communicate with its C&C server over #MQTT so we named it MQsTTang. This library depends on parts of the Qt framework, statically linked in the executable. https://www.welivesecurity.com/2023/03/02/mqsttang-mustang-panda-latest-backdoor-treads-new-ground-qt-mqtt/
A sample of MQsTTang was identified by @Unit42_Intel@twitter.com on 2023-02-17. As stated in that thread, the backdoor uses the legitimate MQTT broker 3.228.54.173. This has the benefit of hiding their actual C&C servers from victims and analysts. https://twitter.com/Unit42_Intel/status/1626613722700472320
This malware family is also tracked as "Kumquat" by @threatinsight@twitter.com: https://twitter.com/aRtAGGI/status/1628067706443374592
Like in previous #MustangPanda campaigns, filenames related to politics and diplomacy are used to lure targets. These include:
- CVs Amb Officer PASSPORT Ministry Of Foreign Affairs.exe
- Documents members of delegation diplomatic from Germany.Exe
- PDF_Passport and CVs of diplomatic members from Tokyo of JAPAN.eXE
IoCs:
📄 SHA-1
02D95E0C369B08248BFFAAC8607BBA119D83B95B
430C2EF474C7710345B410F49DF853BDEAFBDD78
0EA5D10399524C189A197A847B8108AA8070F1B1
740C8492DDA786E2231A46BFC422A2720DB0279A
🚨 ESET Detection Name
Win32/Agent.AFBI trojan
🌐 Servers
80.85.156[.]151
80.85.157[.]3
185.144.31[.]86
#esetresearch #MustangPanda #mqtt
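The ESET post above makes a defender-relevant point: because MQsTTang talks to a legitimate public MQTT broker, blocking the listed servers alone is not enough; outbound MQTT from ordinary workstations is itself the signal. The script below is an added example (not ESET's code, nor from the post) that runs that logic over a constructed connection log; the log format, the 10.0.0.0/8 internal range and the allowlisted MQTT client are assumptions.

```python
import ipaddress

# Constructed sample connection records, not real telemetry.
# Fields: timestamp, source IP, destination IP, destination port, protocol.
SAMPLE_CONN_LOG = """\
2023-03-02T10:01:00Z 10.0.5.21 3.228.54.173 1883 tcp
2023-03-02T10:01:07Z 10.0.5.21 3.228.54.173 1883 tcp
2023-03-02T10:02:13Z 10.0.5.44 80.85.156.151 443 tcp
2023-03-02T10:03:30Z 10.0.9.2 192.0.2.10 8883 tcp
2023-03-02T10:04:02Z 10.0.5.21 198.51.100.7 443 tcp
2023-03-02T10:05:45Z 10.0.7.8 10.0.0.15 1883 tcp
"""

MQTT_PORTS = {1883, 8883}                      # plain and TLS MQTT
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range
# Servers from the ESET post, kept in the defanged form the post uses.
ESET_SERVERS = {"80.85.156[.]151", "80.85.157[.]3", "185.144.31[.]86"}


def refang(ioc):
    """Turn a defanged indicator such as 80.85.156[.]151 back into a real IP string."""
    return ioc.replace("[.]", ".")


def parse_conn_log(text):
    """Parse the whitespace-separated sample format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        records.append({"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto})
    return records


def find_suspicious(records, allowed_mqtt_clients=frozenset()):
    """Return (src, dst, reason) tuples an analyst should look at.

    A destination in the published server list is flagged outright; any other
    MQTT connection leaving the internal range from a host that is not a known
    MQTT client (e.g. an IoT gateway) is flagged even when the broker is legitimate.
    """
    known = {refang(s) for s in ESET_SERVERS}
    hits = []
    for r in records:
        dst = ipaddress.ip_address(r["dst"])
        if r["dst"] in known:
            hits.append((r["src"], r["dst"], "known_mqsttang_server"))
        elif r["port"] in MQTT_PORTS and dst not in INTERNAL and r["src"] not in allowed_mqtt_clients:
            hits.append((r["src"], r["dst"], "unexpected_mqtt_egress"))
    return hits
```

In the sample, 10.0.5.21 is flagged twice for reaching the public broker from the Unit 42 thread even though that broker is not malicious infrastructure, which is exactly the case an IP blocklist would miss.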
Today: @ESETresearch analyzed a new #MustangPanda backdoor, which communicates via the MQTT protocol. Check it out 👇
EU cyber security authorities warn of Chinese cyber gangs | heise online https://www.heise.de/news/EU-Cyber-Sicherheitsbehoerden-warnen-vor-chinesischen-Cybergangs-7522269.html #Hacking #CyberCrime #APT27 #APT30 #APT31 #Ke3chang #Gallium #MustangPanda #China
#china #MustangPanda #gallium #ke3chang #APT31 #apt30 #apt27 #cybercrime #hacking
From @Unit42_Intel@twitter.com
https://twitter.com/Unit42_Intel/status/1626613722700472320?s=20
4936b873cfe066ec5efce01ef8fb1605f8bc29a98408a13bc8fe4462b2f09c5a
https://www.virustotal.com/gui/file/4936b873cfe066ec5efce01ef8fb1605f8bc29a98408a13bc8fe4462b2f09c5a
We were originally going to present more, but given the context and the timeframe we were given, I didn't have a lot of time to delve deeper into the subject matter. Otherwise, we would have liked to touch on things like the evolution of their encoding & decoding methods over time, as well as the ever-evolving obfuscation methods (nothing ground-breaking if you're already familiar with ollvm and other common obfuscation methods), the use of the launchers, payload name, invocation methods, and so many more.
The gist of it is we had been on their tail for a decently long time, including monitoring and hunting PlugDisk (USB-enabled data exfiltration PlugX variant) and its predecessor UDiskShell, identifying the then-new EU-specific target back in late 2021, and many more - they are aware that many threat intelligence groups are investigating them and are continuing to avoid having their samples analyzed. Speaking of, one of the things I didn't have time to include is that #MustangPanda is also now splitting up the encoded payload to a different path from the loader, attempting to prevent victims from simply zipping the suspected folder and submitting it to VT.
also hi my brief 10-minute report on #MustangPanda announced at JSAC2023 is now on the Malpedia corpus
ecb1650d5f548f10be47aaa84f7546c0
Summary MSs reporting - recommendationl .zip
#MustangPanda may have changed the config storage method - the XOR-encoded config block is no longer present in the resulting PE. Investigation required.
#RedDelta / #MustangPanda have expanded to using ISO files in addition to RAR and ZIP files.
Also, the config decryption key changed to jOh752oCI for their more recent variants of #plugx.
https://go.recordedfuture.com/hubfs/reports/cta-2022-1223.pdf
#reddelta #MustangPanda #plugx
Looks like #MustangPanda had been busy sneaking around all over TW/HK. This one actually slipped through the radar for me, given the threat group doesn't target Taiwan that often.
"Chinese Hackers Using Russo-Ukrainian War Decoys to Target APAC and European Entities"
#MustangPanda #APT #cyberattack #cybercrime #cyberwar #cyberespionage
#spearphishing / #PUBLOAD #TONEINS #TONESHELL #malware
https://thehackernews.com/2022/12/chinese-hackers-using-russo-ukrainian.html
#MustangPanda #apt #cyberattack #cybercrime #cyberwar #cyberespionage #spearphishing #pubload #toneins #toneshell #malware
#MustangPanda Uses the Russian-Ukrainian War to Attack Europe and Asia Pacific Targets
#apt #Ukraine
“Political Guidance for the new EU approach towards Russia.rar”.
Read the research from #AvastThreatLabs team that describes a vast collection of tools, presumably used by the #MustangPanda #APT group & exfiltrated stolen data. Make some coffee and dive into #AvastDecoded blog:
https://decoded.avast.io/threatintel/apt-treasure-trove-avast-suspects-chinese-apt-group-mustang-panda-is-collecting-data-from-burmese-government-agencies-and-opposition-groups/
#avastthreatlabs #MustangPanda #apt #AvastDecoded
Interesting blog post from TrendMicro about spear-phishing attacks targeting governments by #MustangPanda.
https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html
Mustang Panda, the malspam that keeps infecting organizations.
#Ciberseguridad #spam #mustangpanda #malware #IOCs
https://simodef.com/2022/11/22/mustang-panda-el-malspam-que-no-para/
#ciberseguridad #spam #MustangPanda #malware #iocs
#MustangPanda #APT:
It uses legitimate Microsoft Suite Integration Toolkit executable to side load the PlugX payload.
Archive file:
865d2582e7ae2a13f363ab5cdb60da9c
Payload:
dlmgr.dll
8251d2c698028db64583971760c7f3f0
C2:
98.142.251.29