#ESETResearch analyzed a new #MustangPanda backdoor. It uses the open-source QMQTT library to communicate with its C&C server over #MQTT so we named it MQsTTang. This library depends on parts of the Qt framework, statically linked in the executable. https://www.welivesecurity.com/2023/03/02/mqsttang-mustang-panda-latest-backdoor-treads-new-ground-qt-mqtt/
A sample of MQsTTang was identified by @Unit42_Intel@twitter.com on 2023-02-17. As stated in that thread, the backdoor uses the legitimate MQTT broker 3.228.54.173. This has the benefit of hiding their actual C&C servers from victims and analysts. https://twitter.com/Unit42_Intel/status/1626613722700472320
This malware family is also tracked as "Kumquat" by @threatinsight@twitter.com: https://twitter.com/aRtAGGI/status/1628067706443374592
Like in previous #MustangPanda campaigns, filenames related to politics and diplomacy are used to lure targets. These include:
- CVs Amb Officer PASSPORT Ministry Of Foreign Affairs.exe
- Documents members of delegation diplomatic from Germany.Exe
- PDF_Passport and CVs of diplomatic members from Tokyo of JAPAN.eXE
IoCs:
SHA-1
02D95E0C369B08248BFFAAC8607BBA119D83B95B
430C2EF474C7710345B410F49DF853BDEAFBDD78
0EA5D10399524C189A197A847B8108AA8070F1B1
740C8492DDA786E2231A46BFC422A2720DB0279A
ESET Detection Name
Win32/Agent.AFBI trojan
Servers
80.85.156[.]151
80.85.157[.]3
185.144.31[.]86
#esetresearch #MustangPanda #mqtt
RT @ESETresearch
#ESETresearch discovered and reported to the manufacturer three buffer overflow vulnerabilities in UEFI firmware of several #Lenovo Notebook devices, affecting more than 70 various models including several ThinkBook models. @smolar_m 1/6
RT @ESETresearch
#ESETresearch discovered three high-impact UEFI vulnerabilities affecting Lenovo consumer laptops. Their exploitation would allow attackers to deploy and successfully execute UEFI malware, such as LoJax or ESPecter, on the affected devices. @smolar_m https://www.welivesecurity.com/2022/04/19/when-secure-isnt-secure-uefi-vulnerabilities-lenovo-consumer-laptops/ 1/7
RT @ESETresearch@twitter.com
#ESETresearch discovered an SFile #ransomware variant for the FreeBSD platform, targeting a partially state-owned company in #China. It encrypts files with the following file extensions @cherepanov74@twitter.com 1/3
https://twitter.com/ESETresearch/status/1473282562420269056
#esetresearch #ransomware #china
I wonder how many reversers were owned because they used a pirate version of IDA
https://twitter.com/ESETresearch/status/1458438155149922312
RT @ESETresearch@twitter.com
#ESETresearch discovered a trojanized IDA Pro installer, distributed by the #Lazarus APT group. Attackers bundled the original IDA Pro 7.5 software developed by @HexRaysSA@twitter.com with two malicious components. @cherepanov74@twitter.com 1/5
https://twitter.com/ESETresearch/status/1458438155149922312
LOOOOOOOOOOOOOOOOOOOOOL!
RT @ESETresearch@twitter.com
#ESETresearch discovered a trojanized IDA Pro installer, distributed by the #Lazarus APT group. Attackers bundled the original IDA Pro 7.5 software developed by @HexRaysSA@twitter.com with two malicious components. @cherepanov74@twitter.com 1/5
https://twitter.com/ESETresearch/status/1458438155149922312