MQsTTang is a new Mustang Panda backdoor that uses MQTT for C2 and operates as a single-stage, minimally obfuscated tool. The campaign targets government and diplomatic entities, employs spearphishing distribution with decoy filenames, and includes anti-analysis and persistence mechanisms. #MQsTTang #MustangPanda #Korplug #PlugX #QMQTT #EMQX #YanNaingOo0072022 #Taiwan #Bulgaria #Australia #Germany #Japan #Proofpoint #Avast
Keypoints
- MQsTTang is a backdoor attributed to Mustang Panda, using MQTT for C2 and designed as a single-stage, non-obfuscated tool.
- Victimology centers on governmental/diplomatic targets, with Taiwan as a focus and decoy filenames suggesting broader Europe/Asia targeting.
- MQsTTang communicates via a public MQTT broker (3.228.54.173) using the QMQTT library built on Qt, concealing direct C2 links behind the broker.
- Distribution occurs through RAR archives with spearphishing links and diplomacy/passport-themed filenames.
- Anti-analysis routines detect common debuggers/tools and window classes; execution flow is controlled by a growing argument passed to a self-launching process.
- Persistence is achieved by a Run key in the registry, with copies placed in C:\Users\Public and named to blend with legitimate software.
MITRE Techniques
- [T1583.003] Acquire Infrastructure: Virtual Private Server – Some servers used in the campaign are on shared hosting. ‘Some servers used in the campaign are on shared hosting.’
- [T1583.004] Acquire Infrastructure: Server – Some servers used in the campaign seem to be exclusive to Mustang Panda. ‘Some servers used in the campaign seem to be exclusive to Mustang Panda.’
- [T1587.001] Develop Capabilities: Malware – MQsTTang is a custom backdoor, probably developed by Mustang Panda. ‘MQsTTang is a custom backdoor, probably developed by Mustang Panda.’
- [T1588.002] Obtain Capabilities: Tool – Multiple legitimate and open-source tools, including psexec, ps, curl, and plink, were found on the staging server. ‘Multiple legitimate and open-source tools, including psexec, ps, curl, and plink, were found on the staging server.’
- [T1608.001] Stage Capabilities: Upload Malware – MQsTTang was uploaded to the web server for distribution. ‘MQsTTang was uploaded to the web server for distribution.’
- [T1608.002] Stage Capabilities: Upload Tool – Multiple tools were uploaded to an FTP server. ‘Multiple tools were uploaded to an FTP server.’
- [T1566.002] Phishing: Spearphishing Link – MQsTTang is distributed via spearphishing links to a malicious file on an attacker-controlled web server. ‘MQsTTang is distributed via spearphishing links to a malicious file on an attacker-controlled web server.’
- [T1106] Native API – MQsTTang uses the QProcess class from the Qt framework to execute commands. ‘MQsTTang uses the QProcess class from the Qt framework to execute commands.’
- [T1204.002] User Execution: Malicious File – MQsTTang relies on the user to execute the downloaded malicious file. ‘MQsTTang relies on the user to execute the downloaded malicious file.’
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – MQsTTang persists by creating a registry Run key. ‘persistence by creating a registry Run key.’
- [T1036.004] Masquerading: Masquerade Task or Service – In most samples, the registry key is created with the name qvlc. This matches the name of a legitimate executable used by VLC. ‘the registry key is created with the name qvlc. This matches the name of a legitimate executable used by VLC.’
- [T1036.005] Masquerading: Match Legitimate Name or Location – When creating copies, MQsTTang uses filenames of legitimate programs. ‘When creating copies, MQsTTang uses filenames of legitimate programs.’
- [T1480] Execution Guardrails – MQsTTang checks the paths it is executed from to determine which tasks to execute. ‘MQsTTang checks the paths it is executed from to determine which tasks to execute.’
- [T1622] Debugger Evasion – MQsTTang detects running debuggers and alters its behavior if any are found to be present. ‘MQsTTang detects running debuggers and alters its behavior if any are found to be present.’
- [T1071] Application Layer Protocol – MQsTTang communicates with its C&C server using the MQTT protocol. ‘MQsTTang communicates with its C&C server using the MQTT protocol.’
- [T1102.002] Web Service: Bidirectional Communication – MQsTTang uses a legitimate public MQTT broker. ‘MQsTTang uses a legitimate public MQTT broker.’
- [T1132.001] Data Encoding: Standard Encoding – The content of the messages between the malware and server is base64 encoded. ‘The content of the messages between the malware and server is base64 encoded.’
- [T1573.001] Encrypted Channel: Symmetric Cryptography – The content of the messages between the malware and server is encrypted using a repeating XOR key. ‘encrypted using a repeating XOR key.’
- [T1041] Exfiltration: Exfiltration Over C2 Channel – The output of executed commands is sent back to the server using the same protocol. ‘The output of executed commands is sent back to the server using the same protocol.’
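The persistence (Run value named qvlc, copies staged under C:\Users\Public) and C2 (MQTT to a public broker) behaviours listed above can be hunted for in endpoint telemetry. The following is an added example, not code from the report or from ESET: the broker IP/domain and the qvlc value name are taken from the indicators on this page, while the Sysmon-style events and file paths are constructed for illustration.

```python
import re

# Indicators below come from this page (broker IP/domain, Run value name qvlc,
# staging under C:\Users\Public); the sample events are constructed for this example.
MQTT_BROKER_HOSTS = {"3.228.54.173", "broker.emqx.io"}
MQTT_PORTS = {1883, 8883}
PUBLIC_DIR = "c:\\users\\public\\"
RUN_KEY_RE = re.compile(r"\\currentversion\\run\\(?P<name>[^\\]+)$", re.IGNORECASE)

def registry_finding(target_object: str, details: str):
    """Flag a Run-key value write that matches MQsTTang's persistence pattern."""
    m = RUN_KEY_RE.search(target_object)
    if not m:
        return None
    name = m.group("name")
    path = details.strip().strip('"').lower()
    if path.startswith(PUBLIC_DIR):
        return f"Run value '{name}' launches from C:\\Users\\Public: {details}"
    if name.lower() == "qvlc" and "videolan" not in path:
        return f"Run value '{name}' mimics VLC but does not point at a VLC install: {details}"
    return None

def network_finding(image: str, dest: str, dest_port: int):
    """Flag traffic to the known broker, or MQTT from a binary staged in Public."""
    if dest in MQTT_BROKER_HOSTS:
        return f"{image} connected to known MQsTTang broker {dest}:{dest_port}"
    if dest_port in MQTT_PORTS and image.lower().startswith(PUBLIC_DIR):
        return f"{image} speaks MQTT ({dest}:{dest_port}) from C:\\Users\\Public"
    return None

def hunt(events):
    """Run both checks over Sysmon-style events (ID 13 registry set, ID 3 network)."""
    findings = []
    for ev in events:
        if ev["type"] == "registry":
            f = registry_finding(ev["target"], ev["details"])
        else:
            f = network_finding(ev["image"], ev["dest"], ev["port"])
        if f:
            findings.append(f)
    return findings

SAMPLE_EVENTS = [  # constructed sample telemetry, not from the report
    {"type": "registry", "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\qvlc",
     "details": r"C:\Users\Public\qvlc.exe"},
    {"type": "registry", "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "network", "image": r"C:\Users\Public\qvlc.exe", "dest": "3.228.54.173", "port": 1883},
    {"type": "network", "image": r"C:\Program Files\Mosquitto\mosquitto.exe", "dest": "10.0.0.5", "port": 1883},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

The legitimate Mosquitto client on port 1883 is deliberately left unflagged, so the rule keys on the staging location and the known broker rather than on MQTT alone.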
Indicators of Compromise
- [SHA-1] File hashes – A1C660D31518C8AFAA6973714DE30F3D576B68FC, 430C2EF474C7710345B410F49DF853BDEAFBDD78, and 2 more hashes
- [Filename] File names – CVs Amb Officer PASPORT Ministry Of Foreign Affairs.exe, Documents members of delegation diplomatic from Germany.Exe, and 2 more filenames
- [IP] Network – 3.228.54.173, 80.85.156[.]151, and 185.144.31[.]86
- [Domain] broker.emqx.io
- [URL] GitHub raw links – https://raw.githubusercontent[.]com/YanNaingOo0072022/14/main/Documents.rar, https://raw.githubusercontent[.]com/YanNaingOo0072022/ee/main/CVs Amb.rar