Mustang Panda and the Rise of Custom Malware Usage by Chinese State-Sponsored Actors 

The rise of custom malware usage by Chinese state-sponsored advanced persistent threat (APT) groups is a growing concern among cybersecurity experts. This article focuses on the newly discovered backdoor called MQsTTang by the Chinese APT group, Mustang Panda. MQsTTang is a single-stage backdoor that uses MQTT for command-and-control (C2) communications, which is an unusual choice for APT groups. The article also highlights the trend of Chinese APT groups using custom malware, and the implications of this trend for organizations.  

Mustang Panda, a Chinese APT group (also known as RedDelta or BRONZE PRESIDENT), has been observed using a new custom backdoor called MQsTTang as part of an ongoing social engineering campaign that targets European political organizations. MQsTTang was discovered by researchers at ESET in January 2023 and is a minimal, single-stage backdoor that allows for executing arbitrary commands received from a remote server. 

One unusual aspect of the MQsTTang implant is its use of an Internet of Things (IoT) messaging protocol called MQTT for C2 communications, which is achieved using an open-source library called QMQTT. The use of MQTT for C2 communications is a departure from the group’s previous techniques and may make it more difficult for security solutions to detect and block the backdoor. The development of MQsTTang suggests that Mustang Panda is continuing to invest in the development of custom malware that can be tailored to specific campaigns and objectives. 

Historically, Mustang Panda has used a remote access trojan (RAT) called PlugX to achieve its objectives. PlugX is a modular RAT that allows the attacker to take complete control of an infected system. However, in recent years, the group has expanded its malware arsenal to include custom tools such as TONEINS, TONESHELL, and PUBLOAD. The use of custom malware allows the group to evade detection by security solutions that can recognize existing malware families. 

In December 2022, Avast reported on attacks aimed at government agencies and political non-governmental organizations (NGOs) in Myanmar that used a variant of the PlugX remote access trojan called Hodur, and a Google Drive uploader utility to exfiltrate sensitive data. A File Transfer Protocol (FTP) server linked to the threat actor was also discovered to host previously undocumented tools used to distribute malware, including a Go-based trojan called JSX and a sophisticated backdoor referred to as HT3. The discovery of MQsTTang suggests a continuation of the trend of APT groups using custom malware and exploring new technology stacks for their tools. 

What is Driving this Trend and Implications 

Chinese state-sponsored APT groups such as Mustang Panda are increasingly using custom malware and exploring new technology stacks for their tools. This trend is driven by the need to evade detection by security solutions and the desire to achieve more sophisticated capabilities. The implications of this trend for organizations that may be targeted by these groups include the need for greater investment in advanced threat detection and response capabilities, increased collaboration and information sharing between organizations, and the implementation of network segmentation and other security measures. As APT groups continue to evolve and adapt their tactics, organizations must remain vigilant and adapt their defenses accordingly. 

Furthermore, this trend is driven by the desire to achieve more advanced capabilities, such as the ability to steal data from air-gapped networks, which requires a high level of sophistication and knowledge of the target network’s architecture. Custom malware allows APT groups to create malware that is specifically designed to achieve these types of capabilities, making it more difficult for security solutions to detect and block their activities. 

This trend of Chinese state-sponsored APT groups using custom malware and exploring new technology stacks for their tools has significant implications for organizations that may be targeted by these groups. Traditional security solutions such as antivirus software and firewalls may not be enough to detect and respond to custom malware. Organizations need to invest in advanced threat detection and response capabilities such as endpoint detection and response (EDR), network traffic analysis (NTA), and threat hunting. These capabilities can help organizations detect and respond to advanced threats such as custom malware. 

Another implication of this trend is the need for greater collaboration and information sharing between organizations. APT groups often target multiple organizations in the same industry or sector, and the knowledge gained by one organization can be used to protect others. This requires organizations to share threat intelligence with each other, which can be challenging due to concerns about sharing sensitive information. However, there are several initiatives and platforms that facilitate the sharing of threat intelligence between organizations, such as the Cyber Threat Alliance (CTA), the Information Sharing and Analysis Center (ISAC), and various government-run information sharing programs. 

Steps to Defend your Organization Against State-Sponsored APT Groups 

In addition to investing in advanced threat detection and response capabilities, and collaborating with other organizations, there are several other steps that organizations can take to defend against Chinese state-sponsored APT groups. One step is to implement network segmentation, which involves dividing the network into smaller, isolated segments that are separated by firewalls or other network security devices. This can limit the impact of a potential breach by preventing the attacker from moving laterally across the network. Another step is to restrict the use of certain protocols, such as MQTT, that are commonly used by APT groups for C2 communications. This can be achieved through network access control (NAC) or other security policies. 

As APT groups continue to evolve and adapt their tactics, organizations must remain vigilant and adapt their defenses accordingly. The trend of Chinese state-sponsored APT groups using custom malware and exploring new technology stacks for their tools is likely to continue, making it imperative for organizations to stay ahead of the curve in terms of their security posture. By investing in advanced threat detection and response capabilities, collaborating with other organizations, and implementing effective security measures, organizations can better protect themselves from the growing threat of APT groups like Mustang Panda. 

As Chinese APT groups continue to use custom malware and explore new technology stacks for their tools, organizations must invest in advanced threat detection and response capabilities such as EDR and NTA. Implementing network segmentation and restricting the use of certain protocols can also help defend against APT groups. Additionally, greater collaboration and information sharing between organizations in the same industry or sector can help protect against APT groups that target multiple organizations. As the threat landscape continues to evolve, organizations must remain vigilant and adapt their defenses accordingly. For more information on emerging threats, follow our Cyber Threat Intelligence (CTI) team’s Threat Intelligence Hub and Threat Research pages.