Category Archives: Intelligence

New Bad Magic APT used CommonMagic framework in the area of Russo-Ukrainian conflict

Threat actors are targeting organizations located in Donetsk, Lugansk, and Crimea with a previously undetected framework dubbed CommonMagic.

In October 2022, Kaspersky researchers uncovered a malware campaign aimed at infecting government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions with a previously undetected framework dubbed CommonMagic.

Researchers believe that the threat actors used spear phishing as the initial attack vector; the messages include a URL pointing to a ZIP archive hosted on a web server under the attackers' control. The archive contained two files: a decoy document (PDF, XLSX and DOCX versions were observed) and a malicious LNK file with a double extension (e.g., .pdf.lnk) used to start the infection and deploy the PowerMagic backdoor.

Malicious ZIP archive (Source Kaspersky)

Kaspersky attributes the attack to a new APT group operating in the area of the Russo-Ukrainian conflict, tracked as Bad Magic.

The experts noticed that the TTPs observed during this campaign have no direct link to any known campaigns.

PowerMagic is a PowerShell backdoor that executes arbitrary commands sent by the C2 and exfiltrates the results to cloud services such as Dropbox and Microsoft OneDrive.

“When started, the backdoor creates a mutex – WinEventCom. Then, it enters an infinite loop communicating with its C&C server, receiving commands and uploading results in response. It uses OneDrive and Dropbox folders as transport, and OAuth refresh tokens as credentials.” reads the report published by Kaspersky.

The threat actor likely used the PowerMagic backdoor to deliver the modular CommonMagic framework.

Each module of the CommonMagic framework is used to perform a certain task, such as communicating with the C2 server, encrypting and decrypting C2 traffic, and executing plugins.

Kaspersky analyzed two plugins, used respectively to capture screenshots every three seconds and to collect the contents of files with the following extensions from connected USB devices: .doc, .docx, .xls, .xlsx, .rtf, .odt, .ods, .zip, .rar, .txt, .pdf.

“So far, we have found no direct links between the samples and data used in this campaign and any previously known actors.” concludes the report. “However, the campaign is still active, and our investigation continues. So, we believe that further discoveries may reveal additional information about this malware and the threat actor behind it.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CommonMagic)

2022 Zero-Day exploitation continues at a worrisome pace

Experts warn that 55 zero-day vulnerabilities were exploited in attacks carried out by ransomware and cyberespionage groups in 2022.

Cybersecurity firm Mandiant reported that ransomware and cyberespionage groups exploited 55 zero-day flaws in attacks in the wild.

Most of the zero-day vulnerabilities were in software from Microsoft, Google, and Apple.

The figures show a decrease from 2021, but experts pointed out that they represent almost triple the number from 2020.

The majority of the zero-day vulnerabilities were exploited by China-linked threat actors as part of their cyberespionage campaigns.

The researchers reported that only four zero-day vulnerabilities were exploited by financially motivated threat actors, with 75% of these instances linked to ransomware attacks.

“Products from Microsoft, Google, and Apple made up the majority of zero-day vulnerabilities in 2022, consistent with previous years. The most exploited product types were operating systems (OS) (19), followed by browsers (11), security, IT, and network management products (10), and mobile OS (6).” reads the report published by Mandiant.

According to the report, 13 zero-days in 2022 were exploited by cyber espionage groups, a figure that is consistent with 2021. Seven zero-days (CVE-2022-24682, CVE-2022-1040, CVE-2022-30190, CVE-2022-26134, CVE-2022-42475, CVE-2022-27518, and CVE-2022-41328) were exploited in attacks in the wild by China-linked cyberespionage groups, while two zero-day vulnerabilities were exploited by suspected North Korea-linked APT groups.

“We identified four zero-day vulnerabilities for which we could attribute exploitation by financially motivated threat actors, a quarter of the total 16 zero-days for which we could determine a motivation for exploitation. 75% of these instances appear to be linked to ransomware operations, consistent with 2021 and 2019 data in which ransomware groups exploited the highest volume of zero-day vulnerabilities compared to other financially motivated actors.” continues the report. “However, the overall count and proportion of the total of financially motivated zero-day exploitation declined in 2022 compared to recent years.”

Multiple China-linked APT groups exploited the vulnerability CVE-2022-30190, aka Follina, while the exploitation of FortiOS vulnerabilities CVE-2022-42475 and CVE-2022-41328 was observed in particularly notable campaigns in 2022.

Mandiant believes that there is a shared development and logistics infrastructure behind the attacks.

Mandiant also observed two instances of Russian state zero-day exploitation. The first was a campaign carried out by the Russia-linked APT28 group exploiting the CVE-2022-30190 flaw (aka Follina) in early June 2022. The second was a months-long campaign exploiting the Microsoft Exchange vulnerability CVE-2023-23397, conducted by a threat actor tracked as UNC4697 (likely linked to the APT28 group).

The experts explained that increased focus on disrupting Russian cyber operations since Russia’s invasion of Ukraine may have discouraged Russia-linked groups from widely using zero-day exploits for access they expected to lose quickly. This implies that the exploitation of the CVE-2022-30190 flaw was likely opportunistic.

“Almost all 2022 zero-day vulnerabilities (53) were exploited for the purpose of achieving either (primarily remote) code execution or gaining elevated privileges, both of which are consistent with most threat actor objectives. While information disclosure vulnerabilities can often gain attention due to customer and user data being at risk of disclosure and misuse, the extent of attacker actions from these vulnerabilities is often limited.” concludes the report. “Alternatively, elevated privileges and code execution can lead to lateral movement across networks, causing effects beyond the initial access vector.”


Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

China-linked APT likely linked to Fortinet zero-day attacks

An alleged Chinese threat actor group is behind attacks on government organizations exploiting a Fortinet zero-day flaw (CVE-2022-41328).

A suspected China-linked group is exploiting a Fortinet zero-day vulnerability, tracked as CVE-2022-41328, in attacks aimed at government organizations.

A few days ago, Fortinet researchers warned of an advanced threat actor that is targeting governmental or government-related entities.

The unknown threat actor is exploiting a vulnerability in Fortinet FortiOS software, tracked as CVE-2022-41328, that may allow a privileged attacker to read and write arbitrary files via crafted CLI commands.

The CVE-2022-41328 vulnerability (CVSS score: 6.5) is a path traversal issue in FortiOS that can result in arbitrary code execution.

“An improper limitation of a pathname to a restricted directory vulnerability (‘path traversal’) [CWE-22] in FortiOS may allow a privileged attacker to read and write arbitrary files via crafted CLI commands.” reads the advisory published by Fortinet.

The vulnerability impacts FortiOS versions 6.0, 6.2, 6.4.0 through 6.4.11, 7.0.0 through 7.0.9, and 7.2.0 through 7.2.3. The company addressed the vulnerability with the release of versions 6.4.12, 7.0.10, and 7.2.4 respectively.

Fortinet launched an investigation into the attacks after the FortiGate devices of one customer suddenly halted and failed to reboot. The devices halted displaying the following error message:

“System enters error-mode due to FIPS error: Firmware Integrity self-test failed”

The failure of the integrity test blocks the reboot of the device to protect the integrity of the network.

Mandiant researchers linked a series of attacks that took place in mid-2022 to a China-linked threat actor tracked as UNC3886 by the security firm.

“a suspected China-nexus threat actor likely already had access to victim environments, and then deployed backdoors onto Fortinet and VMware solutions as a means of maintaining persistent access to the environments.” reads the report published by Mandiant. “This involved the use of a local zero-day vulnerability in FortiOS (CVE-2022-41328) and deployment of multiple custom malware families on Fortinet and VMware systems.”

The attackers exploited the CVE-2022-41328 zero-day to write files to FortiGate firewall disks outside of the normal bounds allowed with shell access, then they maintained persistent access with Super Administrator privileges within FortiGate Firewalls through ICMP port knocking.

Threat actors also bypassed the firewall rules active on FortiManager devices with a passive traffic redirection utility. They used a custom API endpoint created within the device to maintain persistence on FortiManager and FortiAnalyzer, then disabled OpenSSL 1.1.0 digital signature verification of system files through targeted corruption of boot files.

Once the Fortinet devices were compromised, the threat actors established backdoor access using two previously undocumented malware families: the Python-based Thincrust backdoor, disguised as legitimate API calls, and the ICMP port-knocking passive backdoor Castletap.

Having obtained access to the Fortinet devices, the attackers targeted ESXi servers to deploy malicious vSphere Installation Bundles containing the VIRTUALPITA and VIRTUALPIE backdoors. This allowed the attackers to maintain persistent access to the hypervisors and execute commands on guest virtual machines.

When FortiManager was not exposed to the Internet, the threat actors deployed a traffic redirector (Tableflip) and a passive backdoor (Reptile) to circumvent the new ACLs.

“many network appliances lack solutions to detect runtime modifications made to the underlying operating system and require direct involvement of the manufacturer to collect forensic images. Cross organizational communication and collaboration is key to providing both manufacturers with early notice of new attack methods in the wild before they are made public and investigators with expertise to better shed light on these new attacks.” concludes Mandiant.


Pierluigi Paganini

(SecurityAffairs – hacking, Fortinet)

Microsoft sheds light on a year of Russian hybrid warfare in Ukraine

Russia-linked threat actors targeted at least 17 European nations in 2023, and 74 countries since the start of the invasion of Ukraine.

Microsoft revealed that Russia-linked threat actors targeted at least 17 European nations between January and mid-February 2023. According to a report published by the IT giant, the state-sponsored hackers have targeted 74 countries since the start of the invasion of Ukraine. The cyber espionage operations aimed at government and defense-related organizations in Central and Eastern Europe and the Americas.

“Between January and mid-February 2023, Microsoft threat intelligence analysts have found indications of Russian threat activity against organizations in at least 17 European nations, with the government sector the most targeted.” reads the report published by Microsoft. “While these actions are most likely intended to boost intelligence collection against organizations providing political and material support to Ukraine, they could also, if directed, inform destructive operations.”

The report also states that the Russia-linked APT group IRIDIUM appears to be preparing for a renewed destructive campaign. The group could target Ukraine with destructive malware such as Foxblade and Caddywiper. The experts also reported that, as of late 2022, the state actor may have been testing additional malware with similar capabilities in destructive attacks on organizations outside Ukraine that serve key functions in Ukraine’s supply lines.

Sandworm (aka BlackEnergy and TeleBots) has been active since 2000; it operates under the control of Unit 74455 of the Russian GRU’s Main Center for Special Technologies (GTsST).

The group is also the author of the NotPetya ransomware that hit hundreds of companies worldwide in June 2017, causing billions worth of damage.

In April, Sandworm targeted energy facilities in Ukraine with a new strain of the Industroyer ICS malware (INDUSTROYER2) and a new version of the CaddyWiper wiper.

The APT hacking group is believed to have been behind numerous attacks this year, including an attack on Ukrainian energy infrastructure and the deployment of a persistent botnet called “Cyclops Blink” dismantled by the US government in April.

The most targeted countries since February 2022 are the United States (21%), followed by Poland (10%) and the UK (9%). The most targeted sectors outside Ukraine since Feb 2022 are government, IT/communications, and Think Tank/NGO.

“Within the 74 countries targeted by Russian threat actors between February 23, 2022 and February 7 of this year, Russian threat actors were most interested in government and IT sector organizations, just as they were in Ukraine. Several actors compromise IT firms to exploit trusted technical relationships and gain access to those firms’ clients in government, policy, and other sensitive organizations.” continues the report.

Microsoft reported that common tactics and techniques adopted by Russia-linked actors to breach the target networks have included the exploitation of internet-facing applications, backdoored pirated software, and ubiquitous spearphishing.

“Should Russia suffer more setbacks on the battlefield, Russian actors may seek to expand their targeting of military and humanitarian supply chains by pursuing destructive attacks beyond Ukraine and Poland.” concludes the report. “These possible cyberattacks, should the last year’s pattern continue, may incorporate newer destructive malware variants as well.”


Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)

Polish intelligence dismantled a network of Russian spies

Polish intelligence dismantled a cell of Russian spies that gathered info on military equipment deliveries to Ukraine via the EU member.

Polish counter-intelligence has dismantled a cell of Russian spies that gathered information on the provisioning of military equipment to Ukraine via the EU member.

“The ABW counter-intelligence agency has arrested nine people suspected of working for the Russian secret service,” Poland’s Interior Minister Mariusz Kaminski told reporters. “The suspects had been conducting espionage activities against Poland and preparing acts of sabotage on behalf of Russian intelligence services.”

The suspects are “foreigners from across Poland’s eastern border,” Kaminski added.

Polish Defense Minister Mariusz Blaszczak also confirmed that the network has been dismantled by the country’s counter-intelligence.

Polish authorities charged six suspects with espionage and participation in an organized criminal group. The other three individuals arrested by the authorities were still being questioned. The members of the spy network received regular payments from the Russian secret services.

Kaminski also added that the cell was planning acts of sabotage to interfere with the delivery of military equipment and aid to Ukraine. The group was also involved in carrying out propaganda activity to destabilize Polish-Ukrainian relations as well as fomenting anti-NATO sentiment in Poland.

“The suspects had also been preparing acts of sabotage meant to paralyze the delivery of military equipment, arms, and Ukraine aid,” Kaminski declared.

The agents of the Polish Internal Security Agency ABW seized electronic equipment and GPS transmitters that, once installed on trains carrying aid to Ukraine, allowed Russian intelligence to track the shipments.

Local media, such as the Polish radio station RMF, reported that the spies installed hidden cameras on important railway routes and junctions, recording and transmitting data on traffic.

Polish intelligence fears sabotage operations against railroads and critical infrastructure involved in the provisioning of military equipment to Ukraine.


Pierluigi Paganini

(SecurityAffairs – hacking, Polish intelligence)

Russia-linked APT29 abuses EU information exchange systems in recent attacks

Russia-linked APT29 group abused the legitimate information exchange systems used by European countries to target government entities.

Russia-linked APT29 (aka SVR group, Cozy Bear, Nobelium, and The Dukes) was spotted abusing the legitimate information exchange systems used by European countries in attacks aimed at governments.

In early March, BlackBerry researchers uncovered a new cyber espionage campaign aimed at EU countries. The hackers targeted diplomatic entities and systems transmitting sensitive information about the region’s politics, aiding Ukrainian citizens fleeing the country, and providing help to the government of Ukraine.

The attack chain commences with a spear-phishing email containing a weaponized document, which contains a link leading to the download of an HTML file.

The HTML files are hosted on a legitimate online library website that was likely compromised by the threat actors sometime between the end of January 2023 and the beginning of February 2023.

“One of the lures appeals to those who want to find out the Poland Ambassador’s schedule for 2023. It overlaps with Ambassador Marek Magierowski’s recent visit to the United States; specifically, his talk on February 2, where he discussed the war in Ukraine at the Catholic University of America Columbus School of Law, also known as the Catholic Law, which is based in Washington, DC.” reads the analysis published by BlackBerry.

The APT29 group also abused multiple legitimate systems, including LegisWrite and eTrustEx, which are used by EU nations for exchanging info and data in a secure way.

LegisWrite is an editing program used by governments within the European Union; its use in the malicious lure indicates that the threat actors specifically targeted state organizations within the EU.

The malicious HTML file employed in the attack is a version of NOBELIUM’s dropper tracked as ROOTSAW (aka EnvyScout). EnvyScout uses the HTML smuggling technique to deliver an IMG or ISO file to the victim’s system.

To maintain persistence, a new registry key is created under “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DsDiBacks”.

The BugSplatRc64.dll file allows cyber spies to collect and exfiltrate information about the infected system.

The nation-state actor abuses the API of the note-taking application Notion for C2 communication, a choice that helps the traffic evade detection.

“NOBELIUM actively collects intelligence information about the countries supporting Ukraine in the Russian-Ukraine war. The overlap between Poland’s Ambassador’s visit to the United States with the lure used in the attacks, provides evidence that the threat actors carefully follow geopolitical events and use them to increase their possibility of a successful infection.” concludes the report. “Furthermore, our initial analysis of weaponized LNK files shows that the threat actor behind this campaign used anti-forensic techniques to wipe out personal metadata to remove information connected to its operations systems.”


Pierluigi Paganini

(SecurityAffairs – hacking, Russia)

YoroTrooper APT group targets CIS countries and embassies

A new APT group, dubbed YoroTrooper, has been targeting government and energy organizations across Europe, experts warn.

Cisco Talos researchers uncovered a new cyber espionage group that has been targeting CIS countries, embassies and an EU health care agency since at least June 2022.

The APT group focuses on government or energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan and other Commonwealth of Independent States (CIS) countries. The experts reported that the group hacked accounts from at least two international organizations, a critical EU health care agency and the World Intellectual Property Organization (WIPO). Talos reported that the threat actor also likely targets other organizations across Europe and Turkish (Türkiye) government agencies.

Data stolen by the threat actors includes credentials from multiple applications, browser histories and cookies, system information and screenshots.

YoroTrooper’s arsenal includes Python-based, custom-built and open-source information stealers, such as the Stink stealer wrapped into executables via the Nuitka framework and PyInstaller. The group also employed commodity malware in its campaign, such as AveMaria/Warzone RAT, LodaRAT and Meterpreter.

The attack vectors are phishing emails with an attached archive containing two files, a shortcut file and a decoy PDF file.

The malicious LNK files act as downloaders that use mshta.exe to download and execute a remote HTA file on the infected endpoint.

“The malicious HTA files employed in this campaign have seen a steady evolution with the latest variant downloading the next-stage payload: a malicious EXE-based dropper and a decoy document. All these tasks are accomplished by running PowerShell-based commands.” continues Talos.

Talos states that there are some similarities in TTPs and victimology between the PoetRAT and YoroTrooper groups.

Some evidence collected by the experts suggests the threat actor is Russian-speaking, such as the presence of Telegram messages in Russian and Cyrillic snippets in the source code of the malware used by the actor.

“YoroTrooper has been consistently introducing new malware into their infection chains in this campaign, including both custom-built and commodity malware. It is worth noting that while this campaign began with the distribution of commodity malware such as AveMaria and LodaRAT, it has evolved significantly to include Python-based malware.” concludes the report that also includes Indicators of Compromise (IoCs). “This highlights an increase in the efforts the threat actor is putting in, likely derived from successful breaches during the course of the campaign.”


Pierluigi Paganini

(SecurityAffairs – hacking, YoroTrooper)

China-linked APT Sharp Panda targets government entities in Southeast Asia

China-linked APT group Sharp Panda targets high-profile government entities in Southeast Asia with the Soul modular framework.

In late 2022, CheckPoint researchers observed a campaign, attributed to the China-linked APT group Sharp Panda, targeting a high-profile government entity in Southeast Asia.

The state-sponsored hackers used a new version of the SoulSearcher loader, which eventually loads a new version of the Soul modular framework. 

The researchers pointed out that this is the first time the Soul malware framework is attributed to a known cluster of malicious activity, although it was previously used in attacks targeting the defense, healthcare, and ICT sectors in Southeast Asia. The researchers cannot exclude that the Soul framework is utilized by multiple threat actors in the area.

“The connection between the tools and TTPs (Tactics, Techniques and Procedures) of Sharp Panda and the previously mentioned attacks in Southeast Asia might serve as yet another example of key characteristics inherent to Chinese-based APT operations, such as sharing custom tools between groups or task specialization, when one entity is responsible for the initial infection and another one performs the actual intelligence gathering.” reads the analysis published by the experts.

CheckPoint researchers first identified Sharp Panda’s activity at the beginning of 2021; at the time, the APT group was targeting Southeast Asian government entities with spear-phishing attacks.

The attackers used a Word document with government-themed lures that relied on a remote template to download and run a malicious RTF document, weaponized with the infamous RoyalRoad kit.

Upon gaining a foothold in the target system, the malware starts a chain of fileless loaders, including a custom DLL downloader called 5.t Downloader and a second-stage loader that delivers the final backdoor.

The last stage payload used in Sharp Panda campaigns at the time was the custom backdoor VictoryDll.

The experts detailed multiple campaigns aimed at entities in Southeast Asian countries, such as Vietnam, Indonesia, and Thailand. Across the years, the initial part of the infection chain (the use of Word documents, RoyalRoad RTF and 5.t Downloader) remained the same, but in early 2023 the VictoryDll backdoor was replaced with a new version of the SoulSearcher loader.

In order to target only organizations in Southeast Asia, the attackers used a geo-fenced C&C server. The SoulSearcher loader is used for downloading, decrypting, and loading in memory the other modules of the Soul modular backdoor.

The main module of the Soul malware is tasked with communicating with the C&C server, and its primary purpose is to receive and load in memory additional modules. One of the most interesting features supported by the backdoor is “radio silence,” which allows threat actors to specify the hours in a week during which the backdoor is not allowed to communicate with the C2 server.

The most recent sample of the backdoor (compiled on 29/11/2022 02:12:34 UTC) is quite different from the samples previously analyzed by the experts. The new version of SoulBackdoor implements a new custom C2 protocol and a new set of API endpoints. The researchers noticed that the C&C requests contain additional HTTP request headers. The C2 commands supported by the newer variant primarily focus on loading additional modules, while lacking any common backdoor functionality such as manipulating local files, sending files to the C&C, and executing remote commands.

“The later stages of the infection chain in the described campaign are based on Soul, a previously unattributed modular malware framework. While the Soul framework has been in use since at least 2017, the threat actors behind it have been constantly updating and refining its architecture and capabilities. Based on the technical findings presented in our research, we believe this campaign is staged by advanced Chinese-backed threat actors, whose other tools, capabilities, and position within the broader network of espionage activities are yet to be explored.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, Sharp Panda)

Pegasus spyware used to spy on a Polish mayor

The phone of an opposition-linked Polish mayor was infected with the powerful Pegasus spyware, local media reported.

Reuters reported that the phone of an opposition-linked Polish mayor was infected with the Pegasus spyware. According to rumors, the Polish special services are using surveillance software to spy on government opponents.

The news of the hack was reported by the Gazeta Wyborcza daily, and unfortunately, it isn’t the first time that the Pegasus spyware was used in the country.

In 2021, the University of Toronto-based Citizen Lab reported that a Polish opposition duo was hacked with NSO spyware. The PiS government admitted having used the spyware, but pointed out that Pegasus was never used against political opponents.

According to the Gazeta Wyborcza daily, the spyware was used to spy on the phone of Jacek Karnowski, mayor of the city of Sopot, in 2018-2019. At the time, the Polish mayor was working on the opposition’s campaign for elections to the Senate.

“We will not allow the PiS machine to further destroy democracy, lead Poland to the East and sovietise our country,” Karnowski told Reuters. “The politicians who inspired and commissioned these activities belong in prison.”

In June 2022, the controversial Israeli surveillance vendor NSO Group told the European Union lawmakers that its Pegasus spyware was used by at least five countries in the region.

At the time, NSO Group’s General Counsel Chaim Gelfand admitted that the company had “made mistakes,” but that after the abuses of its software made the headlines it has canceled several contracts.

In April 2022, the Parliament set up a new inquiry committee investigating the use of Pegasus spyware and equivalent surveillance software used to spy on phones belonging to politicians, diplomats, and civil society members. The spyware was used to target several European leaders, including Spain’s Prime Minister Pedro Sánchez, and Spanish political groups, Hungary, and Poland.

If you want to read more about the Pegasus spyware, take a look at the report investigating Pegasus spyware’s impact on human rights launched by the Council of Europe on the occasion of the summer session of the Parliamentary Assembly.


Pierluigi Paganini

(SecurityAffairs – hacking, NSO)

MQsTTang, a new backdoor used by Mustang Panda APT against European entities

China-Linked Mustang Panda APT employed MQsTTang backdoor as part of an ongoing campaign targeting European entities.

China-linked Mustang Panda APT group has been observed using a new backdoor, called MQsTTang, in attacks aimed at European entities.

The hacking campaign began in January 2023; ESET researchers pointed out that the custom backdoor MQsTTang is not based on existing families or publicly available projects.

The attacks targeted entities in Bulgaria and Australia and a governmental institution in Taiwan. However, the decoy filenames used by the threat actors suggest that they have also targeted political and governmental organizations in Europe and Asia.

Mustang Panda is known for its customized Korplug backdoor (aka PlugX), but the recent discovery demonstrates that the group is expanding its arsenal.

Some of the attack infrastructure used in this campaign also matches the network fingerprint of infrastructure used by Mustang Panda in the past.

“One of the servers used in the current campaign was running a publicly accessible anonymous FTP server that seems to be used to stage tools and payloads. In the /pub/god directory of this server there are multiple Korplug loaders, archives, and tools that were used in previous Mustang Panda campaigns.” reads the analysis published by ESET.

MQsTTang supports common backdoor capabilities; one of its hallmarks is the use of the MQTT protocol for C&C communication. The MQTT protocol is typically used for communication between IoT devices and controllers, and the experts noticed that it hasn’t been used in many publicly documented malware families.

The encoding scheme used by the threat actors is the same for every communication. The MQTT message’s payload is a JSON object with a single attribute named msg. The value of this attribute is generated by first base64-encoding the actual content, XORing the result with the hardcoded string nasa, and base64-encoding it again.
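As an added example (not code from ESET's analysis or from the original post), the following Python reproduces the reported three-layer encoding so an analyst can decode MQTT payloads captured from a suspected MQsTTang infection; the XOR key nasa and the msg attribute name come from the report above, while the sample payloads are constructed here.

```python
"""Encoder/decoder for the MQsTTang C&C message format described by ESET."""
import base64
import json
from itertools import cycle
from typing import Optional

# Hardcoded XOR key reported for MQsTTang (from the ESET analysis quoted above).
XOR_KEY = b"nasa"
# Name of the single JSON attribute carried in each MQTT message payload.
MSG_ATTR = "msg"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the key is cycled over the input)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_msg(content: bytes) -> str:
    """Apply the reported scheme: base64 -> XOR with 'nasa' -> base64."""
    inner = base64.b64encode(content)
    return base64.b64encode(xor_bytes(inner, XOR_KEY)).decode("ascii")


def decode_msg(msg: str) -> bytes:
    """Reverse the scheme; raises ValueError on malformed base64."""
    outer = base64.b64decode(msg, validate=True)
    inner = xor_bytes(outer, XOR_KEY)
    return base64.b64decode(inner, validate=True)


def build_payload(content: bytes) -> bytes:
    """Produce an MQTT payload shaped like the reported {"msg": "..."} object.
    Used only to construct sample traffic for exercising the decoder."""
    return json.dumps({MSG_ATTR: encode_msg(content)}).encode("utf-8")


def parse_payload(payload: bytes) -> Optional[bytes]:
    """Decode a captured MQTT payload, or return None if it does not match
    the reported shape (a JSON object with exactly one string attribute, msg)."""
    try:
        obj = json.loads(payload)
    except ValueError:  # invalid JSON or invalid UTF-8
        return None
    if not (isinstance(obj, dict) and set(obj) == {MSG_ATTR}
            and isinstance(obj[MSG_ATTR], str)):
        return None
    try:
        return decode_msg(obj[MSG_ATTR])
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def triage(payloads):
    """Return the decoded content of every payload matching the scheme, keyed
    by its index in the capture; payloads that do not match are skipped."""
    hits = {}
    for i, raw in enumerate(payloads):
        decoded = parse_payload(raw)
        if decoded is not None:
            hits[i] = decoded
    return hits


if __name__ == "__main__":
    # Constructed sample capture: two payloads in the reported format and one
    # ordinary IoT telemetry message, which the decoder must leave alone.
    capture = [
        build_payload(b"beacon"),
        json.dumps({"temp": 21.5, "unit": "C"}).encode("utf-8"),
        build_payload(b"sample task text"),
    ]
    for idx, content in triage(capture).items():
        print(f"payload #{idx}: {content!r}")
```

Because the outer layer is plain base64 of XORed base64 text, matching payloads decode cleanly through both layers, while unrelated MQTT traffic fails the shape or base64 checks and is skipped.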

The backdoor is distributed in RAR archives containing only a single executable. The attackers used executables with names related to diplomacy and passports, such as “CVs Amb Officer PASSPORT Ministry Of Foreign Affairs.exe”, “Documents members of delegation diplomatic from Germany.Exe”, “PDF_Passport and CVs of diplomatic members from Tokyo of JAPAN.eXE”, and “Note No.18-NG-23 from Embassy of Japan.exe”.

The researchers noticed that the MQsTTang backdoor has only a single stage and doesn’t use any obfuscation techniques.

The malware maintains persistence through a dedicated task that creates a new value, qvlc, set to c:\users\public\vcall.exe under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key.

“This new MQsTTang backdoor provides a kind of remote shell without any of the bells and whistles associated with the group’s other malware families. However, it shows that Mustang Panda is exploring new technology stacks for its tools.” concludes the report. “It remains to be seen whether this backdoor will become a recurring part of the group’s arsenal, but it is one more example of the group’s fast development and deployment cycle.”


Pierluigi Paganini

(SecurityAffairs – hacking, Mustang Panda)