The IT Nerd

 ESET, a global leader in cybersecurity, is proud to announce the establishment of its new Marketing, Communication, and Digital Business division, appointing Mária Trnková as Chief Marketing Officer. This strategic move, effective June 1, 2023, reflects ESET’s commitment to innovation, enhancing partner and customer experiences, and strengthening its brand presence in the market.

Mária Trnková, previously Vice President for the Consumer and IoT Segment at ESET, brings on board experience with the creation and implementation of an effective data-driven strategy. Mária started her career at ESET in the autumn of 2016. Her journey began as the EMEA Territory Marketing Manager, where she collaborated closely with regional teams to shape effective marketing strategies. During her six-year tenure, Mária showcased exceptional leadership skills, progressively taking on more responsibility and driving impactful results. When she stepped into the position of Segment VP in October 2019, she moved into a role with interfaces across the entire organization. She also worked closely with the company´s management to ensure Consumer and IoT segment strategy definition and effective implementation.

In her new role as Chief Marketing Officer, Mária will spearhead the newly formed Marketing, Communication, and Digital Business division. This strategic division will enhance ESET’s marketing support across segments, fortify its brand position, and foster innovation through closer collaboration with technology and Environmental, Social, and Governance (ESG) teams. The key enabler for successful marketing implementation will be close cooperation with regional and local branches, ensuring delivery of the utmost value to customers.

ESET researchers revealed today details about a prevalent cryptor malware, AceCryptor, which operates as a cryptor-as-a-service used by tens of malware families. This threat has been around since 2016, and has been distributed worldwide, with multiple threat actors actively using it to spread packed malware in their campaigns. During 2021 and 2022, ESET telemetry detected over 240,000 detection hits of this malware, which amounts to over 10,000 hits every month. It is likely sold on dark web or underground forums, and tens of different malware families have used the services of this malware. Many rely on this cryptor as their main protection against static detections.

“For malware authors, protecting their creations against detection is challenging. Cryptors are the first layer of defense for malware that gets distributed. Even though threat actors can create and maintain their own custom cryptors, for crimeware threat actors, it often may be time-consuming or technically difficult to maintain their cryptor in a fully undetectable state. Demand for such protection has created multiple cryptor-as-a-service options that pack malware,” says ESET researcher Jakub Kaloč, who analyzed AceCryptor.

Among the malware families found that used AceCryptor, one of the most prevalent was RedLine Stealer – malware available for purchase on underground forums and used to steal credit card credentials and other sensitive data, upload and download files, and even steal cryptocurrency. RedLine Stealer was first seen in Q1 2022; distributors have used AceCryptor since then, and continue to do so. “Thus, being able to reliably detect AceCryptor not only helps us with visibility into new emerging threats, but also with monitoring the activities of threat actors,” explains Kaloč.

During 2021 and 2022, ESET protected more than 80,000 customers affected by malware packed by AceCryptor. Altogether, there have been 240,000 detections, including the same sample detected at multiple computers, and one computer being protected multiple times by ESET software. AceCryptor is heavily obfuscated and has incorporated many techniques to avoid detection throughout the years.

“Even though we don’t know the exact pricing of this service, with this number of detections, we assume that the gains to the AceCryptor authors aren’t negligible,” theorizes Kaloč.

Because AceCryptor is used by multiple threat actors, malware packed by it is distributed in multiple ways. According to ESET telemetry, devices were exposed to AceCryptor-packed malware mainly via trojanized installers of pirated software, or spam emails containing malicious attachments. Another way someone may be exposed is via other malware that downloaded new malware protected by AceCryptor. An example is the Amadey botnet, which we have observed downloading an AceCryptor-packed RedLine Stealer.

Since many threat actors use the malware, anyone can be affected. Because of the diversity of packed malware, it is difficult to estimate how severe the consequences are for a compromised victim. AceCryptor may have been dropped by other malware, already running on a victim’s machine, or, if the victim got directly afflicted by, for example, opening a malicious email attachment, any malware inside might have downloaded additional malware; thus, many malware families may be present simultaneously.

AceCryptor has multiple variants and currently uses a multistage, three-layer architecture.

Even though attribution of AceCryptor to a particular threat actor is not possible for now, ESET Research expects that AceCryptor will continue to be widely used. Closer monitoring will help prevent and discover new campaigns of malware families packed with this cryptor.

For more technical information about AceCryptor, check out the blogpost “Shedding light on AceCryptor and its operation” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

Earn their trust, then attack.

ESET researchers discovered a perfectly safe Android app that had been available on the Google Play store with over 50,000 installs that only went bad in version 1.3.8.  This approach could work with any software.

In this case the iRecorder app was working perfectly for an entire year before the clean version was updated with malicious spyware code.

Apparently it’s very rare for a developer to upload a legitimate app, operate perfectly for almost a year, and then provide an update with malicious code. In this case, the code added was a customized version of the open-source AhMyth Android RAT that researchers have named AhRat.

From the research:

“Aside from providing legitimate screen recording functionality, the malicious iRecorder can record surrounding audio from the device’s microphone and upload it to the attacker’s command and control (C&C) server. It can also exfiltrate files with extensions representing saved web pages, images, audio, video, and document files, and file formats used for compressing multiple files, from the device. The app’s specific malicious behavior – exfiltrating microphone recordings and stealing files with specific extensions – tends to suggest that it is part of an espionage campaign.”

Ted Miracco, CEO, Approov Mobile Security had this to say:

   “The AhMyth Android RAT (Remote Access Trojan) specifically targets Android devices, and allows attackers to spy on victims and collect sensitive information such as call logs, text messages, GPS location, contacts, record audio and take screenshots. Cases like this where a ‘legitimate’ app developer inserts malware is not as uncommon as you may think, especially with “free” utilities where the user’s data is essentially the product deliverable. Even reputable mobile security apps tend to make a land grab when it comes to requesting permissions on devices for information that is certainly unnecessary for the proper functioning of the mobile app.

   “While more and more Android devices are supporting a feature called “Play Protect” (formerly “SafetyNet”) that can make sure apps are free of potential malware, in this case it would prove absolutely ineffective as the malware was added by the developer that is setting up the attestation criteria. In cases like these end-users need to be vigilant in making sure the permissions are commensurate with the requirements of the app and be cautious of apps from unofficial app stores. It is also important to avoid rooting (Android) or jailbreaking (iOS) devices as these processes will further weaken the device’s security and make it more vulnerable to malware attacks.”

Roy Akerman, Co-Founder & CEO, Rezonate followed up with this:

   “In many cases, a legitimate action may turn out to be of malicious intent. In this case a mobile application was delivering on its promise but easily turned malicious after trust was achieved. The same could be said of rogue employees, once they gain systems access, and could apply to most any software whether on mobile or desktop.

   “Being stealthy can be accomplished by hiding below detection radars with a low and slow attacks, hidden with a benign traffic, or the exact opposite and fully open as a legitimate application. This is why continuous monitoring and behavioral pattern monitoring of usage and code is mandatory to defend against this risk.”

This reinforces the fact that downloading apps is sometimes a risky business. Thus I would recommend that both individuals and companies take steps to make sure that they are not a victim of this attack vector. For individuals, that can mean practising safe computing habits. For businesses it can mean restricting what one can or cannot download onto devices. Those at the very least would limit the exposure to this.

ESET has released its APT Activity Report, which summarizes the activities of selected advanced persistent threat (APT) groups that were observed, investigated, and analyzed by ESET researchers from October 2022 until the end of March 2023. The report is being published on a semi-annual basis. During this period, several China-aligned threat actors such as Ke3chang and Mustang Panda focused on European organizations. In Israel, Iran-aligned group OilRig deployed a new custom backdoor. North Korea-aligned groups continued to focus on South Korean and South Korea-related entities. Russia-aligned APT groups were especially active in Ukraine and EU countries, with Sandworm deploying wipers.

Malicious activities described in the ESET APT Activity Report are detected by ESET technology. “ESET products protect our customers’ systems from the malicious activities described in this report. The intelligence shared here is based mostly on proprietary ESET telemetry data and has been verified by ESET researchers,” says Director of ESET Threat Research Jean-Ian Boutin.

China-aligned Ke3chang employed tactics such as the deployment of a new Ketrican variant, and Mustang Panda used two new backdoors. MirrorFace targeted Japan and implemented new malware delivery approaches, while Operation ChattyGoblin compromised a gambling company in the Philippines by targeting its support agents. India-aligned groups SideWinder and Donot Team continued to target governmental institutions in South Asia with the former targeting the education sector in China, and the latter continuing to develop its infamous yty framework, but also deploying the commercially available Remcos RAT. Also in South Asia, ESET Research detected a high number of Zimbra webmail phishing attempts. 

In addition to targeting the employees of a defense contractor in Poland with a fake Boeing-themed job offer, North Korea-aligned group Lazarus also shifted its focus from its usual target verticals to a data management company in India, utilizing an Accenture-themed lure. ESET also identified a piece of Linux malware being leveraged in one of their campaigns. Similarities with this newly discovered malware corroborate the theory that the infamous North Korea–aligned group is behind the 3CX supply-chain attack.

Russia-aligned APT groups were especially active in Ukraine and EU countries, with Sandworm deploying wipers (including a new one ESET calls SwiftSlicer), and Gamaredon, Sednit, and the Dukes utilizing spearphishing emails that, in the case of the Dukes, led to the execution of a red team implant known as Brute Ratel. Finally, ESET detected that the previously mentioned Zimbra email platform was also exploited by Winter Vivern, a group particularly active in Europe, and researchers noted a significant drop in the activity of SturgeonPhisher, a group targeting government staff of Central Asian countries with spearphishing emails, leading to our belief that the group is currently retooling.

For more technical information, check the full “ESET APT Activity Report” on WeLiveSecurity. Make sure to followESET Research on Twitter for the latest news from ESET Research.

ESET APT Activity Reports contain only a fraction of the cybersecurity intelligence data provided to customers of ESET’s private APT reports. ESET researchers prepare in-depth technical reports and frequent activity updates detailing activities of specific APT groups in the form of ESET APT Reports PREMIUM to help organizations tasked with protecting citizens, critical national infrastructure, and high-value assets from criminal and nation-state-directed cyberattacks. Comprehensive descriptions of activities described in this document were therefore previously provided exclusively to our premium customers. More information about ESET APT Reports PREMIUM that deliver high-quality strategic, actionable, and tactical cybersecurity threat intelligence is available at the ESET Threat Intelligence page.

Researchers at Eset discovered downloads of the Evasive Panda backdoor, MgBot, had been included in the update channels of otherwise legitimate applications. The campaign appeared aimed at stealing credentials and data for cyber espionage purposes and has been ongoing for two years. The attacks were able to target specific individuals in China and Nigeria, otherwise delivering uninfected updates to everyone else. 

 “During our investigation, we discovered that when performing automated updates, a legitimate application software component downloaded MgBot backdoor installers from legitimate URLs and IP addresses,” intelligence analyst Facundo Munoz wrote in the post.

Researchers observed the highest number of infected updates coming from an updater for the Tencent QQ Windows client:

 “Given the targeted nature of the attacks, we speculate that attackers would have needed to compromise the QQ update servers to introduce a mechanism to identify the targeted users to deliver them the malware, filtering out non-targeted users and delivering them legitimate updates,” Munoz wrote.

Roy Akerman, Co-Founder & CEO, Rezonate:

   “Despite increased investment in supply chain defenses, attackers continue to bypass controls and drop malware with legitimate processes and applications. Tencent’s QQ Windows client has been used for a long time now as a way to socially engineer and distribute malware in a targeted manner. This approach enables a wide reach across the entire platform as well as offering the shield of authenticity. 

   “We’re seeing the targeting of accounts happening more often vs. the traditional spray and pray, to meet a specific objective. A layered defense, continuous education of employees and monitoring of identity behavior for abuse of privileges are more critical than ever.”

This illustrates how dangerous some of these threat actor groups are as packaging this backdoor as part of a legitimate update is pretty crafty. It shows that more needs to be done at both the technology and human level to stop attacks like these from being successful.

 ESET, a global leader in digital security, today unveiled new research into corporate network devices that were disposed of and sold on the secondary market. After looking at configuration data from 16 distinct network devices, ESET found that over 56% – nine routers – contained sensitive company data.

Of the nine networks that had complete configuration data available:  

• 22% contained customer data
• 33% exposed data allowing third-party connections to the network
• 44% had credentials for connecting to other networks as a trusted party
• 89% itemized connection details for specific applications
• 89% contained router-to-router authentication keys
• 100% contained one or more of IPsec or VPN credentials, or hashed root passwords
• 100% had sufficient data to reliably identify the former owner/operator

Organizations often recycle aging tech through third-party companies that are charged with verifying the secure destruction or recycling of digital equipment and the disposal of the data contained therein. Whether an error by an e-waste company or the company’s own disposal processes, a range of data was found on the routers,

• Third-party data: As we have seen in real-world cyberattacks, a breach of one company’s network can proliferate to their customers, partners, and other businesses with whom they may have connections.
• Trusted parties: Trusted parties (which could be impersonated as a secondary attack vector) would accept certificates and cryptographic tokens found on these devices, allowing a very convincing adversary in the middle (AitM) attack with trusted credentials, capable of syphoning off corporate secrets, with victims unaware for extended periods.
• Customer data: In some cases, core routers point to internal and/or external information stores with specific information about their owners’ customers, sometimes stored on premises, which can open customers up to potential security issues if an adversary is able to gain specific information about them.
• Specific applications: Complete maps of major application platforms used by specific organizations, both locally hosted and in the cloud, were scattered liberally throughout the configurations of these devices. These applications range from corporate email to trusted client tunnels for customers, physical building security such as specific vendors and topologies for proximity access cards and specific surveillance camera networks, and vendors, sales and customer platforms, to mention a few. Additionally, ESET researchers were able to determine over which ports and from which hosts those applications communicate, which ones they trust, and which ones they do not. Due to the granularity of the applications and the specific versions used in some cases, known vulnerabilities could be exploited across the network topology that an attacker would already have mapped.
• Extensive core routing information: From core network routes to BGP peering, OSPF, RIP and others, ESET found complete layouts of various organizations’ inner workings, which would provide extensive network topology information for subsequent exploitation, were the devices to fall into the hands of an adversary. Recovered configurations also contained nearby and international locations of many remote offices and operators, including their relationship to the corporate office – more data that would be highly valuable to potential adversaries. IPsec tunneling can be used to connect trusted routers to each other, which can be a component of WAN router peering arrangements and the like.
• Trusted operators: The devices were loaded with potentially crackable or directly reusable corporate credentials – including administrator logins, VPN details, and cryptographic keys – that would allow bad actors to seamlessly become trusted entities and thus to gain access across the network.

The routers in this research originated at organizations ranging from medium-sized businesses to global enterprises in a variety of industries (data centers, law firms, third-party tech providers, manufacturing and tech companies, creative firms, and software developers). As part of the discovery process, ESET, where possible, disclosed the findings to each identified organization – several of them household names – collaborating to ensure they were aware of the details potentially compromised by others in the chain of custody of the devices. Some of the organizations with compromised information were shockingly unresponsive to ESET’s repeated attempts to connect, while others showed proficiency, handling the event as a full-blown security breach.

Organizations are reminded to verify that they are using a trusted, competent third party to dispose of devices, or that they are taking all the necessary precautions if handling the decommissioning themselves. That should extend past routers and hard drives to any device that’s part of the network. Many organizations in this research probably felt that they were contracting with reputable vendors, but their data still leaked. With this in mind, it’s recommended that organizations follow the manufacturer’s guidelines for removing all data from a device before it physically leaves their premises, which is a simple step that many IT staff can handle.

Organizations are reminded to treat disclosure notifications seriously. Doing otherwise may leave them vulnerable to a costly data breach and significant reputational damage. 

At RSA 2023, this research called “We (Could Have) Cracked Open the Network for Under $100” will be presented on April 24, 2023, at 9:40 a.m. PT.

To read the white paper, which includes resources on secure device disposal, visit WeLiveSecurity.

ESET researchers have discovered dozens of copycat Telegram and WhatsApp websites targeting mainly Android and Windows users with trojanized versions of these instant messaging apps. Most of the malicious apps we identified are clippers — a type of malware that steals or modifies the contents of the clipboard. All of them are after victims’ cryptocurrency funds, with several targeting cryptocurrency wallets. This was the first time ESET Research had seen Android clippers focusing specifically on instant messaging. Moreover, some of these apps use optical character recognition (OCR) to recognize text from screenshots stored on the compromised devices, which is another first for Android malware.

Based on the language used in the copycat applications, it seems that the operators behind them mainly target Chinese-speaking users. Because both Telegram and WhatsApp have been blocked in China for several years now, with Telegram being blocked since 2015 and WhatsApp since 2017, people who wish to use these services have to resort to indirect means of obtaining them.

The threat actors first set up Google Ads leading to fraudulent YouTube channels, which then redirected the viewers to copycat Telegram and WhatsApp websites. ESET Research immediately reported the fraudulent ads and related YouTube channels to Google, which promptly shuttered them all.

“The main purpose of the clippers we discovered is to intercept the victim’s messaging communications and replace any sent and received cryptocurrency wallet addresses with addresses belonging to the attackers. In addition to the trojanized WhatsApp and Telegram Android apps, we also found trojanized Windows versions of the same apps,” says ESET researcher Lukáš Štefanko, who discovered the trojanized apps.

Despite serving the same general purpose, the trojanized versions of these apps contain various additional functionalities. The analyzed Android clippers constitute the first instance of Android malware using OCR to read text from screenshots and photos stored on the victim’s device. OCR is deployed in order to find and steal a seed phrase, which is a mnemonic code composed of a series of words used for recovering cryptocurrency wallets. Once the malicious actors get hold of a seed phrase, they are free to steal all the cryptocurrency directly from the associated wallet.

In another instance, the malware simply switches the victim’s cryptocurrency wallet address for the attacker’s address in chat communication, with the addresses being either hardcoded or dynamically retrieved from the attacker’s server. In yet another instance, the malware monitors Telegram communication for certain keywords related to cryptocurrencies. Once such a keyword is recognized, the malware sends the full message to the attacker’s server.

ESET Research also found Windows versions of the wallet-switching clippers, as well as Telegram and WhatsApp installers for Windows bundled with remote access trojans (RATs). In a departure from the established pattern, one of the Windows-related malware bundles is not composed of clippers, but of RATs that enable full control of the victim’s system. This way, the RATs are able to steal cryptocurrency wallets without intercepting the application flow.

“Install apps only from trustworthy and reliable sources, such as the Google Play store, and do not store unencrypted pictures or screenshots containing sensitive information on your device. If you believe you have a trojanized version of Telegram or WhatsApp, manually remove it from your device and download the app either from Google Play or directly from the legitimate website,” advises Štefanko. “For Windows, if you suspect that your Telegram app is malicious, use a security solution to detect the threat and remove it for you. The only official version of WhatsApp for Windows is currently available in the Microsoft store.”

For more technical information about the clippers built into instant messaging apps, check out the blog post “Not-so-private messaging: Trojanized WhatsApp and Telegram apps go after cryptocurrency wallets” on WeLiveSecurity.

ESET researchers have uncovered a compromise of an East Asian data-loss prevention (DLP) company. During the intrusion, the attackers deployed at least three malware families and compromised internal update servers and third-party tools used by the affected company. As a result, two customers of the company were subsequently compromised. ESET attributes the campaign with high confidence to the Tick APT group. Based on Tick’s profile, the objective of the attack was most likely cyberespionage. The customer portfolio of the DLP company includes government and military entities, making the compromised company an especially attractive target for an APT group such as Tick.

“The attackers compromised the DLP company’s internal update servers to deliver malware inside the software developer’s network, and trojanized installers of legitimate third-party tools used by the company, which eventually resulted in the execution of malware on the computers of its customers,” says ESET researcher Facundo Muñoz, who discovered Tick’s latest operation. “During the intrusion, the attackers deployed a previously undocumented downloader, which we’ve named ShadowPy, and also deployed the Netboy backdoor (aka Invader) as well as the Ghostdown downloader,” adds Muñoz.

The initial attack happened in March 2021, and ESET notified the company of the compromise. In 2022, ESET telemetry registered the execution of malicious code in the networks of two of the compromised company’s customers. Since trojanized installers were transferred via remote support software, ESET Research hypothesizes that this took place while the DLP company was providing technical support. The attackers also compromised two internal update servers, which delivered malicious updates for the software developed by this DLP company on two occasions to machines inside the network of the DLP company.

The previously undocumented downloader ShadowPy was developed in Python and  is loaded through a customized version of the open source project py2exe. ShadowPy contacts a remote server from where it receives new Python scripts that are decrypted and executed. The older Netboy backdoor supports 34 commands, including collecting system information, deleting a file downloading and executing programs, performing screen capture, and performing mouse and keyboard events requested by its controller.

Tick (also known as BRONZE BUTLER or REDBALDKNIGHT) is an APT group thought to have been active since at least 2006 and that mainly targets countries in the APAC region. This group is of interest for its cyberespionage operations, which focus on stealing classified information and intellectual property. Tick employs an exclusive custom malware toolset designed for persistent access to compromised machines, reconnaissance, data exfiltration, and download of tools.

For more technical information about the latest Tick campaign, check out the blogpost “The slow Tick-ing time bomb: Tick APT group compromise of a DLP software developer in East Asia” on WeLiveSecurity.

If this year’s International Women’s Day theme teaches us anything, it’s that in order to have true gender equity, it is essential for society to provide economic opportunity in spaces where women are underrepresented. 

To embrace women and support their journey, ESET, a global leader in IT security, will once again #EmbraceEquity with its eighth annual Women in Cybersecurity Scholarship, awarding the prize to four women in North America.

ESET will be providing $10,000 USD scholarships to two women in the United States and $5,000 CAD scholarships to two women in Canada. Applicants are required to be enrolled in a graduate or undergraduate program majoring in a STEM (science, technology, engineering and mathematics) field. In addition, the students will be asked to detail their career goals, and what steps they plan to take to “pay it forward” for other women pursuing careers in STEM.

Celeste Blodgett, Vice President of Human Resources at ESET is thrilled with how successful the scholarship has been over the years. “At ESET we believe in a culture of inclusion and a culture of equity – without opportunity, there can be no equity,” she said. “Year after year, we choose to support and empower women through the ESET Women in Cybersecurity Scholarship so they may pursue their passions in cybersecurity and STEM. This work is critical for us to break down barriers of entry into the field to support the next generation of female cybersecurity experts.”

Applications are now being accepted and are due by April 7, 2023, at 11:59 p.m. PT. Those who are ineligible to apply are encouraged to share this opportunity with friends and family.

A 2022 (ISC) Women in Cybersecurity Report found that women accounted for 30% of global cybersecurity workers who are under the age of 30; additionally, they accounted for just 14% of those 60 or older. Slowly and through every generation, there is progress being made but there is still so much more to do.

“Shifts are happening within the industry and while at first glance, they might seem dramatic, it is more of a trickle-down effect and there needs to be resources in place to speed up the culture of equity in the workplace,” said Blodgett. “I’ve been lucky enough to hear the stories of the inspiring women who have applied for the scholarship, showing both their passion in the technology field and desire to do good in the world. I look forward to awarding the ESET scholarships to another round of strong, inspiring candidates this year.” 

REQUIREMENTS, DETAILS AND HOW TO APPLY

ESET will award scholarship to a woman who is currently enrolled as a graduate/undergraduate student in North America, majoring in a STEM field of study.

How do I qualify for the scholarship?

You must be enrolled in or accepted to an accredited college or university within North America. (The graduate/undergraduate program does not have to be a cybersecurity program; however, in your application, you should make clear that you aspire to have a career in the cybersecurity industry.)

New this year: ESET has decided to forego minimum GPA requirements so anyone interested and passionate in science, technology and cybersecurity can apply.

What is the deadline for submission?

Submissions will be accepted from March 8, 2023 – April 7, 2023 at 11:59 p.m. EST.

ESET will announce the winner in May 2023.

What do I submit / How do I submit my application?

Applicants can apply and learn more about the scholarships by visiting our application pages. If you’re a US student, you can apply here; if you’re a Canadian student, apply here.

Additional details

• Essays may be submitted in English or Spanish for US students.
• Essays may be submitted in English or French for Canadian students. 
• Finalists may be required to supply additional personal or professional references.
• Judging is conducted by a panel of ESET staff, including cybersecurity experts.
• Winners will be asked to provide a photo of themselves, which may be used for promotional purposes.
• If the application or essays are incomplete, they will not be considered.
• Immediate family members or dependents of ESET employees are not eligible to participate.

Questions? Email us at US-scholarship@eset.com [US-only inquiries] or CA-scholarship@eset.com [Canada-only inquiries] with any questions, and we’ll get back to you as soon as possible.

ESET researchers have just analyzed MQsTTang, a new custom backdoor that they attribute to the China-aligned Mustang Panda APT group. This backdoor is part of an ongoing campaign that ESET can trace back to early January 2023. ESET Research has seen unknown entities in Bulgaria and Australia in their telemetry as targets. ESET also has information indicating that Mustang Panda is targeting a governmental institution in Taiwan. Due to the nature of the decoy filenames used, ESET researchers believe that political and governmental organizations in Europe and Asia are also being targeted. The Mustang Panda campaign is still ongoing as of this writing, and the group has increased its activity in Europe since Russia’s invasion of Ukraine.

Based on their telemetry, ESET Research can confirm that unknown entities in Bulgaria and Australia are being targeted. In addition, a governmental institution in Taiwan appears to be a target. The victimology is unclear, but the decoy filenames make ESET believe that political and governmental organizations in Europe and Asia are also being targeted. This would also be in line with the targeting of the group’s latest campaigns. 

MQsTTang is a barebones backdoor that allows the attacker to execute arbitrary commands on a victim’s machine and capture the output. The malware uses the MQTT protocol for Command and Control communication. MQTT is typically used for communication between IoT devices and controllers, and the protocol hasn’t been used in many publicly documented malware families.

MQsTTang is distributed in RAR archives that only contain a single executable. These executables usually have filenames related to diplomacy and passports.

For more technical information about MQsTTang, check out the blog post “MQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and MQTT” on WeLiveSecurity.