MQsTTang: Mustang Panda’s Latest Backdoor Treads New Ground with Qt and MQTT

Background:

In early 2023, the China-sponsored group Mustang Panda began experimenting with a new custom backdoor dubbed MQsTTang. The backdoor takes its name from the attribution and from its unusual use of the MQTT protocol for command and control (C2) communication; MQTT is typically used for communication between IoT devices and their controllers. To speak the protocol, MQsTTang uses the open-source QMQTT library, which is based on the Qt framework. MQsTTang is delivered through a spearphishing message with a malicious link pointing at a RAR archive that contains a single malicious executable. It was delivered to targets in Australia, Bulgaria, Taiwan, and likely other countries in Asia and Europe.

Takeaway:

Mustang Panda is likely exploring this communication protocol in an attempt to hide its C2 traffic. A defense-in-depth approach should be used to stop sophisticated threats that evolve and use a variety of defense-evasion techniques. Sensitive government-sector workers should be educated about spearphishing and be wary of executable files delivered in archives.
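Because MQTT is rarely legitimate on user endpoints, one detection angle is to recognise the MQTT CONNECT packet that every MQTT client (QMQTT included) must send first and to alert when it comes from a host that is not an approved MQTT client. The Python below is an added example, not code from the original report or from MQsTTang; the packet bytes, hostnames and allowlist are constructed.

```python
import struct

CONNECT_SAMPLE = bytes.fromhex(        # constructed MQTT 3.1.1 CONNECT, client ID "mqsttang-demo"
    "10" "19"                          # type 1 (CONNECT) | remaining length 25
    "0004" + b"MQTT".hex() + "04"      # protocol name | protocol level 4 (3.1.1)
    "02" "003c"                        # connect flags: clean session | keep-alive 60 s
    "000d" + b"mqsttang-demo".hex())   # payload: client identifier

def remaining_length(data, pos):
    # MQTT variable-length integer: 7 data bits per byte, MSB set means continue.
    value, mult = 0, 1
    for _ in range(4):
        b, pos = data[pos], pos + 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos
        mult *= 128
    raise ValueError("malformed remaining length")

def parse_connect(pkt):
    # Return the CONNECT header fields, or None if pkt is not an MQTT CONNECT.
    if len(pkt) < 2 or pkt[0] != 0x10:       # type 1 with reserved flag bits zero
        return None
    n, pos = remaining_length(pkt, 1)
    body = pkt[pos:pos + n]
    if len(body) != n:
        raise ValueError("truncated CONNECT")
    name_len = struct.unpack_from(">H", body)[0]
    name = body[2:2 + name_len].decode("ascii", "replace")
    if name not in ("MQTT", "MQIsdp"):       # v3.1.1/v5 and legacy v3.1 names
        return None
    level, _flags, keep_alive = struct.unpack_from(">BBH", body, 2 + name_len)
    cid_len = struct.unpack_from(">H", body, 6 + name_len)[0]
    cid = body[8 + name_len:8 + name_len + cid_len].decode("utf-8", "replace")
    return {"protocol": name, "level": level, "keep_alive": keep_alive, "client_id": cid}

def unexpected_mqtt_connects(flows, allowed_clients):
    # flows: (src_host, dst_port, first_payload); alert on MQTT CONNECT from unapproved hosts.
    alerts = []
    for src, dport, payload in flows:
        try:
            hdr = parse_connect(payload)
        except (ValueError, IndexError, struct.error):
            continue                          # not MQTT, or too short to judge
        if hdr and src not in allowed_clients:
            alerts.append(f"{src}:{dport} MQTT level {hdr['level']} CONNECT client_id={hdr['client_id']!r}")
    return alerts

# Constructed flows: an IoT gateway expected to speak MQTT and a workstation that is not.
FLOWS = [("iot-gw-01", 1883, CONNECT_SAMPLE), ("ws-finance-07", 8883, CONNECT_SAMPLE)]
```

Matching on the packet rather than on port 1883/8883 matters because a C2 broker can listen on any port; the allowlist should be the inventory of hosts that legitimately run MQTT clients.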

Royal Ransomware

Background:

Royal is a double-extortion ransomware operation active since September 2022. Because some of its targets are in the US, the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency issued an advisory listing Royal domains and binaries seen up to January 2023. Royal has been targeting the communications, education, healthcare, manufacturing, and other industries, demanding from $1 million to $11 million USD in Bitcoin. The attackers often used the Gozi malware or the Cobalt Strike C2 framework for data exfiltration. Royal's crypter has a unique evasion setting that allows the attackers to lower the percentage of a large file that gets encrypted.

Takeaway:

Organizations should implement multifactor authentication for all services to the extent possible, particularly for accounts that access critical systems, remote monitoring and management software, virtual private networks, and webmail.

Redis Miner Leverages Command Line File Hosting Service

Background:

Cado Security researchers detected a cryptomining campaign targeting vulnerable Redis servers. Payloads are hosted on the open-source command-line file transfer service transfer[.]sh. Cryptomining (cryptojacking) attacks are often considered low-impact, but this campaign puts production systems at risk because the attackers tune the compromised host for mining. They disable the Security-Enhanced Linux (SELinux) module, ensure DNS requests can be resolved by public resolvers, and remove existing cron jobs and the cron spool. Additionally, they try to free up RAM by writing to drop_caches so that the kernel discards its filesystem caches.

Takeaway:

Unusually high CPU usage and overheating can be signs of malicious resource hijacking for cryptocurrency mining. Network defenders should keep their systems updated. Malicious optimization for mining puts your systems at risk of data corruption.

BlackLotus UEFI Bootkit: Myth Confirmed

Background:

ESET researchers identified in-the-wild instances of the BlackLotus bootkit, which is being sold on hacking forums for $5,000. BlackLotus is a UEFI bootkit capable of running even on fully up-to-date Windows 11 systems with UEFI Secure Boot enabled. It exploits the underlying Secure Boot Security Feature Bypass vulnerability (CVE-2022-21894) by reintroducing the legitimate but vulnerable UEFI binaries that Microsoft's January 2022 update replaced. Its infection chain involves two forced reboots that enable persistence. BlackLotus employs common anti-analysis and anti-debugging techniques. It is still rare, and the exact method used to deliver the BlackLotus installer is not known.

Takeaway:

This Secure Boot bypass will remain viable until Windows revokes the vulnerable bootloaders that BlackLotus depends on. Practice a defense-in-depth approach and keep your systems updated to avoid introduction of the BlackLotus installer.

RIG Exploit Kit In-Depth Analysis

Background:

The RIG exploit kit (RIG EK) is a global threat that has been active since 2014. It distributes Internet Explorer exploits via watering-hole attacks, collects victim data, and ultimately drops malware such as the Dridex, RaccoonStealer, or SmokeLoader infostealers. At the end of 2022, RIG EK added two new exploits, CVE-2021-26411 and CVE-2020-0674, achieving an extremely high exploitation rate among its victims (consistently 30%). RIG EK hides its exploit servers behind proxy servers, has an integrated antivirus-testing feature for its payloads, and typically updates them on a weekly to daily basis.

Takeaway:

Organizations need to move away from using Internet Explorer on their enterprise devices. Keep your software updated and replace end-of-life products that are no longer receiving updates.

Resecurity Disrupts Investment Scam Network – Digital Smoke

Background:

Resecurity researchers discovered a large network, dubbed Digital Smoke, that impersonates top-100 companies in order to promote fraudulent investment schemes. The network primarily targeted users in India (users transacting in Indian Rupees and using Indian cell phone numbers). Among the dozens of impersonated organizations were ABRDN (UK), Blackrock (US), Baxter Medical (US), Cigna (US), DJI (China), Eaton Corporation (US/UK), ITC Hotels (India), Ferrari (Italy), Lloyds Bank (UK), Novuna Business Finance (UK), Tata (India), Shell (UK), and Valesto Oil (Malaysia). The attack typically starts with an affiliate promoting the scam via an instant message, for example on YouTube or WhatsApp. The threat actors hid their activity using hidden redirects, domain cloaking, one-time URLs, and special invitation codes. The final instructions often required installing an app and/or registering an account. To receive funds, the attackers used AliPay, card-to-card payments to money mules, cryptocurrencies, and India's Unified Payments Interface.

Takeaway:

Profiled in late 2022, the Digital Smoke network was disrupted in early 2023. Potential investors should be very careful about personal messages with invite links and about offers that are too good to be true. Pay attention to the domain that is asking for your financial information, and try to establish its authenticity and ownership.