Discover and read the best of Twitter Threads about #MustangPanda

Most recents (2)

🧵#MustangPanda 🐼 (& other #APT groups) use DLL side-loading/search-order hijacking (see ATT&CK).

It's a pain for #CTI analysts who manually vet IOCs -> as this TTP involves delivering a valid vulnerable application, Bring-Your-Own-Vulnerable-App (BYOVA), if you will... 1/3
For example, take this Symantec.exe binary, it's a valid, signed file 🔍 but it's used by #MustangPanda 🐼 for dll side-loading!

Should you pre-emptively block it? Maybe. But first, be sure to check 📝 for its presence in the org -> before causing lots of alerts or worse ⚠️ 2/3 ImageImage
OR you should give warnings ⚠️ before sharing these BYOVA bins as IOCs!

🥲The CTI analyst struggle to vet IOCs is real... but this may help!

I created a Gist & VT Collection for triage:

1.🔗gist.github.com/BushidoUK/181d…

2. 🔗 virustotal.com/gui/collection…

Hopefully this is useful! 2/2
Read 3 tweets
#ESETResearch analyzed a new #MustangPanda backdoor. Its C&C communications is done over #MQTT using the open-source QMQTT library, so we named it MQsTTang. This library depends on parts of the Qt framework, statically linked in the PE. welivesecurity.com/2023/03/02/mqs… 1/5
A sample of MQsTTang was identified by @Unit42_Intel on 2023-02-17. As stated in that thread, the backdoor uses the legitimate MQTT broker 3.228.54.173. This has the benefit of hiding their actual C&C servers from victims and analysts. 2/5
This malware family is also tracked as "Kumquat" by @threatinsight.
3/5
Read 5 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!