Tuesday, June 2, 2026

Use of MQTT in malware part 2: quick analysis

 
Note: I've had limited time to work on this. I took some time off to finish some training but wanted to finish this project as well since it's been sitting on my todo list for months. 
I'm not a professional malware analyst or threat intel person. I'm not super confident in my analysis. I also have a limited set of tools, services, and time. 

If text formatting/spacing sucks or you can't see images, it's Blogger's fault.
 

Analysis 

I'm labeling samples by hash. You should be able to copy the hashes into VT, Triage, Hybrid-Analysis, and AnyRun to find sandbox reports, pcaps, etc.
 
Python samples

Multiple Python samples were found. I also went for these samples because they would be relatively easy to analyze, and some of them exhibited malicious behavior in the VT and sandbox results.

05d9f87cc1bc5272d37a0da8d8bb5a5732760c13f7745395ef388951ee3963ad

I'm guessing this was someone doing a POC or testing, because they had named their app trojan.py.

 

They added persistence capability via the Startup folder.

The analysis also shows screenshot capability for both Windows and Linux systems.

 

This sample also does IP info gathering, which might actually be an interesting behavior to look for when searching sandbox results containing broker traffic. A lot of malware does something similar with various IP lookup sites.

 

ae0b5e6dd44ecce8bdc6e71c32f007011d9dd991540e7bbf3831c72f894f0325

Another Python sample. This one also does persistence the same way, using the Startup folder.

 

C2 setup

 

Command execution ability

 

It also seems to have the ability to open URLs and go through files.

 

71071750fa9c9e1d9305bbb9a1f1ed75ee86bf42c0d25c12def512aae3d8b097

This sample actually used TLS/SSL communication with the broker. Besides the encryption and encoding, the sample was also very simple.


0551b908ae6233a709107c5a787f47206ed174d01ce937cee7975c969fa1b23e

This sample was actually manipulating Defender, setting up persistence, and hiding itself.  

 

 

The sample apparently can run on Linux as well.

 

 

FCTRL/secure is used for communication.

 

 5e69317295f1c6bf0a545261d6a814cf77c0132dacbe340cb1e605ab49436c15

 This is another sample that seems to do a lot of odd things.

Scheduled task is used for persistence 

 

Recovery settings are changed.

 

There are various commands/abilities provided.

 

The pctrtl topic is used in this case.

 

07e4e006a2c76fd19143d95af25d22dfc65d971f4a63db0d06e751ad4ce20d22

Final Python sample. This one also had various abilities, like screenshot, persistence, keylogger, etc.

There are actually multiple samples I came across that used the topic/shared key shown in this sample.

Persistence

 

 

Keylogging

 

Commands/abilities

 

 

Golang samples

I found three similar samples. They are detected by AV, but I didn't find any write-ups when searching for some of the function names.

These were probably the most interesting samples I saw. The issue is, I'm not sure how prevalent they are, how they're spreading, who's using them, or for what.

486aab85f1445776580ae854c25be52198e7e120d454daa14ce8e54bddb1326d

ffd9273d8de6b9ba66adc5a2acff0761061cdb89e1d0f4ca972b86ed004b23af

b3c1b4c66b99f970c892770ad64899ddd625cfa99707d7e3b351793d3048e30c

Communication seems to be done with the /commands/ topic.

 

 File path artifacts for .go files

 

 

 

There are multiple commands and abilities, but one that stood out is the ability to install AnyDesk.

 

 

Here are some other abilities/commands, but I didn't really dive deeper into them. They're self-explanatory.

 

 

 

Others 

ea78ccfbe0b8e91ffa8eec30f79192b0dc89c3434775914ccc575705146e59e9

This sample was interesting. The file was UPX packed (technically Golang). It seems to be doing some SQL testing. This was one of the samples I didn't fully analyze.

Besides the broker, this also connects to Netlify: spiffy-crepe-c667e8[.]netlify[.]app. VT has a comment for this domain: "NKNShell Malware Distributed via VPN Website" - https://asec.ahnlab.com/en/91139/

This malware uses the NKN protocol (https://nkn.org/) as well.



Tools used

I used Ghidra, Wireshark, and MQTTExplorer. Triage and Hybrid-Analysis both provide sandbox results, pcaps, memory dumps, dropped files, etc.
 
For Python-based samples specifically, I just used web-based tools (obviously, be aware of what kind of data you're handling before uploading it to random sites...).
 
 
 
 

End

 
There are things I would do differently if I had more time and resources. Doing complex queries on VT Enterprise or sandbox data would be one of them. Querying for broker connections plus other weird behavior would surface interesting things to look at.
 
The other thing I'd love to do is monitor brokers for C2 traffic, but I mainly avoided that to avoid dealing with cryptography/math, and I'm not sure I'd see much anyway.
 
I also didn't look for any ELF files or standalone scripts. I think those might be interesting, especially scripts, if you can look for specific imports.

This was fun to look into for a bit but there are other more important security issues going on, obviously. 
 

Shoutouts

 
Thanks to Hybrid-Analysis/Crowdstrike and RecordedFuture/Hatching Triage for researcher accounts! <3 

Use of MQTT in malware

I'm alive but very busy!! 
It's been 10 years since I started this blog.
 
Changed the blog theme to dark mode because it's easier on the eyes. 
 
If text formatting/spacing sucks or you can't see images, it's Blogger's fault.


Intro

 
Note: I've had limited time to work on this. I took some time off to finish some training but wanted to finish this project as well since it's been sitting on my todo list for months. 
I'm not a professional malware analyst or threat intel person. I'm not super confident in my analysis. I also have a limited set of tools, services, and time. 
 

What is MQTT?
MQTT is a publish/subscribe protocol, sometimes used in IoT. It involves a broker/server that publishers and subscribers connect to in order to send and/or receive messages/data.
 
Usually there will be a topic or "channel" where subscribing/publishing happens. You can use wildcards to monitor everything under a specific topic.
 
These links provide a better explanation:
 
MQTT uses port 1883 for clear-text traffic, 8883 for TLS/SSL, and 443 over WebSocket.
 
Reason for looking into this
I looked at Tox before; now I'm looking at MQTT. It's another protocol that can be abused for C2, data transfer, etc.

  
(a message I got on discord) 

I often discuss using free services for doing offsec/threat stuff. There are some projects that already cover some of these services:  https://lots-project.com/ & https://lolfsaas.github.io/

There are a bunch of MQTT brokers that can be used for testing and also can be abused. 
 
 
(image from some fancy quotes site that came up in google images) 
 
The other reason I looked into this was because I thought it'd be easy to find some malware family and monitor a public broker & topic for what the malware is doing and get a presentation or at least a blog post out of it... 
 
One of the benefits of malware using public brokers is that you can monitor the specific topic being used, and MQTT's wildcard support makes that much easier.
 

Known activity

 
While doing research into MQTT use by malware, I found several articles talking about it. 
 
"WailingCrab’s core component is its backdoor, which is installed on the system only if the malware’s initial stages are completed successfully. Since mid-2023, WailingCrab’s backdoor component has communicated with the C2 using the MQTT protocol which is a lightweight IoT messaging protocol. MQTT uses a publish/subscribe architecture, whereby messages are published to ‘topics’ and received by subscribers, with message distribution handled by a centralized broker. In this instance, WailingCrab uses the legitimate, third-party broker, broker.emqx[.]io, which allows it to hide the true address of the C2 server." 
 
"MQsTTang is a barebones backdoor that allows the attacker to execute arbitrary commands on a victim’s machine and get the output. Even so, it does present some interesting characteristics. Chief among these is its use of the MQTT protocol for C&C communication." 
 
 
 
Prevalence
So MQTT is definitely used/abused by threat actors, but I'm not sure about the prevalence, as I don't really have enough data. This might be one of the reasons nobody really cares too much about this until they find a sample using MQTT, which is completely fair.
 

Finding samples

 
To look for samples, I started by making a list of free brokers that you can use for testing/dev. If I were a threat actor, I'd just use the free brokers.
 
 
I started by searching the domains on VirusTotal, AnyRun, Tria.ge, and Hybrid-Analysis. 
 
I mainly focused on VirusTotal and started going through some of the referring files or connecting files. 
 
Hybrid-Analysis also led to a few samples.

One thing I messed up and wasted time on was looking through VT and seeing a bunch of similar files in the Referring files section. I thought I was onto something and had found some interesting undetected malware. It turned out to be GONC (a Golang-based netcat tool): https://github.com/threatexpert/gonc#used-public-serversstun--mqtt
 
One of the biggest issues with looking for samples, especially with VT free, is that I found a bunch of stuff that was just devs using free services for their projects.
 
Ideally, I would look for communication with MQTT brokers AND some other activity, such as sandbox behavior, file attributes, or content, using queries or samples I had on disk.
 
I manually found some samples that I thought were interesting based on what I saw in VT behavior and in Triage analysis and focused on analyzing those.  
 
I also avoided ELF/Linux stuff and MQTT over WSS to make my life easier.

Potential detections 

 
Network traffic analysis
For detection, you could look for:
- traffic to brokers
- MQTT traffic
- traffic on default MQTT ports
- traffic content with specific topics or patterns on MQTT ports (with Suricata or Snort)
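As an added example (my code, not anything from the original post or from the samples), the following Python decodes MQTT 3.1.1 CONNECT, SUBSCRIBE and PUBLISH packets from raw TCP payload bytes and checks every topic against a watchlist using the same wildcard rules a broker applies (`+` matches exactly one level, `#` matches the remaining levels). That covers both the wildcard monitoring mentioned in the "What is MQTT?" section and the last bullet above: topic patterns can be matched on a carved pcap stream without a full MQTT stack. The session bytes and the watchlist (built from the /commands/, pctrtl and FCTRL/secure topics named in part 2) are constructed for illustration and are not captured from any real sample; the code assumes protocol version 3.1.1, so MQTT 5 properties are not parsed.

```python
"""Decode MQTT 3.1.1 control packets from raw bytes and flag watchlisted topics.
Added example for this post. Assumptions: the input is the reassembled TCP
payload of one client->broker session and the protocol level is 3.1.1."""
import struct

CONNECT, PUBLISH, SUBSCRIBE = 1, 3, 8  # control packet types (upper nibble of byte 0)

# Topic filters to alert on. Constructed from topics named in the post; not a tuned list.
WATCHLIST = ["/commands/#", "pctrtl", "FCTRL/secure"]

def _read_varint(buf, pos):
    """Decode the Remaining Length field: 7 data bits per byte, bit 7 = continuation."""
    value, multiplier = 0, 1
    for _ in range(4):
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) * multiplier
        if not b & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed Remaining Length")

def _read_string(buf, pos):
    """Decode a 2-byte big-endian length-prefixed UTF-8 string."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def decode_packets(stream):
    """Yield dicts for CONNECT, SUBSCRIBE and PUBLISH packets; other types are skipped."""
    pos = 0
    while pos < len(stream):
        ptype, flags = stream[pos] >> 4, stream[pos] & 0x0F
        remaining, body_start = _read_varint(stream, pos + 1)
        body = stream[body_start:body_start + remaining]
        pos = body_start + remaining
        if ptype == CONNECT:
            proto, p = _read_string(body, 0)
            level = body[p]                           # 4 = MQTT 3.1.1, 5 = MQTT 5
            client_id, _ = _read_string(body, p + 4)  # skip level, connect flags, keep-alive
            yield {"type": "CONNECT", "protocol": proto, "level": level, "client_id": client_id}
        elif ptype == SUBSCRIBE:
            p, filters = 2, []                        # 2-byte packet identifier comes first
            while p < len(body):
                f, p = _read_string(body, p)
                filters.append(f)
                p += 1                                # requested-QoS byte follows each filter
            yield {"type": "SUBSCRIBE", "filters": filters}
        elif ptype == PUBLISH:
            qos = (flags >> 1) & 0x03
            topic, p = _read_string(body, 0)
            if qos:
                p += 2                                # packet identifier only for QoS 1/2
            yield {"type": "PUBLISH", "topic": topic, "qos": qos, "payload": body[p:]}

def topic_matches(topic_filter, topic):
    """Broker-style match: '+' = exactly one level, '#' = the remaining levels (may be zero).
    Filters that start with a wildcard never match $-prefixed topics such as $SYS/..."""
    if topic.startswith("$") and topic_filter[:1] in ("+", "#"):
        return False
    f_parts, t_parts = topic_filter.split("/"), topic.split("/")
    for i, fp in enumerate(f_parts):
        if fp == "#":
            return True
        if i >= len(t_parts) or (fp != "+" and fp != t_parts[i]):
            return False
    return len(f_parts) == len(t_parts)

def scan_session(stream, watchlist=WATCHLIST):
    """Return (packet type, topic, matching filters) for each watchlisted topic seen.
    Subscribed filters are compared as literal topics, which is enough for malware
    that subscribes to one concrete per-victim topic."""
    alerts = []
    for pkt in decode_packets(stream):
        topics = [pkt["topic"]] if pkt["type"] == "PUBLISH" else pkt.get("filters", [])
        for t in topics:
            hits = [w for w in watchlist if topic_matches(w, t)]
            if hits:
                alerts.append((pkt["type"], t, hits))
    return alerts

# --- constructed sample session (encoded here for the demo, not a real capture) ---
def _s(text):
    b = text.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def _pkt(ptype, flags, body):
    """Encode the fixed header (type/flags byte + varint Remaining Length) before body."""
    out, n = bytes([(ptype << 4) | flags]), len(body)
    while True:
        digit, n = n % 128, n // 128
        out += bytes([digit | (0x80 if n else 0)])
        if not n:
            return out + body

SAMPLE_SESSION = (
    _pkt(CONNECT, 0, _s("MQTT") + bytes([4, 0x02]) + struct.pack(">H", 60) + _s("host-1234"))
    + _pkt(SUBSCRIBE, 2, struct.pack(">H", 1) + _s("/commands/host-1234") + bytes([0]))
    + _pkt(PUBLISH, 0, _s("telemetry/temp") + b"21.5")
    + _pkt(PUBLISH, 2, _s("pctrtl") + struct.pack(">H", 7) + b"whoami")  # QoS 1, packet id 7
)

if __name__ == "__main__":
    for alert in scan_session(SAMPLE_SESSION):
        print(alert)
```

On real traffic, `decode_packets()` takes the reassembled payload of a TCP stream on 1883 (8883 only after TLS termination, which is why the TLS-using sample above would only show up as a connection to the broker). The benign telemetry publish in the constructed session produces no alert, while the per-victim subscribe under /commands/ and the publish to pctrtl do, which is the kind of topic-pattern signal the bullet list above is after.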
 
File detection
I didn't think about this very much. I guess you can look at strings for broker domains or for MQTT libraries being imported.