Researchers at ESET have recently uncovered a new cyber attack campaign linked to the notorious APT group Evasive Panda.
According to the researchers, Evasive Panda’s malicious campaign uses the update channels of legitimate Chinese applications to deliver their infamous backdoor, MgBot malware, to unsuspecting victims.
“In January 2022, we discovered that while performing updates, a legitimate Chinese application had received an installer for the Evasive Panda MgBot backdoor. During our investigation, we discovered that the malicious activity went back to 2020,” wrote ESET researcher Facundo Muñoz.
“Chinese users were the focus of this malicious activity, which ESET telemetry shows starting in 2020 and continuing throughout 2021.”
ESET’s in-depth analysis of the malicious campaign has led them to confidently identify Evasive Panda as the perpetrator.
Evasive Panda (also known as BRONZE HIGHLAND and Daggerfly) is a Chinese-speaking APT group actively targeting individuals and government entities across multiple countries since at least 2012.
Their previous targets include China, Macao, Nigeria, and Southeast and East Asian countries.
Evasive Panda’s malicious campaign
ESET’s team of researchers has uncovered a series of targeted cyber attacks explicitly aimed at Chinese users, which began in 2020 and persisted throughout 2021.
Evasive Panda’s latest malicious campaign was mostly concentrated in the Gansu, Guangdong, and Jiangsu provinces of China, focusing on members of an international NGO operating within two of these provinces.
ESET’s data also revealed at least one additional victim in Nigeria, indicating that the group responsible for the attacks was interested in expanding its reach beyond China.
The precise tactics and motives of Evasive Panda’s malicious campaign remain under investigation, but ESET’s findings provide valuable insight into the scope and scale of their operations.
Technical analysis of Evasive Panda
Evasive Panda’s backdoor, MgBot, has been known to security researchers since 2014 and has undergone very little change.
However, its modular architecture allows the backdoor to receive additional modules that can improve its spying capabilities and overall effectiveness.
During their investigation, ESET researchers discovered that automated updates for legitimate software applications were being leveraged to download MgBot backdoor installers from seemingly legitimate URLs and IP addresses.
To explain how the attackers could deliver malware through legitimate updates, ESET researchers considered several possible methods, ultimately focusing on two distinct scenarios: supply-chain compromise and adversary-in-the-middle attacks.
A supply-chain compromise would require the attackers to have gained access to the update servers, allowing them to precisely target selected users while delivering legitimate updates to everyone else.
While other Chinese-speaking APT groups have used this method in the past, ESET researchers warn that the limited information they have gathered on Evasive Panda’s malicious campaign and related ones makes it difficult to confirm this hypothesis.
Alternatively, an adversary-in-the-middle scenario involves attackers intercepting legitimate update requests and delivering malware to targeted users while delivering legitimate updates to non-targeted users.
ESET researchers caution that they do not have any concrete evidence to support this scenario either.
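The two scenarios above differ in what an updater can still detect on the client side. An added illustration (not code from ESET or from any application mentioned on this page) of a client-side update check: the installer hash is compared against a vendor-signed manifest, so a payload swapped in transit (the adversary-in-the-middle case) fails the hash check, while a rewritten manifest from a compromised update server fails the signature check unless the attacker also holds the signing key. The vendor key, product name, version and installer bytes are all constructed; HMAC stands in for the asymmetric signature a real updater would use.

```python
import hashlib
import hmac
import json
from typing import Tuple

# Constructed stand-in for the vendor's signing key. A real updater ships the
# vendor's public key and verifies an asymmetric signature (e.g. Ed25519);
# HMAC is used here only so the example runs with the standard library.
VENDOR_SIGNING_KEY = b"constructed-vendor-key"


def sign_manifest(manifest: dict, key: bytes = VENDOR_SIGNING_KEY) -> str:
    """Sign the canonical JSON form of the manifest (stand-in for vendor signing)."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_update(manifest: dict, signature: str, payload: bytes) -> Tuple[bool, str]:
    """Return (ok, reason). Both checks must pass before the installer is executed."""
    # 1. Manifest must carry a valid vendor signature: catches a rewritten
    #    manifest served from a compromised update server.
    expected_sig = sign_manifest(manifest)
    if not hmac.compare_digest(expected_sig, signature):
        return False, "manifest signature invalid"
    # 2. Installer bytes must match the hash in the signed manifest: catches a
    #    payload substituted in transit while the manifest is left intact.
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return False, "payload hash mismatch"
    return True, "verified"


# Constructed sample data: the genuine installer and a substituted one.
GENUINE = b"constructed genuine installer bytes"
SUBSTITUTED = b"constructed substituted installer bytes"
MANIFEST = {"product": "example-app", "version": "2.1.0",
            "sha256": hashlib.sha256(GENUINE).hexdigest()}
SIGNATURE = sign_manifest(MANIFEST)


def run_scenarios():
    """Exercise the legitimate case and both attack scenarios from the analysis."""
    legit = verify_update(MANIFEST, SIGNATURE, GENUINE)
    # Adversary-in-the-middle: manifest intact, installer swapped on the wire.
    aitm = verify_update(MANIFEST, SIGNATURE, SUBSTITUTED)
    # Update-server compromise: attacker rewrites the manifest to match the
    # swapped installer but does not hold the vendor signing key.
    forged = dict(MANIFEST, sha256=hashlib.sha256(SUBSTITUTED).hexdigest())
    forged_sig = sign_manifest(forged, key=b"constructed-attacker-key")
    server = verify_update(forged, forged_sig, SUBSTITUTED)
    return legit, aitm, server
```

Any failed check should abort the install and raise a log event, since a legitimate update channel should never produce either mismatch.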
The Evasive Panda campaign underscores the importance of having robust cybersecurity measures in place and remaining vigilant against potential threats.
As APT groups continue to evolve and refine their tactics, it is more important than ever for organizations and individuals to stay updated with the latest cybersecurity trends and best practices to ensure they are protected against such attacks.
Similarly, Symantec recently flagged a malicious campaign by Evasive Panda against African telecom service providers.
The group is believed to be responsible for a series of highly targeted cyberattacks against specific industries in the Middle East, Europe and Africa.
The latest campaign saw the group employ a range of tactics and techniques, including the use of social engineering, spear-phishing and custom-built malware.
“Researchers from the Threat Hunter Team at Symantec, by Broadcom Software, found multiple unique plugins associated with the MgBot modular malware framework on the victim’s network,” said a report by Symantec.
“The attackers were also seen using a PlugX loader and abusing the legitimate AnyDesk remote desktop software. Use of the MgBot modular malware framework and PlugX loader have been associated in the past with China-linked APTs.”
Evasive Panda, also known as Daggerfly or APT39, is believed to be supported by the Iranian government.
The group’s campaign against African telecom service providers involved the use of fake job ads on LinkedIn and other social media platforms to target employees of the companies.
Once a victim was identified, Daggerfly would send a spear-phishing email containing a malicious attachment that would infect the victim’s system with malware.
According to the report, the malware used by Daggerfly in the recent campaign is highly sophisticated and difficult to detect.
It is designed to evade detection by traditional antivirus software and uses a range of techniques to hide its activity on the victim’s system.
The malware is also capable of stealing sensitive data and exfiltrating it to remote servers controlled by the attackers.