ESET researchers have uncovered a cyber espionage campaign in which the APT group Evasive Panda hijacked the update channels of legitimate Chinese applications to deliver its flagship malware, the MgBot backdoor. According to ESET telemetry, the targeted users were primarily located in the Chinese provinces of Gansu, Guangdong, and Jiangsu and were members of international non-governmental organizations (NGOs). This malicious activity began in 2020 and continued until at least January 2022.
Facundo Muñoz, an ESET researcher who discovered the latest campaign, explained that Evasive Panda used MgBot, a custom backdoor that has remained relatively unchanged since its discovery in 2014. Muñoz added that the backdoor has not been used by any other group, thus attributing the activity to Evasive Panda with high confidence.
ESET researchers considered two scenarios that could explain how the attackers delivered malware through legitimate updates: a supply-chain compromise and an adversary-in-the-middle (AitM) attack. The team believes that the attackers compromised the QQ update servers, introducing a mechanism to identify targeted users and deliver the malware to them while filtering out non-targeted users, who received legitimate updates.
MgBot’s modular architecture enables it to extend its functionality by receiving and deploying modules on the compromised machine. The malware can record keystrokes, steal files, credentials, and content from Tencent messaging apps QQ and WeChat, and capture audio streams and text copied to the clipboard.

Evasive Panda, also known as BRONZE HIGHLAND and Daggerfly, is a Chinese-speaking APT group that has been active since at least 2012. The group has conducted cyber espionage against individuals in mainland China, Hong Kong, Macao, and Nigeria. ESET researchers confirmed that one victim of this campaign was located in Nigeria and was compromised through the Chinese software Mail Master by NetEase.
ESET advises users to install security software and keep it up to date, regularly back up their data, and use multi-factor authentication. Additionally, users should be cautious when downloading software updates and verify that they are legitimate by checking the software publisher’s official website.