ESET researchers have uncovered a cyber espionage campaign in which the APT group Evasive Panda hijacked the update channels of legitimate Chinese applications to deliver its flagship malware, the MgBot backdoor. According to ESET telemetry, the targeted users were primarily located in the Chinese provinces of Gansu, Guangdong, and Jiangsu and were members of international non-governmental organizations (NGOs). This malicious activity began in 2020 and continued until at least January 2022.

Facundo Muñoz, an ESET researcher who discovered the latest campaign, explained that Evasive Panda used MgBot, a custom backdoor that has remained relatively unchanged since its discovery in 2014. Muñoz added that the backdoor has not been used by any other group, thus attributing the activity to Evasive Panda with high confidence.

ESET researchers analyzed the possibility of two scenarios that could explain how the attackers delivered malware through legitimate updates: supply-chain compromises and adversary-in-the-middle (AitM) attacks. The team believes that the attackers compromised the QQ update servers, introducing a mechanism to identify the targeted users, deliver the malware, and filter out non-targeted users for legitimate updates.

MgBot’s modular architecture enables it to extend its functionality by receiving and deploying modules on the compromised machine. The malware can record keystrokes, steal files, credentials, and content from Tencent messaging apps QQ and WeChat, and capture audio streams and text copied to the clipboard.

Image by ESET

Evasive Panda, also known as BRONZE HIGHLAND and Daggerfly, is a Chinese-speaking APT group that has been active since at least 2012. The group has conducted cyber espionage against individuals in mainland China, Hong Kong, Macao, and Nigeria. ESET researchers confirmed that one victim of this campaign was located in Nigeria and was compromised through the Chinese software Mail Master by NetEase.

ESET advises users to install security software and keep it up-to-date, regularly back up their data, and use multi-factor authentication. Additionally, users should be cautious when downloading software updates and verify that they are legitimate by checking the software publisher’s official website.
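The advice above amounts to checking a downloaded update against what the publisher actually ships before running it. The following Python script is an added example written for this article, not code from ESET or from any of the vendors named; it assumes the publisher posts a list of SHA-256 hashes for its update files on its official site (here the manifest is constructed inline from a sample payload so the example runs offline) and shows how a genuine file passes while a substituted file of the same name, or a file the manifest does not list, is rejected. The file names and payload bytes are constructed samples, not real QQ or Mail Master update artifacts.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed sample payloads (not real installer bytes): what the publisher
# actually ships, and a substituted file such as one served from a hijacked
# update channel under the same file name.
GENUINE_UPDATE = b"ExampleApp update 1.2.3 installer bytes (constructed sample)"
SUBSTITUTED_UPDATE = b"ExampleApp update 1.2.3 installer bytes plus injected payload (constructed)"

# Constructed update file names; any real publisher would use its own names.
UPDATE_NAME = "ExampleApp-Update-1.2.3.exe"
UNLISTED_NAME = "ExampleApp-Update-1.2.4.exe"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


# Constructed manifest standing in for the hash list a publisher posts on its
# official website. It is derived from GENUINE_UPDATE here only so the example is
# self-contained; in practice it must come from the publisher out of band, never
# from the same channel that delivered the update.
PUBLISHER_MANIFEST = {UPDATE_NAME: sha256_hex(GENUINE_UPDATE)}


def verify_update(path: Path, manifest: dict) -> tuple[bool, str]:
    """Check a downloaded update file against the publisher's hash manifest.

    Returns (ok, reason). A file whose name is not in the manifest is rejected
    outright: an update you cannot match to a published hash should not run.
    """
    expected = manifest.get(path.name)
    if expected is None:
        return False, f"{path.name} is not listed in the publisher manifest"
    actual = sha256_hex(path.read_bytes())
    # compare_digest keeps the comparison itself free of a timing side channel.
    if not hmac.compare_digest(actual, expected):
        return False, (f"SHA-256 mismatch for {path.name}: "
                       f"got {actual[:16]}..., expected {expected[:16]}...")
    return True, f"{path.name} matches the publisher's published SHA-256"


def write_sample(directory: Path, name: str, data: bytes) -> Path:
    """Write constructed sample bytes to disk so verify_update sees a real file."""
    directory.mkdir(parents=True, exist_ok=True)
    target = directory / name
    target.write_bytes(data)
    return target


def demo() -> dict:
    """Run the three cases and return which ones pass verification."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        genuine = write_sample(base / "genuine", UPDATE_NAME, GENUINE_UPDATE)
        tampered = write_sample(base / "tampered", UPDATE_NAME, SUBSTITUTED_UPDATE)
        unlisted = write_sample(base / "unlisted", UNLISTED_NAME, GENUINE_UPDATE)
        results = {}
        for label, path in (("genuine", genuine), ("tampered", tampered),
                            ("unlisted", unlisted)):
            ok, reason = verify_update(path, PUBLISHER_MANIFEST)
            results[label] = ok
            print(f"{label:9s} -> {'ACCEPT' if ok else 'REJECT'}: {reason}")
        return results


if __name__ == "__main__":
    demo()
```

The check is only as good as the source of the manifest: if the hash list is fetched through the same compromised update channel, an attacker who can swap the binary can swap the hash as well, which is why the article points users to the publisher's official website rather than to the update prompt itself.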

Mark Ko