An advanced persistent threat (APT) group known as Evasive Panda has been observed targeting international non-governmental organizations (NGOs) in Mainland China with malware delivered through legitimate app update channels such as Tencent QQ.
The attack chain is designed to distribute the Windows installer for the MgBot malware, ESET security researcher Facundo Muñoz says in a report published today. The activity began in November 2020 and continued throughout 2021.
Evasive Panda, also known as Bronze Highland and Daggerfly, is a Chinese-speaking APT group associated with a series of cyber espionage attacks targeting entities in China, Hong Kong, and other countries in East and South Asia since at least late December 2012.
A hallmark of the group is its use of the custom MgBot modular malware framework, which can receive additional components on the fly to expand its intelligence-gathering capabilities.
Some of the prominent capabilities of the malware include stealing files, logging keystrokes, harvesting clipboard data, recording audio streams, and stealing credentials from web browsers.
ESET, which discovered the campaign in January 2022 after a legitimate Chinese application was used to deploy installers for the MgBot backdoor, said the targeted users were located in the provinces of Gansu, Guangdong, and Jiangsu and were members of an unnamed international NGO.
The trojanized application is the Tencent QQ Windows client software updater (“QQUrlMgr.exe”), hosted on the domain “update.browser.qq(.)com.” It was not immediately clear how the threat actor managed to deliver the implant through a legitimate update.
That said, it points to one of two scenarios: a supply chain compromise of the Tencent QQ update servers, or an adversary-in-the-middle (AitM) attack of the kind detailed by Kaspersky in June 2022 involving a Chinese hacking crew dubbed LuoYu.
In recent years, many software supply chain attacks have been orchestrated by nation-state groups from Russia, China, and North Korea. The ability to achieve broad impact quickly has not been lost on these attackers, who are increasingly targeting IT supply chains to penetrate enterprise environments.
“AitM-style interception will be possible if an attacker – be it LuoYu or Evasive Panda – is able to compromise a vulnerable device such as a router or gateway,” explained Muñoz.
“With access to the ISP’s backbone infrastructure – through legal or illegal means – Evasive Panda will be able to intercept and reply to update requests made via HTTP, or even modify packets.”
The development is significant as the findings come less than a week after Broadcom-owned Symantec detailed an attack by the threat actor against telecom service providers in Africa using the MgBot malware framework.