The APT group Evasive Panda hijacked the update channels of legitimate Chinese applications and then spied specifically on members of a non-governmental organization (NGO). According to ESET, the MgBot backdoor entered the victims' networks through the applications' automatic update mechanism.
Researchers at IT security vendor ESET have uncovered a new, sophisticated campaign by the APT (Advanced Persistent Threat) group Evasive Panda. The group hijacked the update channels of legitimate Chinese applications to distribute the installer of the MgBot malware. Chinese users were the focus of the activity, which according to ESET telemetry began as early as 2020. The affected users were located in the provinces of Gansu, Guangdong and Jiangsu and were members of an international non-governmental organization (NGO).
Backdoor known as MgBot since 2014
"Evasive Panda uses a backdoor called MgBot that has seen little development since it was discovered in 2014. As far as we know, this malicious program has not been used by any other group so far. Therefore, we can attribute this activity to Evasive Panda with great certainty," says ESET researcher Facundo Muñoz, who spotted the recent campaign. "During our investigation, we found that running automatic updates of legitimate software also downloaded MgBot backdoor installers from clean URLs and IP addresses."
Thanks to its modular architecture, MgBot can extend its functionality once the malicious code has been installed on the compromised computer. The backdoor's capabilities include logging keystrokes; stealing files, login credentials and content from the Tencent messaging apps QQ and WeChat; and recording audio streams and text copied to the clipboard.
Attack chain not yet fully clear
How the attackers managed to inject malware through legitimate updates is not 100% certain. The ESET researchers consider two explanations most likely: a compromise of the software supply chain, or a so-called adversary-in-the-middle (AitM) attack.
"Due to the targeted nature of the attacks, we assume that the hackers compromised the QQ update servers. This was the only way they could implement a mechanism with which users could be specifically identified and the malware delivered. Indeed, we have registered cases where legitimate updates were downloaded via the same abused protocols," says Muñoz. "On the other hand, AitM approaches to interception would be possible. However, this assumes that the attackers manipulated vulnerable devices such as routers or gateways and had access to the ISP infrastructure."
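Both hypotheses above lead to the same practical check: the installer arrives from a legitimate URL and IP, so reputation-based controls see nothing wrong, and only an integrity check against an expectation obtained out of band can tell the genuine file from a trojanized one. The following is an added example written for this article, not ESET's code and not any vendor's actual updater. The payloads, the file name and the manifest are constructed; in a real client the manifest would be a signed file verified with a key shipped inside the client.

```python
"""Pinned-digest verification for a downloaded update payload.

Added illustration for this article (not ESET's or any vendor's code).
It shows why "clean URL, clean IP" is not evidence that an update is
genuine: a payload swapped on the update server, or in transit by an
adversary-in-the-middle, has the same origin but a different digest.
"""
import hashlib
import hmac

# Constructed sample payloads; not real installers and not MgBot artefacts.
GENUINE_UPDATE = b"vendor-app-update-1.2.3: genuine installer bytes"
TROJANIZED_UPDATE = b"vendor-app-update-1.2.3: installer bytes plus appended dropper"

# Hypothetical pinned manifest. A real updater would fetch this as a signed
# manifest from a different server than the payload mirror and verify the
# signature with a key that ships with the client, so that control of the
# mirror alone does not let an attacker replace both file and expected digest.
PINNED_MANIFEST = {
    "vendor-app-update-1.2.3.exe": hashlib.sha256(GENUINE_UPDATE).hexdigest(),
}


class UpdateRejected(Exception):
    """Raised when a downloaded update must not be installed."""


def verify_update(name: str, payload: bytes, manifest: dict) -> str:
    """Return the SHA-256 hex digest of payload if it matches the pin for name.

    Raises UpdateRejected otherwise. A file absent from the manifest is
    rejected rather than installed unverified, because an attacker who
    controls the mirror can introduce new file names at will.
    """
    expected = manifest.get(name)
    if expected is None:
        raise UpdateRejected(f"{name}: not in pinned manifest")
    actual = hashlib.sha256(payload).hexdigest()
    # Constant-time comparison: cheap insurance even for public digests.
    if not hmac.compare_digest(actual, expected):
        raise UpdateRejected(
            f"{name}: digest mismatch, expected {expected[:16]}..., got {actual[:16]}..."
        )
    return actual


def updater_decision(name: str, payload: bytes, manifest: dict = PINNED_MANIFEST) -> str:
    """Simulate the updater's gate: 'install' only after verification succeeds."""
    try:
        verify_update(name, payload, manifest)
    except UpdateRejected as exc:
        return f"reject: {exc}"
    return "install"


if __name__ == "__main__":
    name = "vendor-app-update-1.2.3.exe"
    print(updater_decision(name, GENUINE_UPDATE))            # install
    print(updater_decision(name, TROJANIZED_UPDATE))         # reject: ... digest mismatch ...
    print(updater_decision("extra-component.exe", GENUINE_UPDATE))  # reject: ... not in pinned manifest
```

TLS with certificate pinning would address the AitM hypothesis but not a compromised update server, since the server would still present a valid certificate. Pinning the payload digest (or a signature over it) to an out-of-band manifest covers both cases, which is why the two scenarios in the text converge on the same defensive control.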
About the APT group Evasive Panda
Evasive Panda (also known as BRONZE HIGHLAND and Daggerfly) is a Chinese-speaking APT group that has been active since at least 2012. It conducts extensive cyberespionage against individuals in mainland China, Hong Kong, Macau and Nigeria. One victim of the current campaign was confirmed to be located in Nigeria and was compromised via Mail Master, Chinese software from NetEase.
More at ESET.com
About ESET
ESET is a European company headquartered in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 and has helped over 100 million users enjoy secure technology. Its broad portfolio of security products covers all common platforms and offers companies and consumers worldwide a balance between performance and proactive protection. The company has a global sales network in over 180 countries and offices in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.