ESET Research: Chinese-speaking Evasive Panda group spreads malware via updates of legitimate apps and targets NGO in China
Created: 2023-04-28 08:07:15
- Users in mainland China at an international NGO were targeted with malware delivered through updates for software developed by Chinese companies.
- With high confidence, we attribute this activity to the Chinese-speaking Evasive Panda APT group.
- The backdoor MgBot is used for cyberespionage.
BRATISLAVA, MONTREAL — April 26, 2023 — ESET researchers have discovered a campaign conducted by the APT group known as Evasive Panda, in which update channels of legitimate Chinese applications were hijacked to also deliver the installer for the MgBot malware, Evasive Panda’s flagship cyberespionage backdoor. Chinese users were the focus of this malicious activity, which ESET telemetry shows started in 2020. The targeted users were located in the Gansu, Guangdong, and Jiangsu provinces. The majority of the Chinese victims are members of an international non-governmental organizations (NGO).
In January 2022, ESET Research discovered that while performing updates, a legitimate Chinese application had received an installer for the Evasive Panda MgBot backdoor and that the same malicious actions had already taken place as far back as 2020 with several other legitimate applications developed by Chinese companies.
“Evasive Panda uses a custom backdoor known as MgBot that has seen little evolution since its discovery in 2014. To the best of our knowledge, the backdoor has not been used by any other group. Therefore, we attribute this activity to Evasive Panda with high confidence,” says ESET researcher Facundo Muñoz, who discovered this latest campaign. “During our investigation, we discovered that when performing automated updates, several legitimate application software components also downloaded MgBot backdoor installers from legitimate URLs and IP addresses,” explains Muñoz.
When ESET researchers analyzed the likelihood of several methods that could explain how the attackers managed to deliver malware through legitimate updates, two scenarios stood out: supply-chain compromises, and adversary-in-the-middle (AitM) attacks.
“Given the targeted nature of the attacks, we speculate that attackers would have needed to compromise the QQ update servers to introduce a mechanism to identify the targeted users in order to deliver the malware, and filtering out non-targeted users and delivering them legitimate updates. This is because we registered cases where legitimate updates were downloaded through the same abused protocols,” says Muñoz. “On the other hand, AitM approaches to interception would be possible if the attackers were able to compromise vulnerable devices such as routers or gateways and the attackers could have gained access to ISP infrastructure”.
MgBot’s modular architecture allows it to extend its functionality by receiving and deploying modules on the compromised machine. The functionalities of the backdoor include recording keystrokes; stealing files, credentials, and content from the Tencent messaging apps QQ and WeChat; and capturing both audio streams and text copied to the clipboard.
Evasive Panda (also known as BRONZE HIGHLAND and Daggerfly) is a Chinese-speaking APT group, active since at least 2012. ESET Research has observed the group conducting cyberespionage against individuals in mainland China, Hong Kong, Macao, and Nigeria. One victim of this campaign was verified to be located in Nigeria and was compromised through the Chinese software Mail Master by NetEase.
For more technical information about the latest Evasive Panda campaign, check out the blogpost “Evasive Panda APT group delivers malware via updates for popular Chinese software” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.
Map of China showing where users were targeted
About ESET
ESET develops software solutions that deliver instant, comprehensive protection against evolving computer security threats. ESET pioneered and continues to lead the industry in proactive threat detection. ESET NOD32 Antivirus, its flagship product, consistently achieves the highest accolades in all types of comparative testing and is the foundational product that builds out the ESET product line to include ESET Smart Security. ESET Smart Security is an integrated antivirus, antispyware, antispam and personal firewall solution that combines accuracy, speed and an extremely small system footprint to create the most effective security solution in the industry. Both products have an extremely efficient code base that eliminates the unnecessary large size found in some solutions. This means faster scanning that doesn’t slow down computers or networks. Sold in more than 160 countries, ESET has worldwide production headquarters in Bratislava, SK and worldwide distribution headquarters in San Diego, U.S. ESET also has offices in Bristol, U.K.; Buenos Aires, AR; Prague, CZ; and is globally represented by an extensive partner network. For more information, visit our local office at https://eset.version-2.sg.
About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The Company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which includes Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities. For more information, please visit https://www.version-2.com.sg/ or call (65) 6296-4268.