Evasive Panda’s Backdoor MgBot Delivered Via Chinese Software Updates

ESET security researchers have observed a new malware campaign by the APT group tracked as Evasive Panda (also known as Daggerfly and Bronze Highland), which relies on a custom backdoor known as MgBot.

“To our knowledge, the backdoor has not been used by any other group,” ESET Security Intelligence Analyst and Malware Researcher Facundo Muñoz said in an advisory published today. “In this cluster of malicious activity, we only saw the MgBot malware deployed on the victim machine along with a toolkit of plugins.”

ESET first spotted the new campaign in January 2022, but further investigation showed that malicious activity associated with the threat actor dates back to 2020.

“Users in China were at the center of this malicious activity, and ESET telemetry shows this to be ongoing through 2020 and 2021,” Muñoz explains. “Most of the Chinese victims are members of international NGOs.”

During the investigation, the ESET team discovered that a component of a legitimate application silently downloaded the MgBot backdoor installer from URLs and IP addresses during the application's automatic update process.

“After analyzing several possible methods that could explain how attackers deliver malware through legitimate updates, we were left with two scenarios: supply chain compromise and man-in-the-middle attacks,” Muñoz wrote.
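Of the two scenarios above, the man-in-the-middle one is the case an update client can defend against on its own. The following is an added example, not code from ESET, from the article, or from any application discussed in it: a hypothetical update client that pins the publisher's Ed25519 key and verifies a signed manifest (version plus SHA-256 of the installer) before accepting a download. The installer bytes, manifest format, and version string are constructed for the example; it uses only the Go standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the hypothetical update descriptor that the publisher signs.
// It binds a version string to the SHA-256 of the installer bytes, so only
// this small manifest needs a signature, not every installer blob.
type Manifest struct {
	Version string
	SHA256  string // lowercase hex digest of the installer payload
}

// Digest returns the hex SHA-256 of a payload.
func Digest(payload []byte) string {
	sum := sha256.Sum256(payload)
	return hex.EncodeToString(sum[:])
}

// manifestBytes is the canonical encoding that gets signed. The version is
// included so a captured older manifest cannot be replayed to roll a client back.
func manifestBytes(m Manifest) []byte {
	return []byte("update-manifest-v1\n" + m.Version + "\n" + m.SHA256 + "\n")
}

// SignManifest runs on the publisher side; the private key stays in the build system.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, manifestBytes(m))
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify under the pinned key")
	ErrHashMismatch = errors.New("payload digest does not match the signed manifest")
)

// VerifyUpdate is the client-side check, run before the downloaded installer is
// written to disk or executed. pub must be pinned in the client binary rather
// than fetched from the update server, or an on-path attacker can substitute
// both the key and the manifest.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pub, manifestBytes(m), sig) {
		return ErrBadSignature
	}
	if Digest(payload) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

// Scenario walks through three deliveries using constructed byte strings in
// place of real installers: the genuine update, an on-path attacker swapping
// only the payload, and an attacker swapping the payload and rewriting the
// manifest hash to match. It returns the three verification results in order.
func Scenario() (genuine, swappedPayload, forgedManifest error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installer := []byte("constructed sample: legitimate installer bytes")
	backdoor := []byte("constructed sample: attacker-supplied installer bytes")

	m := Manifest{Version: "2.0.1", SHA256: Digest(installer)} // hypothetical version
	sig := SignManifest(priv, m)

	genuine = VerifyUpdate(pub, m, sig, installer)

	// Attacker replaces the download but leaves the signed manifest untouched.
	swappedPayload = VerifyUpdate(pub, m, sig, backdoor)

	// Attacker also rewrites the manifest hash to match the new payload, but
	// has no way to produce a signature under the publisher key.
	forged := Manifest{Version: m.Version, SHA256: Digest(backdoor)}
	forgedManifest = VerifyUpdate(pub, forged, sig, backdoor)
	return
}

func main() {
	g, s, f := Scenario()
	fmt.Println("genuine update:           ", g)
	fmt.Println("swapped payload only:     ", s)
	fmt.Println("forged manifest + payload:", f)
}
```

The check rejects both tampering cases because the attacker can alter what travels over the network but not produce a valid signature under the pinned key. It offers no protection in the supply chain scenario, where the attacker controls the publisher's build or signing infrastructure and ships a correctly signed malicious update; that case needs controls on the publisher side, such as reproducible builds and signing-key custody, which a client cannot verify by itself.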

ESET researchers describe MgBot as the main Windows backdoor used by Evasive Panda.

“It was developed in C++ with an object-oriented design, communicates over TCP and UDP, and has the ability to extend its functionality through plugin modules.”

The list of modules (DLL files) includes the Kstrcs keylogger, the sebasek file stealer, the Cbmrpa clipboard logger, the pRsm audio stream capturer, the mailLFPassword and agentpwd credential stealers, the qmsdp Tencent QQ database stealer, the wcdbcrk Tencent WeChat information stealer, and the Gmck cookie stealer.


“Most of the plugins are designed to steal information from very popular Chinese applications such as QQ, WeChat, QQBrowser, Foxmail, etc. These are all applications developed by Tencent,” Muñoz added.

See the advisory for details on each module. The release comes just days after Symantec published another analysis detailing the Evasive Panda campaign targeting a telecommunications company in Africa.
