
China’s Evasive Panda APT Spies on Taiwan Targets Across Platforms

Evasive Panda, an advanced persistent threat (APT) group of Chinese origin, is expanding its espionage capabilities by refining and extending malware that targets several operating systems. Tracked as "Daggerfly" by Symantec, the group has a history of targeting telecommunications companies, government agencies, NGOs, universities, and individuals of interest to the Chinese government. Recent attacks have focused mainly on targets in Taiwan, with one incident involving an American NGO operating in China.

While Evasive Panda's choice of victims is consistent, the range of platforms it targets is notable. In addition to Windows and macOS, the group has been observed Trojanizing Android application packages (APKs), building SMS and DNS interception tools, and developing malware for Linux and Solaris.

According to Dick O’Brien, the principal intelligence analyst for the Symantec threat hunter team, Evasive Panda’s ability to develop malware for multiple platforms sets it apart from other APT groups. O’Brien noted that while most groups target a limited number of platforms, Evasive Panda’s ambition and expertise allow it to cover a wide range, including niche platforms like Solaris.

Evasive Panda, which has been active for at least a decade, continuously updates its toolkit with custom malware for different operating systems. One of its best-known tools is the modular MgBot malware, used in recent attacks against the China-based American NGO and an African telecoms operator in 2023. The group has also been linked to watering hole attacks dating back to late 2022 in which it used a newer tool called "Nightdoor," which Symantec tracks as "Trojan.Suzafk."

Nightdoor is deployed on infected systems alongside a legitimate copy of the DAEMON Tools Lite program and a DLL that establishes persistence through a scheduled task, the legitimate-executable-plus-DLL pairing characteristic of DLL sideloading. The final payload is a multi-stage backdoor that uses either raw TCP or OneDrive for command-and-control, and it incorporates code from the open-source al-khaser project, a collection of anti-VM, anti-sandbox and anti-debugging checks, to hinder analysis.
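The persistence shape described above, a legitimate host binary relaunched by a scheduled task from a directory the attacker could write to, is something a defender can hunt for in exported Task Scheduler XML. The script below is an added example written for this article, not Symantec's or the threat actor's code; the two task definitions are constructed samples (the file names, paths and task names are placeholders, not artifacts from the campaign), and the list of user-writable directories is illustrative rather than exhaustive.

```python
"""Flag scheduled tasks whose action launches a binary from a user-writable
directory, the common shape of DLL-sideloading persistence: a signed,
legitimate executable is dropped next to a malicious DLL and a task
relaunches it (e.g. at logon).

Added example; the task XML below is constructed sample input.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Namespace used by Windows Task Scheduler XML (schtasks /query /xml).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Paths an unprivileged user can write to. Assumption: illustrative list.
USER_WRITABLE = re.compile(
    r"^(?:%appdata%|%localappdata%|%temp%|%tmp%|%public%|%programdata%|"
    r"[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads)|programdata|"
    r"users\\public|windows\\temp))",
    re.IGNORECASE,
)


@dataclass
class Finding:
    task_name: str
    command: str
    working_dir: str
    reasons: List[str]


def _text(elem: ET.Element, path: str) -> str:
    node = elem.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def analyse_task(name: str, xml_text: str) -> Optional[Finding]:
    """Return a Finding when the task's executable or working directory is
    user-writable; other attributes are attached as supporting context."""
    root = ET.fromstring(xml_text)
    command = _text(root, "t:Actions/t:Exec/t:Command")
    workdir = _text(root, "t:Actions/t:Exec/t:WorkingDirectory")
    reasons: List[str] = []
    if USER_WRITABLE.match(command):
        reasons.append("executable lives in a user-writable directory")
    if workdir and USER_WRITABLE.match(workdir):
        # The working directory is on the DLL search path of the launched
        # executable, so a planted DLL here is what sideloading relies on.
        reasons.append("working directory is user-writable (DLL search path)")
    if not reasons:
        return None  # nothing writable involved; not the pattern we hunt
    if root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        reasons.append("runs at logon")
    if _text(root, "t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        reasons.append("requests highest available privileges")
    if _text(root, "t:Settings/t:Hidden").lower() == "true":
        reasons.append("task is hidden from the Task Scheduler UI")
    return Finding(name, command, workdir, reasons)


def scan(tasks: Dict[str, str]) -> List[Finding]:
    """Run analyse_task over a mapping of task name -> task XML."""
    return [f for f in (analyse_task(n, x) for n, x in tasks.items()) if f]


# Constructed samples: one ordinary vendor updater, one suspicious relaunch.
SAMPLE_TASKS = {
    "VendorUpdate": """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions><Exec>
    <Command>C:\\Program Files\\Vendor\\update.exe</Command>
    <Arguments>/silent</Arguments>
  </Exec></Actions>
</Task>""",
    "Updater": """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec>
    <Command>C:\\Users\\alice\\AppData\\Roaming\\Host\\host.exe</Command>
    <WorkingDirectory>C:\\Users\\alice\\AppData\\Roaming\\Host</WorkingDirectory>
  </Exec></Actions>
</Task>""",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_TASKS):
        print(f"[!] {f.task_name}: {f.command}")
        for r in f.reasons:
            print(f"    - {r}")
```

On a live host, feed the function the files under C:\Windows\System32\Tasks or the output of schtasks /query /xml. A hit is a lead, not a verdict: confirm it by checking the DLLs in the working directory against the executable's expected imports and their signatures.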

When targeting Macs, Evasive Panda uses the Macma backdoor, which has been in circulation for more than five years. Macma has appeared in several watering hole attacks, including incidents aimed at media outlets and protesters advocating for Hong Kong's independence. The backdoor can fingerprint the device, upload and download files, capture keystrokes and screenshots, and record audio.

In addition to developing new backdoors, Evasive Panda has recently made minor modifications to Macma, pointing to a continuous cycle of iterative development. Such changes alter the malware's signature, which helps it evade detection, and show that the group keeps improving and bug-fixing its tooling rather than leaving it static.

Overall, Evasive Panda’s evolving tactics and diverse targeting of multiple OS platforms highlight the group’s sophistication and adaptability in carrying out espionage activities. As cybersecurity threats continue to evolve, organizations must remain vigilant and proactive in defending against such malicious actors.
