China Panda APT Infecting Windows And MacOS Users with Malware through Hacked Websites

Evasive Panda, also known as BRONZE HIGHLAND and Daggerfly, is a sophisticated Chinese-speaking APT group that has been conducting cyberespionage activities since at least 2012. The group has recently been identified targeting individuals in mainland China, Hong Kong, Macao, and Nigeria. Notably, Southeast and East Asian governments, including those in China, Macao, Myanmar, the Philippines, Taiwan, and Vietnam, were among the primary targets of these attacks.

According to reports from ESET researchers, since 2020, Evasive Panda has demonstrated the capability to execute adversary-in-the-middle attacks to propagate its backdoors by leveraging updates from legitimate software. The group employs a custom malware framework with a modular architecture, enabling its backdoor, known as MgBot, to receive modules that help in spying on victims and improving its capabilities.

Furthermore, a cyberespionage campaign by Evasive Panda that has been running since September 2023 and targets Tibetans has come to light. The campaign involved a supply-chain compromise that distributed trojanized software installers aimed at the Tibetan language community. In addition, a strategic web compromise, commonly known as a watering hole, was used in this operation. The compromised website belonged to the Kagyu International Monlam Trust, an Indian organization that promotes Tibetan Buddhism globally.

The attackers employed malicious downloaders for macOS and Windows to infect visitors of the compromised website with MgBot as well as Nightdoor, another backdoor previously associated with Evasive Panda. MgBot is particularly potent in gathering extensive information about compromised systems, while Nightdoor, discovered in 2020, utilizes the Google Drive API or UDP for communication between the backdoor and its C&C server.

By installing a script on the compromised website, the attackers could determine the IP addresses of potential victims and deliver an intermediary downloader to their systems. The script would then send an HTTP request to verify whether the attacker’s downloader was already present on the victim’s machine. If the check succeeded, a fake error page prompted the user to download a “fix” disguised as a certificate, with a variant tailored to the victim’s operating system.
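The lure described above relies on a native downloader being passed off as a certificate file. The following check, an added example that is not code from the article or from ESET, compares a download's magic bytes with what a certificate should contain, so a "certificate" that is actually a Windows PE or macOS Mach-O image can be flagged at a proxy or on an endpoint. The sample files are constructed, not real samples.

```python
"""Flag downloads named like certificates that actually carry native code."""
import os

# Magic numbers for native executables on the two platforms named in the article.
PE_MAGIC = b"MZ"                                  # Windows PE/COFF image
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",     # 32-bit Mach-O (big/little endian)
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",     # 64-bit Mach-O (big/little endian)
    b"\xca\xfe\xba\xbe",                          # universal (fat) binary; also Java class files
}
CERT_EXTENSIONS = {".cer", ".crt", ".pem", ".der"}


def classify(data: bytes) -> str:
    """Return a coarse content type from the first bytes of a download."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data[:4] in MACHO_MAGICS:
        return "macho"
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return "pem-certificate"
    if data[:2] == b"\x30\x82":   # ASN.1 SEQUENCE with 2-byte length, typical of DER certs
        return "der-certificate"
    return "unknown"


def is_disguised_executable(filename: str, data: bytes) -> bool:
    """True when a file named like a certificate actually contains native code."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in CERT_EXTENSIONS and classify(data) in {"pe", "macho"}


def scan_downloads(downloads: dict) -> list:
    """Return the names of downloads that should be blocked or alerted on."""
    return [name for name, data in downloads.items() if is_disguised_executable(name, data)]


# Constructed samples (hypothetical names, minimal headers), not real artifacts.
SAMPLES = {
    "fix-certificate.cer": b"MZ\x90\x00" + b"\x00" * 60,          # PE disguised as a cert
    "certificate-fix.crt": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,    # Mach-O disguised as a cert
    "root-ca.pem": b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n",
    "update.exe": b"MZ\x90\x00",                                  # executable, honestly named
}

if __name__ == "__main__":
    print(scan_downloads(SAMPLES))   # ['fix-certificate.cer', 'certificate-fix.crt']
```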

Researchers believe that the attackers took advantage of the Monlam festival scheduled for January and February 2024 to compromise individuals visiting the infected website, which had turned into a watering hole. Various downloaders, droppers, and backdoors, including Nightdoor, were deployed by the attackers during this campaign to target networks in East Asia.

For enhanced protection against malware threats like those posed by Evasive Panda, solutions like Perimeter81 malware protection can prove to be crucial. By blocking Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, these security measures can safeguard networks from devastating cyberattacks.

As cyber threats continue to evolve, staying informed about cybersecurity news and developments is essential. To remain updated on the latest trends, whitepapers, and infographics in the cybersecurity realm, follow trusted sources like The Cybersecurity News on LinkedIn and Twitter. Enhancing cybersecurity awareness is crucial in combatting the growing threat of malicious actors in cyberspace.
