
China Panda APT Infecting Windows And MacOS Users with Malware through Hacked Websites


Evasive Panda, also known as BRONZE HIGHLAND and Daggerfly, is a sophisticated Chinese-speaking APT group that has been conducting cyberespionage activities since at least 2012. The group has recently been identified targeting individuals in mainland China, Hong Kong, Macao, and Nigeria. Notably, Southeast and East Asian governments, including those in China, Macao, Myanmar, the Philippines, Taiwan, and Vietnam, were among the primary targets of these attacks.

According to ESET researchers, Evasive Panda has since 2020 demonstrated the capability to carry out adversary-in-the-middle attacks, hijacking the update mechanisms of legitimate software to deliver its backdoors. The group employs a custom malware framework with a modular architecture, allowing its backdoor, known as MgBot, to receive modules that extend its spying capabilities against victims.

Furthermore, a specific cyberespionage campaign by Evasive Panda has come to light since September 2023, targeting Tibetans. The campaign involved a supply-chain compromise that disseminated trojanized software installers catering to the Tibetan language community. Additionally, a strategic web compromise, commonly known as a watering hole, was utilized in this operation. The compromised website belonged to the Kagyu International Monlam Trust, an Indian organization that promotes Tibetan Buddhism globally.

The attackers employed malicious downloaders for macOS and Windows to infect visitors of the compromised website with MgBot as well as Nightdoor, another backdoor previously associated with Evasive Panda. MgBot is particularly potent in gathering extensive information about compromised systems, while Nightdoor, discovered in 2020, utilizes the Google Drive API or UDP for communication between the backdoor and its C&C server.

By planting a script on the compromised website, the attackers could record the IP addresses of visitors and serve an intermediary downloader to selected targets. The script also issued an HTTP request to check whether the attacker's downloader was already present on the visitor's machine. If that check succeeded, a fake error page prompted the user to download a "fix" disguised as a certificate, with a variant tailored to the visitor's operating system.
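A watering hole of this kind depends on a script the site owner never deployed. The following added example (not code from ESET or from the original article) shows a defender-side integrity check a site operator can run against their own pages: it parses the HTML, compares external script origins against an allowlist, and compares inline script bodies against a baseline of known hashes. The allowed hosts, the baseline hash and the sample page with its injected placeholder script are all constructed for this example.

```python
"""Baseline check for injected <script> tags on pages you operate (added example)."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist; "" covers relative src values such as /js/site.js.
ALLOWED_SCRIPT_HOSTS = {"", "cdn.example.net"}


class ScriptCollector(HTMLParser):
    """Collects external script src values and SHA-256 hashes of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:  # HTMLParser hands script bodies to handle_data as CDATA
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf).strip().encode()
            self.inline.append(hashlib.sha256(body).hexdigest())
            self._in_script = False


def find_unexpected_scripts(html, known_inline_hashes):
    """Return (unknown external script srcs, unknown inline script hashes)."""
    p = ScriptCollector()
    p.feed(html)
    bad_ext = [s for s in p.external if urlparse(s).netloc not in ALLOWED_SCRIPT_HOSTS]
    bad_inline = [h for h in p.inline if h not in known_inline_hashes]
    return bad_ext, bad_inline


# Constructed sample page: two legitimate scripts plus two injected ones.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script>var nav = document.getElementById('nav');</script>
<script src="https://update.example-attacker.invalid/check.js"></script>
<script>/* injected placeholder */ var x = 1;</script>
</head></html>"""

# Baseline hash of the one inline script the operator actually shipped.
KNOWN_INLINE = {hashlib.sha256(b"var nav = document.getElementById('nav');").hexdigest()}


def check_sample():
    return find_unexpected_scripts(SAMPLE_PAGE, KNOWN_INLINE)
```

Run the check on a schedule against the live site and alert on any non-empty result; an unexpected inline script or a script served from an unfamiliar host is exactly the artifact a strategic web compromise leaves behind.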

Researchers believe that the attackers took advantage of the Monlam festival scheduled for January and February 2024 to compromise individuals visiting the infected website, which had turned into a watering hole. Various downloaders, droppers, and backdoors, including Nightdoor, were deployed by the attackers during this campaign to target networks in East Asia.

For enhanced protection against malware threats like those posed by Evasive Panda, solutions like Perimeter81 malware protection can prove to be crucial. By blocking Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, these security measures can safeguard networks from devastating cyberattacks.

As cyber threats continue to evolve, staying informed about cybersecurity news and developments is essential. To remain updated on the latest trends, whitepapers, and infographics in the cybersecurity realm, follow trusted sources like The Cybersecurity News on LinkedIn and Twitter. Enhancing cybersecurity awareness is crucial in combatting the growing threat of malicious actors in cyberspace.

