China-based advanced persistent threat (APT) group Evasive Panda has been found to have targeted an international non-governmental organisation (NGO) with malware delivered through updates to popular Chinese software. Slovakian cybersecurity firm ESET Research detected the campaign, which showed that update channels of legitimate applications had been hijacked to deliver the installer for the MgBot malware, Evasive Panda’s flagship backdoor. Telemetry from ESET showed that Chinese users were the focus of the campaign, which ran from 2020 to 2021 and targeted members of an international NGO operating in Gansu, Guangdong and Jiangsu provinces. One other victim was found in Nigeria.
Evasive Panda, also tracked as Bronze Highland and Daggerfly, has been active since at least 2012. It operates a custom, modular malware framework: the MgBot backdoor provides the core implant, and plugins loaded on demand extend its espionage capabilities. In this campaign only MgBot and its plugin toolkit were observed.
ESET researchers weighed several ways the malware could have been delivered through legitimate update traffic and concluded that two scenarios were most likely: a supply-chain compromise or an adversary-in-the-middle (AitM) attack. In the supply-chain scenario the attackers would have compromised the vendor's update servers and added logic that identifies targeted users and serves them the malware while everyone else receives the genuine update. In the AitM scenario the attackers would have intercepted traffic between the updater client and the update server and substituted the malicious payload in transit. In either case the attack only works because the updater executes whatever it is handed without verifying a publisher signature on the payload; a client that checks a signed manifest and the installer's digest before running it defeats both variants.
In the supply-chain scenario, ESET speculated that the attackers may have compromised the update servers of Tencent QQ, a popular Chinese chat and social media application. A compromised server would answer the updater component on targeted machines with a URL pointing to a server hosting the attackers' MgBot installer, while non-targeted users would receive the legitimate update URL. ESET contacted Tencent's Security Response Center to confirm whether the URL was legitimate but received no confirmation.
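The following Go program is an added illustration of the two delivery scenarios described above and of the client-side checks that defeat them; it is not ESET's code and does not model Tencent QQ's real update protocol. The manifest format, the host names (update.example.com, attacker.example.net), the client identifiers and the installer bytes are all constructed for the example. A simulated update server hands a different manifest to a "targeted" client (supply-chain scenario), and a separate step swaps the installer bytes while leaving the manifest intact (AitM scenario). The hardened updater rejects both because it requires an https URL on an allow-listed host, a valid Ed25519 publisher signature over the manifest, and an installer digest matching the signed manifest.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is the hypothetical update-metadata record a client fetches from
// the vendor's update server. Constructed for this example; not QQ's format.
type Manifest struct {
	Version   string
	URL       string // where the installer is hosted
	SHA256    string // hex digest of the installer bytes
	Signature []byte // Ed25519 signature over Version|URL|SHA256
}

// manifestBytes is the byte string the publisher signs and the client verifies.
func manifestBytes(m Manifest) []byte {
	return []byte(m.Version + "|" + m.URL + "|" + m.SHA256)
}

// SignManifest returns a copy of m signed with the publisher's private key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) Manifest {
	m.Signature = ed25519.Sign(priv, manifestBytes(m))
	return m
}

// Server simulates an update server altered by a supply-chain attacker so
// that only selected clients receive the malicious manifest.
type Server struct {
	targets map[string]bool
}

// Respond returns the malicious manifest for targets and the legit one otherwise.
func (s Server) Respond(clientID string, legit, malicious Manifest) Manifest {
	if s.targets[clientID] {
		return malicious
	}
	return legit
}

// allowedHosts is the updater's pinned list of legitimate download hosts (assumed).
var allowedHosts = map[string]bool{"update.example.com": true}

// VerifyManifest applies the checks an updater should perform before
// downloading anything: https only, allow-listed host, valid publisher signature.
func VerifyManifest(pub ed25519.PublicKey, m Manifest) error {
	u, err := url.Parse(m.URL)
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return errors.New("update URL must use https")
	}
	if !allowedHosts[u.Hostname()] {
		return errors.New("update host not in allow-list: " + u.Hostname())
	}
	if !ed25519.Verify(pub, manifestBytes(m), m.Signature) {
		return errors.New("manifest signature invalid")
	}
	return nil
}

// VerifyPayload checks the downloaded installer against the signed digest, so
// a file swapped in transit (AitM) is caught even when the manifest was genuine.
func VerifyPayload(m Manifest, payload []byte) error {
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("installer hash does not match signed manifest")
	}
	return nil
}

// Simulate runs the supply-chain scenario (selective manifest) and the AitM
// scenario (swapped installer bytes) through the hardened checks and returns
// the updater's decision for each case (nil means the update was accepted).
func Simulate() map[string]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installer := []byte("legitimate installer bytes (constructed)")
	sum := sha256.Sum256(installer)
	legit := SignManifest(priv, Manifest{
		Version: "9.7.1",
		URL:     "https://update.example.com/installer.exe",
		SHA256:  hex.EncodeToString(sum[:]),
	})
	// The attacker lacks the publisher key, so they reuse the legitimate
	// signature and only redirect the URL to a host they control.
	malicious := legit
	malicious.URL = "http://attacker.example.net/installer.exe"

	srv := Server{targets: map[string]bool{"ngo-host-17": true}}
	results := map[string]error{}
	for _, id := range []string{"ordinary-user", "ngo-host-17"} {
		m := srv.Respond(id, legit, malicious)
		if err := VerifyManifest(pub, m); err != nil {
			results[id] = err
			continue
		}
		results[id] = VerifyPayload(m, installer)
	}
	// AitM: manifest untouched, installer bytes replaced on the wire.
	results["aitm-swap"] = VerifyPayload(legit, []byte("trojanized installer (constructed)"))
	return results
}

func main() {
	for id, err := range Simulate() {
		fmt.Printf("%-14s -> %v\n", id, err)
	}
}
```

In the run, the ordinary user's update is accepted, the targeted client's manifest is rejected at the https check before the signature is even examined, and the swapped installer is rejected by the digest comparison. The order of checks is deliberate: cheap transport and host checks first, then the signature, then the download, so a malicious manifest never causes a download at all.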
Evasive Panda was previously linked to attacks against government entities in China, Macao, and Southeast and East Asian countries, as well as against other organisations in China and Hong Kong. The group’s command-and-control infrastructure has been observed to use IP addresses in China Telecom AS4134 and AS4135 ranges.