Evasive Panda’s malicious campaign uses the update channels of legitimate Chinese applications to deliver their infamous backdoor, MgBot malware, to unsuspecting victims.
Researchers at ESET have recently uncovered a new cyber attack campaign linked to the notorious APT group Evasive Panda.
The team’s trademark is the use of the custom MgBot modular malware framework, which is able to receive addons components on the move to expand its intelligence-gathering capabilities.
Know about Evasive Panda?
Evasive Panda (also known as BRONZE HIGHLAND and Daggerfly) is a Chinese-speaking APT group actively targeting individuals and government entities across multiple countries since at least 2012.Their previous targets include China, Macao, Nigeria, and Southeast and East Asian countries.
The latest Evasive Panda’s malicious campaign mostly concentrated in the Gansu, Guangdong, and Jiangsu provinces of China, focusing on members of an international NGO operating within two of these provinces.
However, it points to one of two scenarios, a supply chain compromise of Tencent QQ’s update servers or an adversary-in-the-middle case , as reported by Kaspersky in June 2022, involving a Chinese hacking crew named LuoYu.
According to the report, the malware used by Daggerfly in the recent campaign is highly sophisticated and difficult to detect.
IOCS
| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 10FB52E4A3D5D6BDA0D22BB7C962BDE95B8DA3DD | wcdbcrk.dll | Win32/Agent.VFT | MgBot information stealer plugin. |
| E5214AB93B3A1FC3993EF2B4AD04DFCC5400D5E2 | sebasek.dll | Win32/Agent.VFT | MgBot file stealer plugin. |
| D60EE17418CC4202BB57909BEC69A76BD318EEB4 | kstrcs.dll | Win32/Agent.VFT | MgBot keylogger plugin. |
| 2AC41FFCDE6C8409153DF22872D46CD259766903 | gmck.dll | Win32/Agent.VFT | MgBot cookie stealer plugin. |
| 0781A2B6EB656D110A3A8F60E8BCE9D407E4C4FF | qmsdp.dll | Win32/Agent.VFT | MgBot information stealer plugin. |
| 9D1ECBBE8637FED0D89FCA1AF35EA821277AD2E8 | pRsm.dll | Win32/Agent.VFT | MgBot audio capture plugin. |
| 22532A8C8594CD8A3294E68CEB56ACCF37A613B3 | cbmrpa.dll | Win32/Agent.ABUJ | MgBot clipboard text capture plugin. |
| 970BABE49945B98EFADA72B2314B25A008F75843 | agentpwd.dll | Win32/Agent.VFT | MgBot credential stealer plugin. |
| 8A98A023164B50DEC5126EDA270D394E06A144FF | maillfpassword.dll | Win32/Agent.VFT | MgBot credential stealer plugin. |
| 65B03630E186D9B6ADC663C313B44CA122CA2079 | QQUrlMgr_QQ88_4296.exe | Win32/Kryptik.HRRI | MgBot installer. |
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment