ESET Research: Chinese-speaking Evasive Panda group spreads malware via updates of legitimate apps and targets NGO in China

Next story
  • Users in mainland China at an international NGO were targeted with malware delivered through updates for software developed by Chinese companies.
  • With high confidence, we attribute this activity to the Chinese-speaking Evasive Panda APT group.
  • The backdoor MgBot is used for cyberespionage. 

ESET researchers have discovered a campaign by the APT group Evasive Panda, in which update channels of legitimate Chinese applications were hijacked to deliver the installer for the MgBot malware, Evasive Panda’s flagship cyberespionage backdoor. Chinese users were the focus of this malicious activity, which ESET telemetry shows started in 2020. The targeted users were in the Gansu, Guangdong, and Jiangsu provinces. Most Chinese victims are members of an international non-governmental organisation (NGO). 

In January 2022, ESET Research discovered that while performing updates, a legitimate Chinese application had received an installer for the Evasive Panda MgBot backdoor and that the same malicious actions had already taken place as far back as 2020 with several other legitimate applications developed by Chinese companies. 

“Evasive Panda uses a custom backdoor known as MgBot that has seen little evolution since its discovery in 2014. To our knowledge, the backdoor has not been used by any other group. Therefore, we attribute this activity to Evasive Panda with high confidence,” says ESET researcher Facundo Muñoz, who discovered this latest campaign. “During our investigation, we discovered that when performing automated updates, several legitimate application software components also downloaded MgBot backdoor installers from legitimate URLs and IP addresses,” explains Muñoz. 

When ESET researchers analysed the likelihood of several methods that could explain how the attackers managed to deliver malware through legitimate updates, two scenarios stood out: supply-chain compromises and adversary-in-the-middle (AitM) attacks. 

“Given the targeted nature of the attacks, we speculate that attackers would have needed to compromise the QQ update servers to introduce a mechanism to identify the targeted users to deliver the malware, filter out non-targeted users, and deliver them legitimate updates. This is because we registered cases where legitimate updates were downloaded through the same abused protocols,” says Muñoz. “On the other hand, AitM approaches to interception would be possible if the attackers could compromise vulnerable devices such as routers or gateways and the attackers could have gained access to ISP infrastructure”.

MgBot’s modular architecture allows it to extend its functionality by receiving and deploying modules on the compromised machine. The functionalities of the backdoor include recording keystrokes; stealing files, credentials, and content from the Tencent messaging apps QQ and WeChat; and capturing audio streams and text copied to the clipboard.

Evasive Panda (also known as BRONZE HIGHLAND and Daggerfly) is a Chinese-speaking APT group, active since at least 2012. ESET Research has observed the group conducting cyber espionage against individuals in mainland China, Hong Kong, Macao, and Nigeria. One victim of this campaign was verified to be located in Nigeria and was compromised through the Chinese software Mail Master by NetEase. 

For more technical information about the latest Evasive Panda campaign, check out the blogpost “Evasive Panda APT group delivers malware via updates for popular Chinese software” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.