Users in mainland China at an international NGO were targeted with malware delivered through updates for software developed by Chinese companies.
With high confidence, we attribute this activity to the Chinese-speaking Evasive Panda APT group.
The backdoor MgBot is used for cyberespionage.

BRATISLAVA, MONTREAL - Ap - ESET researchers have discovered a campaign conducted by the APT group known as Evasive Panda, in which update channels of legitimate Chinese applications were hijacked to also deliver the installer for the MgBot malware, Evasive Panda’s flagship cyberespionage backdoor. Chinese users were the focus of this malicious activity, which ESET telemetry shows started in 2020. The targeted users were located in the Gansu, Guangdong, and Jiangsu provinces. The majority of the Chinese victims are members of an international non-governmental organization (NGO).

In January 2022, ESET Research discovered that while performing updates, a legitimate Chinese application had received an installer for the Evasive Panda MgBot backdoor, and that the same malicious actions had already taken place as far back as 2020 with several other legitimate applications developed by Chinese companies.

“Evasive Panda uses a custom backdoor known as MgBot that has seen little evolution since its discovery in 2014. To the best of our knowledge, the backdoor has not been used by any other group. Therefore, we attribute this activity to Evasive Panda with high confidence,” says ESET researcher Facundo Muñoz, who discovered this latest campaign. “During our investigation, we discovered that when performing automated updates, several legitimate application software components also downloaded MgBot backdoor installers from legitimate URLs and IP addresses,” explains Muñoz.

When ESET researchers analyzed the likelihood of several methods that could explain how the attackers managed to deliver malware through legitimate updates, two scenarios stood out: supply-chain compromises, and adversary-in-the-middle (AitM) attacks. “Given the targeted nature of the attacks, we speculate that attackers would have needed to compromise the QQ update servers to introduce a mechanism to identify the targeted users in order to deliver the malware, filtering out non-targeted users and delivering them legitimate updates.