BRATISLAVA, MONTREAL — April 26, 2023 — ESET researchers have discovered a campaign conducted by the APT group known as Evasive Panda, in which update channels of legitimate Chinese applications were hijacked to also deliver the installer for the MgBot malware, Evasive Panda’s flagship cyberespionage backdoor. Chinese users were the focus of this malicious activity, which ESET telemetry shows started in 2020. The targeted users were located in the Gansu, Guangdong, and Jiangsu provinces. The majority of the Chinese victims are members of an international non-governmental organizations (NGO).

In January 2022, ESET Research discovered that while performing updates, a legitimate Chinese application had received an installer for the Evasive Panda MgBot backdoor and that the same malicious actions had already taken place as far back as 2020 with several other legitimate applications developed by Chinese companies.

“Evasive Panda uses a custom backdoor known as MgBot that has seen little evolution since its discovery in 2014. To the best of our knowledge, the backdoor has not been used by any other group. Therefore, we attribute this activity to Evasive Panda with high confidence,” says ESET researcher Facundo Muñoz, who discovered this latest campaign. “During our investigation, we discovered that when performing automated updates, several legitimate application software components also downloaded MgBot backdoor installers from legitimate URLs and IP addresses,” explains Muñoz.

When ESET researchers analyzed the likelihood of several methods that could explain how the attackers managed to deliver malware through legitimate updates, two scenarios stood out: supply-chain compromises, and adversary-in-the-middle (AitM) attacks.

“Given the targeted nature of the attacks, we speculate that attackers would have needed to compromise the QQ update servers to introduce a mechanism to identify the targeted users in order to deliver the malware, and filtering out non-targeted users and delivering them legitimate updates. This is because we registered cases where legitimate updates were downloaded through the same abused protocols,” says Muñoz. “On the other hand, AitM approaches to interception would be possible if the attackers were able to compromise vulnerable devices such as routers or gateways and the attackers could have gained access to ISP infrastructure”.

MgBot’s modular architecture allows it to extend its functionality by receiving and deploying modules on the compromised machine. The functionalities of the backdoor include recording keystrokes; stealing files, credentials, and content from the Tencent messaging apps QQ and WeChat; and capturing both audio streams and text copied to the clipboard.

Evasive Panda (also known as BRONZE HIGHLAND and Daggerfly) is a Chinese-speaking APT group, active since at least 2012. ESET Research has observed the group conducting cyberespionage against individuals in mainland China, Hong Kong, Macao, and Nigeria. One victim of this campaign was verified to be located in Nigeria and was compromised through the Chinese software Mail Master by NetEase.

For more technical information about the latest Evasive Panda campaign, check out the blogpost “Evasive Panda APT group delivers malware via updates for popular Chinese software” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.

Map of China showing where users were targeted