Evasive Panda APT group delivers malware via updates for popular Chinese software

April 28, 2023

ESET Research uncovers a campaign by the APT group known as Evasive Panda targeting an international NGO in China with malware delivered through updates of popular Chinese software

ESET researchers have discovered a campaign that we attribute to the APT group known as Evasive Panda, where update channels of legitimate applications were mysteriously hijacked to deliver the installer for the MgBot malware, Evasive Panda’s flagship backdoor.

Key points of the report:

  • Users in mainland China were targeted with malware delivered through updates for software developed by Chinese companies.
  • We analyze the competing hypotheses of how the malware could have been delivered to targeted users.
  • With high confidence we attribute this activity to the Evasive Panda APT group.
  • We provide an overview of Evasive Panda’s signature backdoor MgBot and its toolkit of plugin modules.

Evasive Panda profile

Evasive Panda (also known as BRONZE HIGHLAND and Daggerfly) is a Chinese-speaking APT group, active since at least 2012. ESET Research has observed the group conducting cyberespionage against individuals in mainland China, Hong Kong, Macao, and Nigeria. Government entities were targeted in China, Macao, and Southeast and East Asian countries, specifically Myanmar, the Philippines, Taiwan, and Vietnam, while other organizations in China and Hong Kong were also targeted. According to public reports, the group has also targeted unknown entities in Hong Kong, India, and Malaysia.

The group implements its own custom malware framework with a modular architecture that allows its backdoor, known as MgBot, to receive modules to spy on its victims and enhance its capabilities.

Campaign overview

In January 2022, we discovered that while performing updates, a legitimate Chinese application had received an installer for the Evasive Panda MgBot backdoor. During our investigation, we found that the malicious activity went back to 2020.

Chinese users were the focus of this malicious activity, which ESET telemetry shows starting in 2020 and continuing throughout 2021. The targeted users were located in the Gansu, Guangdong, and Jiangsu provinces, as shown in Figure 1.

Figure 1. Map of China showing where users were targeted

The majority of the Chinese victims are members of an international NGO that operates in two of the previously mentioned provinces.

One additional victim was also discovered to be located in Nigeria.

Attribution

Evasive Panda uses a custom backdoor known as MgBot, which was publicly documented in 2014 and has seen little evolution since then; to the best of our knowledge, the backdoor has not been used by any other group. In this cluster of malicious activity, only the MgBot malware was observed deployed on victimized machines, along with its toolkit of plugins. Therefore, with high confidence we attribute this activity to Evasive Panda.

Technical analysis

During our investigation, we discovered that when performing automated updates, a legitimate application software component downloaded MgBot backdoor installers from legitimate URLs and IP addresses.

In Table 1, we provide the URL from which the download originated, according to ESET telemetry data, along with the IP addresses of the servers, as resolved at the time by the user’s system. According to passive DNS records, all of these IP addresses match the observed domains; therefore we believe that these IP addresses are legitimate.

Table 1. Malicious download locations according to ESET telemetry

| URL | First seen | Domain IP | ASN | Downloader |
|---|---|---|---|---|
| http://update.browser.qq[.]com/qmbs/QQ/QQUrlMgr_QQ88_4296.exe | 2020-11-02 | 123.151.72[.]74, 183.232.96[.]107, 61.129.7[.]35 | AS58542, AS56040, AS4811 | QQUrlMgr.exe, QQ.exe, QQLive.exe, QQCall<XX>.exe |

Hypotheses of compromise

When we analyzed the likelihood of several methods that could explain how the attackers managed to deliver malware through legitimate updates, we were left with two scenarios: supply-chain compromise, and adversary-in-the-middle attacks. For both scenarios we will also consider antecedents of similar attacks by other Chinese-speaking APT groups.

Tencent QQ is a popular Chinese chat and social media service. In the following sections, we will use the Tencent QQ Windows client software updater, QQUrlMgr.exe (listed in Table 1), for our examples, given that we have the highest number of detections from downloads by this particular component.

Supply-chain compromise scenario

Given the targeted nature of the attacks, we speculate that attackers would have needed to compromise the QQ update servers to introduce a mechanism to identify the targeted users and deliver them the malware, filtering out non-targeted users and delivering them legitimate updates – we registered cases where legitimate updates were downloaded through the same abused protocols.

While not an Evasive Panda case, a prime example of this type of compromise is in our report Operation NightScout: Supply‑chain attack targets online gaming in Asia, where attackers compromised the update servers of a software developer company based in Hong Kong. According to our telemetry, more than 100,000 users had the BigNox software installed, but only five had malware delivered through an update. We suspect that the attackers compromised the BigNox API on the update server to respond to the updater component on the machines of targeted users with a URL to a server where the attackers hosted their malware; non-targeted users were sent the legitimate update URL.

Based on that antecedent, in Figure 2 we illustrate how the supply-chain compromise scenario could have unfolded according to observations in our telemetry. However, we must warn the reader that this is purely speculation and based on our static analysis, with very limited information, of QQUrlMgr.exe (SHA-1: DE4CD63FD7B1576E65E79D1D10839D676ED20C2B).

Figure 2. Sequence diagram of the hypothesized supply-chain compromise

It is also worth noting that in our research we were never able to retrieve a sample of the XML “update” data – neither a legitimate, nor a malicious, XML sample – from the server contacted by QQUrlMgr.exe. The “update check” URL is hardcoded, in obfuscated form, in the executable, as shown in Figure 3.

Figure 3. Obfuscated URL in the legitimate QQUrlMgr.exe binary

Deobfuscated, the complete update check URL is:

http://c.gj.qq[.]com/fcgi-bin/busxml?busid=20&supplyid=30088&guid=CQEjCF9zN8Zdyzj5S6F1MC1RGUtw82B7yL+hpt9/gixzExnawV3y20xaEdtektfo&dm=0

The server responds with XML-formatted data encoded with base64 and encrypted with an implementation of the TEA algorithm using a 128-bit key. This data contains instructions to download and execute a file, along with other information. Since the decryption key is also hardcoded, as shown in Figure 4, it could be known to the attackers.

Figure 4. Hardcoded key in the legitimate QQUrlMgr.exe binary

QQUrlMgr.exe then downloads the indicated file, unencrypted, via HTTP and hashes its contents with the MD5 algorithm. The result is checked against a hash present in the update check response XML data, as seen in Figure 5. If the hashes match, QQUrlMgr.exe executes the downloaded file. This reinforces our hypothesis that the attackers would need to control the XML server-side mechanism on the update server to be able to provide the correct MD5 hash of the malware installer.

Figure 5. QQUrlMgr.exe code that orchestrates the download of the update
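The update check just described compares the download against an MD5 carried in the same response, so whoever controls that response also controls the expected hash. The Go program below is an added example, not code from the ESET report or from Tencent: it models that check beside a version anchored in a vendor public key pinned in the client (ed25519 with SHA-256); the XML element names, the vendor.example URL and the payload bytes are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"fmt"
)

// Manifest is a constructed stand-in for the update-check response (download
// URL plus expected hash); element names are assumptions, not the real schema.
type Manifest struct {
	XMLName xml.Name `xml:"update"`
	URL     string   `xml:"url"`
	MD5     string   `xml:"md5"`
	SHA256  string   `xml:"sha256"`
}

// BuildManifest plays the update server: it emits a manifest whose hashes
// match whatever payload it is handed (constructed demo data, not QQ output).
func BuildManifest(url string, payload []byte) []byte {
	m5, s256 := md5.Sum(payload), sha256.Sum256(payload)
	out, _ := xml.Marshal(Manifest{URL: url,
		MD5: hex.EncodeToString(m5[:]), SHA256: hex.EncodeToString(s256[:])})
	return out
}

// WeakCheck mirrors the logic described for QQUrlMgr.exe: MD5 the download and
// accept it if the digest equals the one in the manifest. Both arrive over the
// same unauthenticated channel, so agreement proves nothing about the sender.
func WeakCheck(manifestXML, payload []byte) (bool, error) {
	var m Manifest
	if err := xml.Unmarshal(manifestXML, &m); err != nil {
		return false, err
	}
	sum := md5.Sum(payload)
	return hex.EncodeToString(sum[:]) == m.MD5, nil
}

// StrongCheck is the mitigation: verify the manifest with a vendor public key
// pinned in the client before reading it, then compare SHA-256. A manifest
// rewritten on a server or in transit fails whatever hash it advertises; a key
// compiled into the client (like the hardcoded TEA key) cannot do this job.
func StrongCheck(pub ed25519.PublicKey, manifestXML, sig, payload []byte) (bool, error) {
	if !ed25519.Verify(pub, manifestXML, sig) {
		return false, fmt.Errorf("manifest signature does not verify")
	}
	var m Manifest
	if err := xml.Unmarshal(manifestXML, &m); err != nil {
		return false, err
	}
	sum := sha256.Sum256(payload)
	return hex.EncodeToString(sum[:]) == m.SHA256, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []byte("constructed bytes standing in for the vendor installer")
	manifest := BuildManifest("http://vendor.example/update.exe", genuine)
	sig := ed25519.Sign(priv, manifest) // vendor signs its manifest offline
	// Substituted response: a different file, manifest rewritten to match it.
	other := []byte("constructed bytes standing in for a substituted file")
	rewritten := BuildManifest("http://vendor.example/update.exe", other)
	w, _ := WeakCheck(rewritten, other)             // true: hashes agree
	s, _ := StrongCheck(pub, rewritten, sig, other) // false: signature fails
	fmt.Println("md5-only check:", w, "signed-manifest check:", s)
}
```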

We believe that this scenario would explain our observations; however, many questions are left unanswered. We reached out to Tencent’s Security Response Center to confirm the legitimacy of the full URL from which the malware was downloaded; update.browser.qq[.]com is – at the time of writing – unreachable, but Tencent could not confirm whether the full URL was legitimate.

Adversary-in-the-middle scenario

On 2022-06-02, Kaspersky published a research report about the capabilities of the Chinese-speaking LuoYu APT group and their WinDealer malware. Similar to what we observed in this cluster of Evasive Panda victims, their researchers found that, since 2020, victims of LuoYu had received the WinDealer malware through updates via the legitimate application qgametool.exe from the PPTV software, also developed by a Chinese company.

WinDealer has a puzzling capability: instead of carrying a list of established C&C servers to contact in case of a successful compromise, it generates random IP addresses in the 13.62.0.0/15 and 111.120.0.0/14 ranges from China Telecom AS4134. Although a small coincidence, we noticed that the IP addresses of the targeted Chinese users at the time of receiving the MgBot malware were in the AS4134 and AS4135 IP address ranges.

Possible explanations for what enables these capabilities for its C&C infrastructure are that LuoYu either controls a large number of devices associated with the IP addresses in those ranges, or that they are able to perform adversary-in-the-middle (AitM) or attacker-on-the-side interception on the infrastructure of that particular AS.

AitM types of interception could be possible if the attackers – either LuoYu or Evasive Panda – were able to compromise vulnerable devices such as routers or gateways. As an antecedent, in 2019 ESET researchers found that the Chinese APT group known as BlackTech was performing AitM attacks through compromised ASUS routers and delivering the Plead malware through ASUS WebStorage software updates.

With access to ISP backbone infrastructure – through legal or illegal means – Evasive Panda would be able to intercept and reply to the update requests performed via HTTP, or even modify packets on the fly. In April 2023, Symantec researchers reported on Evasive Panda targeting a telecommunications organization in Africa.

Wrap-up

Ultimately, without further evidence, we cannot prove or discard one hypothesis in favor of the other, given that such capabilities are at hand for Chinese APT groups.

Toolset

MgBot

MgBot is the primary Windows backdoor used by Evasive Panda, which according to our findings has existed since at least 2012 and, as mentioned in this blog post, was publicly documented at VirusBulletin in 2014. It was developed in C++ with an object-oriented design, and has the capabilities to communicate via TCP and UDP, and to extend its functionality via plugin modules.

MgBot’s installer and backdoor, and their functionality, haven’t changed significantly since it was first documented. Its chain of execution is the same as described in this report by Malwarebytes from 2020.

MgBot Plugins

MgBot’s modular architecture allows it to extend its functionality by receiving and deploying modules on the compromised machine. Table 2 lists the known plugins and their functionality. It is important to note that the plugins don’t have unique internal identification numbers; therefore we are identifying them here by their DLL names on disk, which we have never seen change.

Table 2. List of plugin DLL files

| Plugin DLL name | Overview |
|---|---|
| Kstrcs.dll | Keylogger. It only actively logs keystrokes when the foreground window belongs to a process named QQ.exe and the window title matches QQEdit. Its likely target is the Tencent QQ chat application. |
| sebasek.dll | File stealer. Has a configuration file that enables the collection of files from different sources: HDDs, USB thumb drives, and CD-ROMs; as well as criteria based on the file properties: the filename must contain a keyword from a predefined list, and the file size must be between a defined minimum and maximum size. |
| Cbmrpa.dll | Captures text copied to the clipboard and logs information from the USBSTOR registry key. |
| pRsm.dll | Captures input and output audio streams. |
| mailLFPassword.dll | Credential stealer. Steals credentials from Outlook and Foxmail email client software. |
| agentpwd.dll | Credential stealer. Steals credentials from Chrome, Opera, Firefox, Foxmail, QQBrowser, FileZilla, and WinSCP, among others. |
| qmsdp.dll | A complex plugin designed to steal the content of the Tencent QQ database that stores the user’s message history. This is achieved by in-memory patching of the software component KernelUtils.dll and dropping a fake userenv.dll DLL. |
| wcdbcrk.dll | Information stealer for Tencent WeChat. |
| Gmck.dll | Cookie stealer for Firefox, Chrome, and Edge. |

The majority of the plugins are designed to steal information from highly popular Chinese applications such as QQ, WeChat, QQBrowser, and Foxmail – all of them applications developed by Tencent.

Conclusion

We discovered a campaign that we attribute to the Evasive Panda APT group, targeting users in mainland China and delivering their MgBot backdoor through the update protocols of applications from well-known Chinese companies. We also analyzed the plugins of the MgBot backdoor and found that the majority of them are designed to spy on users of Chinese software by stealing credentials and data.

IoCs

Files

| SHA-1 | Filename | Detection | Description |
|---|---|---|---|
| 10FB52E4A3D5D6BDA0D22BB7C962BDE95B8DA3DD | wcdbcrk.dll | Win32/Agent.VFT | MgBot information stealer plugin. |
| E5214AB93B3A1FC3993EF2B4AD04DFCC5400D5E2 | sebasek.dll | Win32/Agent.VFT | MgBot file stealer plugin. |
| D60EE17418CC4202BB57909BEC69A76BD318EEB4 | kstrcs.dll | Win32/Agent.VFT | MgBot keylogger plugin. |
| 2AC41FFCDE6C8409153DF22872D46CD259766903 | gmck.dll | Win32/Agent.VFT | MgBot cookie stealer plugin. |
| 0781A2B6EB656D110A3A8F60E8BCE9D407E4C4FF | qmsdp.dll | Win32/Agent.VFT | MgBot information stealer plugin. |
| 9D1ECBBE8637FED0D89FCA1AF35EA821277AD2E8 | pRsm.dll | Win32/Agent.VFT | MgBot audio capture plugin. |
| 22532A8C8594CD8A3294E68CEB56ACCF37A613B3 | cbmrpa.dll | Win32/Agent.ABUJ | MgBot clipboard text capture plugin. |
| 970BABE49945B98EFADA72B2314B25A008F75843 | agentpwd.dll | Win32/Agent.VFT | MgBot credential stealer plugin. |
| 8A98A023164B50DEC5126EDA270D394E06A144FF | maillfpassword.dll | Win32/Agent.VFT | MgBot credential stealer plugin. |
| 65B03630E186D9B6ADC663C313B44CA122CA2079 | QQUrlMgr_QQ88_4296.exe | Win32/Kryptik.HRRI | MgBot installer. |

Network

| IP | Provider | First seen | Details |
|---|---|---|---|
| 122.10.88[.]226 | AS55933 Cloudie Limited | 2020-07-09 | MgBot C&C server. |
| 122.10.90[.]12 | AS55933 Cloudie Limited | 2020-09-14 | MgBot C&C server. |

MITRE ATT&CK techniques

This table was built using version 12 of the MITRE ATT&CK framework.

| Tactic | ID | Name | Description |
|---|---|---|---|
| Resource Development | T1583.004 | Acquire Infrastructure: Server | Evasive Panda acquired servers to be used for C&C infrastructure. |
| Resource Development | T1587.001 | Develop Capabilities: Malware | Evasive Panda develops its custom MgBot backdoor and plugins, along with obfuscated loaders. |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | MgBot’s installer launches the service from BAT files with the command net start AppMgmt. |
| Execution | T1106 | Native API | MgBot’s installer uses the CreateProcessInternalW API to execute rundll32.exe to load the backdoor DLL. |
| Execution | T1569.002 | System Services: Service Execution | MgBot is executed as a Windows service. |
| Persistence | T1543.003 | Create or Modify System Process: Windows Service | MgBot replaces the path of the existing Application Management service DLL with its own. |
| Privilege Escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | MgBot performs UAC bypass. |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | MgBot’s installer decrypts an embedded CAB file that contains the backdoor DLL. |
| Defense Evasion | T1112 | Modify Registry | MgBot modifies the registry for persistence. |
| Defense Evasion | T1027 | Obfuscated Files or Information | MgBot’s installer contains embedded malware files and encrypted strings. MgBot contains encrypted strings. MgBot plugins contain embedded DLL files. |
| Defense Evasion | T1055.002 | Process Injection: Portable Executable Injection | MgBot can inject Portable Executable files into remote processes. |
| Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | MgBot plugin module agentpwd.dll steals credentials from web browsers. |
| Credential Access | T1539 | Steal Web Session Cookie | MgBot plugin module Gmck.dll steals cookies. |
| Discovery | T1082 | System Information Discovery | MgBot collects system information. |
| Discovery | T1016 | System Network Configuration Discovery | MgBot has the capability to recover network information. |
| Discovery | T1083 | File and Directory Discovery | MgBot has the capability of creating file listings. |
| Collection | T1056.001 | Input Capture: Keylogging | MgBot plugin module kstrcs.dll is a keylogger. |
| Collection | T1560.002 | Archive Collected Data: Archive via Library | MgBot’s plugin module sebasek.dll uses aPLib to compress files staged for exfiltration. |
| Collection | T1123 | Audio Capture | MgBot’s plugin module pRsm.dll captures input and output audio streams. |
| Collection | T1119 | Automated Collection | MgBot’s plugin modules capture data from various sources. |
| Collection | T1115 | Clipboard Data | MgBot’s plugin module Cbmrpa.dll captures text copied to the clipboard. |
| Collection | T1025 | Data from Removable Media | MgBot’s plugin module sebasek.dll collects files from removable media. |
| Collection | T1074.001 | Data Staged: Local Data Staging | MgBot’s plugin modules stage data locally on disk. |
| Collection | T1114.001 | Email Collection: Local Email Collection | MgBot’s plugin modules are designed to steal credentials and email information from several applications. |
| Collection | T1113 | Screen Capture | MgBot can capture screenshots. |
| Command and Control | T1095 | Non-Application Layer Protocol | MgBot communicates with its C&C through TCP and UDP protocols. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | MgBot performs exfiltration of collected data via C&C. |
