URL: https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/
EVASIVE PANDA APT GROUP DELIVERS MALWARE VIA UPDATES FOR POPULAR CHINESE
SOFTWARE

ESET Research uncovers a campaign by the APT group known as Evasive Panda
targeting an international NGO in China with malware delivered through updates
of popular Chinese software
Facundo Muñoz
26 Apr 2023 - 11:30AM

ESET researchers have discovered a campaign that we attribute to the APT group
known as Evasive Panda, where update channels of legitimate applications were
mysteriously hijacked to deliver the installer for the MgBot malware, Evasive
Panda’s flagship backdoor.



Key points of the report:



 * Users in mainland China were targeted with malware delivered through updates
   for software developed by Chinese companies.
 * We analyze the competing hypotheses of how the malware could have been
   delivered to targeted users.
 * With high confidence we attribute this activity to the Evasive Panda APT
   group.
 * We provide an overview of Evasive Panda’s signature backdoor MgBot and its
   toolkit of plugin modules.


EVASIVE PANDA PROFILE

Evasive Panda (also known as BRONZE HIGHLAND and Daggerfly) is a
Chinese-speaking APT group, active since at least 2012. ESET Research has
observed the group conducting cyberespionage against individuals in mainland
China, Hong Kong, Macao, and Nigeria. Government entities were targeted in
China, Macao, and Southeast and East Asian countries, specifically Myanmar, the
Philippines, Taiwan, and Vietnam, while other organizations in China and Hong
Kong were also targeted. According to public reports, the group has also
targeted unknown entities in Hong Kong, India, and Malaysia.

The group implements its own custom malware framework with a modular
architecture that allows its backdoor, known as MgBot, to receive modules to spy
on its victims and enhance its capabilities.


CAMPAIGN OVERVIEW

In January 2022, we discovered that while performing updates, a legitimate
Chinese application had received an installer for the Evasive Panda MgBot
backdoor. During our investigation, we discovered that the malicious activity
went back to 2020.

Chinese users were the focus of this malicious activity, which ESET telemetry
shows starting in 2020 and continuing throughout 2021. The targeted users were
located in the Gansu, Guangdong, and Jiangsu provinces, as shown in Figure 1.

Figure 1. Map of China showing where users were targeted

The majority of the Chinese victims are members of an international NGO that
operates in two of the previously mentioned provinces.

One additional victim was also discovered to be located in the country of
Nigeria.


ATTRIBUTION

Evasive Panda uses a custom backdoor known as MgBot, which was publicly
documented in 2014 and has seen little evolution since then; to the best of our
knowledge, the backdoor has not been used by any other group. In this cluster of
malicious activity, only the MgBot malware was observed deployed on victimized
machines, along with its toolkit of plugins. Therefore, with high confidence we
attribute this activity to Evasive Panda.


TECHNICAL ANALYSIS

During our investigation, we discovered that when performing automated updates,
a legitimate application software component downloaded MgBot backdoor installers
from legitimate URLs and IP addresses.

Table 1 lists the URL from which the download originated, according to ESET
telemetry, together with the IP addresses that the user's system resolved for
the domain at the time. Passive DNS records show all of these IP addresses
matching the observed domain, so we believe the IP addresses are legitimate.

Table 1. Malicious download locations according to ESET telemetry

URL | First seen | Domain IP (ASN) | Downloader
http://update.browser.qq[.]com/qmbs/QQ/QQUrlMgr_QQ88_4296.exe | 2020-11-02 | 123.151.72[.]74 (AS58542); 183.232.96[.]107 (AS56040); 61.129.7[.]35 (AS4811) | QQUrlMgr.exe; QQ.exe; QQLive.exe; QQCall<XX>.exe


HYPOTHESES OF COMPROMISE

When we analyzed the likelihood of several methods that could explain how the
attackers managed to deliver malware through legitimate updates, we were left
with two scenarios: supply-chain compromise, and adversary-in-the-middle
attacks. For both scenarios we will also take into account antecedents of
similar attacks by other Chinese-speaking APT groups.

Tencent QQ is a popular Chinese chat and social media service. In the next
sections, we will use the Tencent QQ Windows client software updater,
QQUrlMgr.exe (listed in Table 1), for our examples, given that we have the
highest number of detections from downloads by this particular component.

SUPPLY-CHAIN COMPROMISE SCENARIO

Given the targeted nature of the attacks, we speculate that the attackers would
have needed to compromise the QQ update servers and introduce a mechanism that
identifies the targeted users and serves them the malware, while non-targeted
users receive legitimate updates; we registered cases where legitimate updates
were downloaded through the same abused protocols.

While not an Evasive Panda case, a prime example of this type of compromise is
in our report Operation NightScout: Supply‑chain attack targets online gaming in
Asia, where attackers compromised the update servers of a software developer
company based in Hong Kong. According to our telemetry, more than 100,000 users
had the BigNox software installed, but only five had malware delivered through
an update. We suspect that the attackers compromised the BigNox API on the
update server to reply to the updater component on the machines of targeted
users with a URL to a server where the attackers hosted their malware;
non-targeted users were sent the legitimate update URL.

Based on that antecedent, in Figure 2 we illustrate how the supply-chain
compromise scenario could have unfolded according to observations in our
telemetry. Still, we must warn the reader that this is purely speculation and
based on our static analysis, with very limited information, of QQUrlMgr.exe
(SHA-1: DE4CD63FD7B1576E65E79D1D10839D676ED20C2B).

Figure 2. Sequence diagram of the hypothesized supply-chain compromise

It is also worth noting that during our research we were never able to retrieve
a sample of the XML “update” data – neither a legitimate, nor a malicious, XML
sample – from the server contacted by QQUrlMgr.exe. The “update check” URL is
hardcoded, in obfuscated form, in the executable, as shown in Figure 3.

Figure 3. Obfuscated URL in the legitimate QQUrlMgr.exe binary

Deobfuscated, the complete update check URL is:

http://c.gj.qq[.]com/fcgi-bin/busxml?busid=20&supplyid=30088&guid=CQEjCF9zN8Zdyzj5S6F1MC1RGUtw82B7yL+hpt9/gixzExnawV3y20xaEdtektfo&dm=0

The server responds with XML-formatted data encoded with base64 and encrypted
with an implementation of the TEA algorithm using a 128-bit key. This data
contains instructions to download and execute a file, along with other
information. Since the decryption key is also hardcoded, as shown in Figure 4,
it could be known to the attackers.

Figure 4. Hardcoded key in the legitimate QQUrlMgr.exe binary

QQUrlMgr.exe then downloads the indicated file, unencrypted, via HTTP and hashes
its contents with the MD5 algorithm. The result is checked against a hash
present in the update check response XML data, as seen in Figure 5. If the
hashes match, QQUrlMgr.exe executes the downloaded file. This reinforces our
hypothesis that the attackers would need to control the XML server-side
mechanism in the update server to be able to provide the correct MD5 hash of the
malware installer.

Figure 5. QQUrlMgr.exe code that orchestrates the download of the update
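To make the trust boundary in that check concrete, the following is a model of the update exchange as the report describes it, written as an added example for this page; it is not Tencent's code, ESET's tooling, or the real QQUrlMgr.exe logic. Everything the report does not specify is an assumption: textbook TEA in ECB mode with zero padding, a made-up 128-bit key standing in for the hardcoded one, the XML element names, a made-up "legit" file URL, and an in-memory stand-in for the HTTP download. The three scenario functions cover a genuine update, a manifest minted by whoever holds the key and controls the XML (the compromised update backend, or an on-path attacker who lifted the key from the binary), and a file swapped without touching the manifest.

```python
"""Model of the QQUrlMgr.exe update check as described in the report.

Added example; not Tencent's or ESET's code. Assumptions: textbook TEA in
ECB mode with zero padding, a demo key in place of the real hardcoded one,
the XML element names, and an in-memory stand-in for the HTTP download.
"""
import base64
import hashlib
import struct
import xml.etree.ElementTree as ET

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF
HARDCODED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # demo value, not the real key

def _tea_encrypt_block(v0, v1, k):
    s = 0
    for _ in range(32):
        s = (s + DELTA) & MASK
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1

def _tea_decrypt_block(v0, v1, k):
    s = (DELTA * 32) & MASK
    for _ in range(32):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1

def tea_ecb(data, key, encrypt):
    """TEA over 8-byte blocks in ECB mode; zero-pads on encrypt, strips on decrypt (assumption)."""
    k = struct.unpack(">4I", key)
    if encrypt:
        data += b"\x00" * (-len(data) % 8)
    step = _tea_encrypt_block if encrypt else _tea_decrypt_block
    out = b"".join(struct.pack(">2I", *step(*struct.unpack(">2I", data[i:i + 8]), k))
                   for i in range(0, len(data), 8))
    return out if encrypt else out.rstrip(b"\x00")

def build_response(key, download_url, payload):
    """Server side (or anyone holding the key): XML manifest -> TEA -> base64."""
    root = ET.Element("update")
    ET.SubElement(root, "url").text = download_url
    ET.SubElement(root, "md5").text = hashlib.md5(payload).hexdigest()
    ET.SubElement(root, "action").text = "download_and_execute"
    return base64.b64encode(tea_ecb(ET.tostring(root), key, True)).decode()

def client_update(response_b64, key, http_get):
    """Client side as the report describes it: base64-decode, TEA-decrypt, fetch the
    file over plain HTTP, compare its MD5 with the manifest, execute on match.
    Returns (decision, url) instead of actually running anything."""
    manifest = ET.fromstring(tea_ecb(base64.b64decode(response_b64), key, False))
    url, expected_md5 = manifest.findtext("url"), manifest.findtext("md5")
    body = http_get(url)
    if hashlib.md5(body).hexdigest() != expected_md5:
        return "reject", url
    return "execute", url

# MGBOT_URL is the Table 1 URL undefanged; LEGIT_URL and both byte strings are constructed.
LEGIT_URL = "http://update.browser.qq.com/qmbs/QQ/QQUrlMgr_legit.exe"
MGBOT_URL = "http://update.browser.qq.com/qmbs/QQ/QQUrlMgr_QQ88_4296.exe"
LEGIT_UPDATE = b"MZ constructed bytes standing in for a genuine QQ update"
MGBOT_INSTALLER = b"MZ constructed bytes standing in for the MgBot installer"
HOSTED = {LEGIT_URL: LEGIT_UPDATE, MGBOT_URL: MGBOT_INSTALLER}

def scenario_legitimate():
    resp = build_response(HARDCODED_KEY, LEGIT_URL, LEGIT_UPDATE)
    return client_update(resp, HARDCODED_KEY, HOSTED.__getitem__)

def scenario_forged_manifest():
    # Whoever controls the XML (compromised update backend, or an on-path attacker
    # with the key lifted from the binary) names its own file and its own MD5;
    # the client's check passes and the MgBot installer runs.
    resp = build_response(HARDCODED_KEY, MGBOT_URL, MGBOT_INSTALLER)
    return client_update(resp, HARDCODED_KEY, HOSTED.__getitem__)

def scenario_swapped_file_only():
    # Replacing only the download while the manifest stays genuine is caught:
    # the MD5 binds the file to the manifest, not the manifest to the vendor.
    resp = build_response(HARDCODED_KEY, LEGIT_URL, LEGIT_UPDATE)
    return client_update(resp, HARDCODED_KEY, lambda url: MGBOT_INSTALLER)

if __name__ == "__main__":
    for fn in (scenario_legitimate, scenario_forged_manifest, scenario_swapped_file_only):
        print(f"{fn.__name__:26s} -> {fn()}")
```

The point the scenarios make is that the MD5 only binds the downloaded file to the manifest; it says nothing about who produced the manifest, and a symmetric key shipped inside every client cannot provide that guarantee, because anyone who can read the binary has it. An update channel that resists both hypotheses in the report needs the manifest (or the file itself) signed with a key whose private half never leaves the vendor, verified with the pinned public half in the client, and the transport over TLS so an on-path attacker cannot observe, replay, or rewrite the exchange in the first place.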

We believe that this scenario would explain our observations; however, many
questions are left unanswered. We reached out to Tencent’s Security Response
Center to confirm the legitimacy of the full URL from where the malware was
downloaded; update.browser.qq[.]com is – at the time of writing – unreachable,
but Tencent could not confirm whether the full URL was legitimate.

ADVERSARY-IN-THE-MIDDLE SCENARIO

On 2022-06-02, Kaspersky published a research report about the capabilities of
the Chinese-speaking LuoYu APT group and their WinDealer malware. Similar to
what we observed on this cluster of Evasive Panda victims, their researchers
found that, since 2020, victims of LuoYu had received the WinDealer malware
through updates via the legitimate application qgametool.exe from the PPTV
software, also developed by a Chinese company.

WinDealer has a puzzling capability: instead of carrying a list of established
C&C servers to contact after a successful compromise, it generates random IP
addresses in the 13.62.0.0/15 and 111.120.0.0/14 ranges of China Telecom
AS4134. Although a small coincidence, we noticed that the IP addresses of the
targeted Chinese users at the time they received the MgBot malware were in the
AS4134 and AS4135 IP address ranges.

Possible explanations for what enables these C&C capabilities are that LuoYu
either controls a large number of devices with IP addresses in those ranges, or
is able to perform adversary-in-the-middle (AitM) or attacker-on-the-side
interception on the infrastructure of that particular AS.

AitM styles of interception would be possible if the attackers – either LuoYu or
Evasive Panda – were able to compromise vulnerable devices such as routers or
gateways. As an antecedent, in 2019 ESET researchers discovered that the Chinese
APT group known as BlackTech was performing AitM attacks through compromised
ASUS routers and delivering the Plead malware through ASUS WebStorage software
updates.

With access to ISP backbone infrastructure – through legal or illegal means –
Evasive Panda would be able to intercept and reply to the update requests
performed via HTTP, or even modify packets on the fly. In April 2023, Symantec
researchers reported on Evasive Panda targeting a telecommunications
organization in Africa.

WRAP-UP

Ultimately, without further evidence, we cannot prove or discard one hypothesis
in favor of the other, given that such capabilities are at hand for Chinese APT
groups.


TOOLSET

MGBOT

MgBot is the primary Windows backdoor used by Evasive Panda; according to our
findings it has existed since at least 2012 and, as mentioned earlier in this
post, was publicly documented at VirusBulletin in 2014. It was developed in C++
with an object-oriented design, can communicate via TCP and UDP, and extends
its functionality via plugin modules.

MgBot’s installer and backdoor, and their functionality, have not changed
significantly since it was first documented. Its chain of execution is the same
as described in this report by Malwarebytes from 2020.

MGBOT PLUGINS

MgBot’s modular architecture allows it to extend its functionality by receiving
and deploying modules on the compromised machine. Table 2 lists the known
plugins and their functionality. It is important to note that the plugins don’t
have unique internal identification numbers; therefore we are identifying them
here by their DLL names on disk, which we have never seen change.

Table 2. List of plugin DLL files

Plugin DLL name | Overview
Kstrcs.dll | Keylogger. It only actively logs keystrokes when the foreground window belongs to a process named QQ.exe and the window title matches QQEdit. Its likely target is the Tencent QQ chat application.
sebasek.dll | File stealer. Has a configuration file that enables the collection of files from different sources (HDDs, USB thumb drives, and CD-ROMs) as well as criteria based on file properties: the filename must contain a keyword from a predefined list, and the file size must be between a defined minimum and maximum.
Cbmrpa.dll | Captures text copied to the clipboard and logs information from the USBSTOR registry key.
pRsm.dll | Captures input and output audio streams.
mailLFPassword.dll | Credential stealer. Steals credentials from Outlook and Foxmail email client software.
agentpwd.dll | Credential stealer. Steals credentials from Chrome, Opera, Firefox, Foxmail, QQBrowser, FileZilla, and WinSCP, among others.
qmsdp.dll | A complex plugin designed to steal the content of the Tencent QQ database that stores the user's message history. This is achieved by in-memory patching of the software component KernelUtils.dll and dropping a fake userenv.dll DLL.
wcdbcrk.dll | Information stealer for Tencent WeChat.
Gmck.dll | Cookie stealer for Firefox, Chrome, and Edge.

The majority of the plugins are designed to steal information from highly
popular Chinese applications such as QQ, WeChat, QQBrowser, and Foxmail – all of
them applications developed by Tencent.


CONCLUSION

We discovered a campaign that we attribute to the Evasive Panda APT group,
targeting users in mainland China, delivering their MgBot backdoor through
update protocols of applications from well-known Chinese companies. We also
analyzed the plugins of the MgBot backdoor and found the majority of them are
designed to spy on users of Chinese software by stealing credentials and
information.


IOCS


FILES

SHA-1 | Filename | Detection | Description
10FB52E4A3D5D6BDA0D22BB7C962BDE95B8DA3DD | wcdbcrk.dll | Win32/Agent.VFT | MgBot information stealer plugin.
E5214AB93B3A1FC3993EF2B4AD04DFCC5400D5E2 | sebasek.dll | Win32/Agent.VFT | MgBot file stealer plugin.
D60EE17418CC4202BB57909BEC69A76BD318EEB4 | kstrcs.dll | Win32/Agent.VFT | MgBot keylogger plugin.
2AC41FFCDE6C8409153DF22872D46CD259766903 | gmck.dll | Win32/Agent.VFT | MgBot cookie stealer plugin.
0781A2B6EB656D110A3A8F60E8BCE9D407E4C4FF | qmsdp.dll | Win32/Agent.VFT | MgBot information stealer plugin.
9D1ECBBE8637FED0D89FCA1AF35EA821277AD2E8 | pRsm.dll | Win32/Agent.VFT | MgBot audio capture plugin.
22532A8C8594CD8A3294E68CEB56ACCF37A613B3 | cbmrpa.dll | Win32/Agent.ABUJ | MgBot clipboard text capture plugin.
970BABE49945B98EFADA72B2314B25A008F75843 | agentpwd.dll | Win32/Agent.VFT | MgBot credential stealer plugin.
8A98A023164B50DEC5126EDA270D394E06A144FF | maillfpassword.dll | Win32/Agent.VFT | MgBot credential stealer plugin.
65B03630E186D9B6ADC663C313B44CA122CA2079 | QQUrlMgr_QQ88_4296.exe | Win32/Kryptik.HRRI | MgBot installer.


NETWORK

IP | Provider | First seen | Details
122.10.88[.]226 | AS55933 Cloudie Limited | 2020-07-09 | MgBot C&C server.
122.10.90[.]12 | AS55933 Cloudie Limited | 2020-09-14 | MgBot C&C server.
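As an added example of putting the indicators above to work (this is not ESET tooling and not part of the original report), the following script triages proxy-log lines for the three things a defender can actually observe in this campaign: the known MgBot C&C addresses and file hashes from the IOC tables, executables fetched over plaintext HTTP from a software-update host (which is what makes the AitM hypothesis viable at all), and an update host being served from an IP outside the set confirmed via passive DNS. The log format and all sample lines are constructed; the update-host IP set is taken from Table 1 and would in practice come from the defender's own resolver or passive-DNS data.

```python
"""Triage of proxy-log lines against the update-channel abuse described
in this report. Added example, not ESET tooling. The log format is an
assumption (one line per request: timestamp client method url dest_ip
status process sha1-or-dash) and the sample lines below are constructed."""
import re
from urllib.parse import urlparse

# From the IOC section (undefanged): MgBot C&C addresses and a few file hashes.
MGBOT_C2 = {"122.10.88.226", "122.10.90.12"}
MGBOT_SHA1 = {
    "65b03630e186d9b6adc663c313b44ca122ca2079": "MgBot installer (QQUrlMgr_QQ88_4296.exe)",
    "d60ee17418cc4202bb57909bec69a76bd318eeb4": "kstrcs.dll keylogger plugin",
    "970babe49945b98efada72b2314b25a008f75843": "agentpwd.dll credential stealer plugin",
}
# Update host from Table 1 with the IPs the report confirmed via passive DNS.
# A defender would maintain this from their own resolver/passive-DNS data.
UPDATE_HOSTS = {"update.browser.qq.com": {"123.151.72.74", "183.232.96.107", "61.129.7.35"}}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".msi", ".cab")

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<dest>\S+) (?P<status>\d{3}) (?P<proc>\S+) (?P<sha1>\S+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(line):
    """Return a list of (severity, reason) findings for one log line."""
    rec = parse_line(line)
    if rec is None:
        return []
    url = urlparse(rec["url"])
    host = (url.hostname or "").lower()
    sha1 = rec["sha1"].lower()
    findings = []
    if rec["dest"] in MGBOT_C2:
        findings.append(("critical", f"traffic to known MgBot C&C {rec['dest']} from {rec['proc']}"))
    if sha1 in MGBOT_SHA1:
        findings.append(("critical", f"known MgBot file: {MGBOT_SHA1[sha1]}"))
    if url.scheme == "http" and url.path.lower().endswith(EXECUTABLE_SUFFIXES):
        # Plain HTTP is the precondition for the AitM scenario in the report.
        findings.append(("medium", f"executable fetched over plaintext HTTP from {host}"))
    if host in UPDATE_HOSTS and rec["dest"] not in UPDATE_HOSTS[host]:
        # CDN rotation also produces this, so treat it as a lead, not a verdict.
        findings.append(("high", f"{host} served from unexpected IP {rec['dest']}"))
    return findings

def triage_log(lines):
    """Map line index -> findings for every line that produced any."""
    result = {}
    for i, line in enumerate(lines):
        findings = triage(line)
        if findings:
            result[i] = findings
    return result

# Constructed sample log. Line 0 mirrors Table 1: a legitimate host and a
# legitimate IP delivering the MgBot installer, which only the hash catches.
SAMPLE_LOG = [
    "2020-11-02T09:14:03Z 10.20.30.41 GET http://update.browser.qq.com/qmbs/QQ/QQUrlMgr_QQ88_4296.exe 123.151.72.74 200 QQUrlMgr.exe 65b03630e186d9b6adc663c313b44ca122ca2079",
    "2020-11-03T11:02:51Z 10.20.30.42 GET http://update.browser.qq.com/qmbs/QQ/QQUrlMgr_QQ88_4300.exe 198.51.100.7 200 QQUrlMgr.exe -",
    "2020-11-03T11:05:12Z 10.20.30.41 POST https://122.10.88.226/ 122.10.88.226 200 rundll32.exe -",
    "2020-11-03T11:06:00Z 10.20.30.43 GET https://www.welivesecurity.com/feed/ 2a02:26f0:780::210:ca08 200 chrome.exe -",
]

if __name__ == "__main__":
    for i, findings in triage_log(SAMPLE_LOG).items():
        for severity, reason in findings:
            print(f"line {i} [{severity}] {reason}")
```

The first sample line is the uncomfortable case from this report: host, path, and resolved IP all look legitimate, so only the file hash (or, on the endpoint, the installer's behaviour) flags it. The "unexpected IP" rule exists for the AitM hypothesis, but on its own it is a lead to correlate with passive DNS, not a verdict, because CDNs legitimately rotate addresses.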


MITRE ATT&CK TECHNIQUES

This table was built using version 12 of the MITRE ATT&CK framework.

Tactic | ID | Name | Description
Resource Development | T1583.004 | Acquire Infrastructure: Server | Evasive Panda acquired servers to be used for C&C infrastructure.
Resource Development | T1587.001 | Develop Capabilities: Malware | Evasive Panda develops its custom MgBot backdoor and plugins, including obfuscated loaders.
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | MgBot's installer launches the service from BAT files with the command net start AppMgmt.
Execution | T1106 | Native API | MgBot's installer uses the CreateProcessInternalW API to execute rundll32.exe to load the backdoor DLL.
Execution | T1569.002 | System Services: Service Execution | MgBot is executed as a Windows service.
Persistence | T1543.003 | Create or Modify System Process: Windows Service | MgBot replaces the path of the existing Application Management service DLL with its own.
Privilege Escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | MgBot performs a UAC bypass.
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | MgBot's installer decrypts an embedded CAB file that contains the backdoor DLL.
Defense Evasion | T1112 | Modify Registry | MgBot modifies the registry for persistence.
Defense Evasion | T1027 | Obfuscated Files or Information | MgBot's installer contains embedded malware files and encrypted strings. MgBot contains encrypted strings. MgBot plugins contain embedded DLL files.
Defense Evasion | T1055.002 | Process Injection: Portable Executable Injection | MgBot can inject Portable Executable files into remote processes.
Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | MgBot plugin module agentpwd.dll steals credentials from web browsers.
Credential Access | T1539 | Steal Web Session Cookie | MgBot plugin module Gmck.dll steals cookies.
Discovery | T1082 | System Information Discovery | MgBot collects system information.
Discovery | T1016 | System Network Configuration Discovery | MgBot has the capability to recover network information.
Discovery | T1083 | File and Directory Discovery | MgBot has the capability of creating file listings.
Collection | T1056.001 | Input Capture: Keylogging | MgBot plugin module kstrcs.dll is a keylogger.
Collection | T1560.002 | Archive Collected Data: Archive via Library | MgBot's plugin module sebasek.dll uses aPLib to compress files staged for exfiltration.
Collection | T1123 | Audio Capture | MgBot's plugin module pRsm.dll captures input and output audio streams.
Collection | T1119 | Automated Collection | MgBot's plugin modules capture data from various sources.
Collection | T1115 | Clipboard Data | MgBot's plugin module Cbmrpa.dll captures text copied to the clipboard.
Collection | T1025 | Data from Removable Media | MgBot's plugin module sebasek.dll collects files from removable media.
Collection | T1074.001 | Data Staged: Local Data Staging | MgBot's plugin modules stage data locally on disk.
Collection | T1114.001 | Email Collection: Local Email Collection | MgBot's plugin modules are designed to steal credentials and email information from several applications.
Collection | T1113 | Screen Capture | MgBot can capture screenshots.
Command and Control | T1095 | Non-Application Layer Protocol | MgBot communicates with its C&C through TCP and UDP protocols.
Exfiltration | T1041 | Exfiltration Over C2 Channel | MgBot performs exfiltration of collected data via C&C.

