

Rewterz Threat Alert – BluStealer Infostealer aka a310logger – Active IOCs
April 27, 2023
Rewterz Threat Alert – QBot Malware Campaign Leveraging Hijacked Business Correspondence – Active IOCs
April 28, 2023
Severity
High
Analysis Summary
Evasive Panda is a well-known Chinese APT group that has been active for several years and has previously targeted organizations and individuals in various countries. Their latest campaign, as reported by researchers, involved distributing malware through an automatic update for the Tencent QQ messaging app.
The campaign’s victims are members of an international NGO and located in specific provinces of China, suggesting that the attack was targeted and focused. This is a common tactic used by APT groups, where they conduct extensive reconnaissance on their targets before launching an attack.
According to the researchers, the attack chains are built to deliver a Windows installer for the MgBot malware. The activity started in November 2020 and continued throughout 2021. The delivery of the MgBot payload through a fake software update suggests that the attackers either had access to Tencent QQ’s update distribution servers or were able to intercept legitimate traffic between the software developer and its users. The researchers narrowed the explanation down to two scenarios: a supply-chain compromise and an adversary-in-the-middle (AitM) attack.
The first scenario, a supply-chain attack, involves attackers compromising a third-party vendor that has access to the target’s systems or network. In this case, the attackers could have compromised Tencent QQ’s update distribution servers to deliver the malicious payload (‘QQUrlMgr.exe’) under the guise of a legitimate update.
“It is also worth noting that during our research we were never able to retrieve a sample of the XML “update” data – neither a legitimate, nor a malicious, XML sample – from the server contacted by QQUrlMgr.exe. The “update check” URL is hardcoded, in obfuscated form, in the executable,” the researchers added.

In the AitM scenario, the similarities between the current Evasive Panda campaign and the LuoYu APT campaign identified by Kaspersky in 2022 suggest that the two attacks may be linked. In the earlier campaign, the attackers employed WinDealer malware that generated random IP addresses from China Telecom to perform AitM interception.
In the current Evasive Panda campaign, ESET noted that the malicious MgBot payload was delivered to victims via legitimate URLs and IP addresses belonging to Tencent QQ’s software developer, which could indicate AitM interception. The IP addresses used in the attack were found to be in the same ranges as those used in the earlier LuoYu APT campaign.
These similarities suggest that the same group or individuals may be behind both attacks. It is possible that the attackers behind the Evasive Panda campaign adapted their tactics to incorporate the AitM interception technique used by the LuoYu APT group.
“With access to ISP backbone infrastructure – through legal or illegal means – Evasive Panda would be able to intercept and reply to the update requests performed via HTTP, or even modify packets on the fly. In April 2023, researchers reported on Evasive Panda targeting a telecommunications organization in Africa.”
In conclusion, the Evasive Panda APT group has advanced technical capabilities and is using sophisticated attack methods to target specific regions and applications. It is crucial for potential targets to be aware of these threats and take appropriate measures to enhance their security posture, such as implementing multi-factor authentication, conducting regular security audits, and staying up-to-date with the latest security patches and updates. Additionally, it is recommended to monitor and restrict access to sensitive data, as well as to limit the use of third-party software and services, especially those with unclear or questionable security practices.
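Both scenarios described above succeed only if the update client trusts whatever answers its hardcoded HTTP update check. As an added example (not from the Rewterz alert or from ESET’s research), the Go program below models the client-side gate that stops a swapped or injected update: a manifest signed with the publisher’s pinned key, an HTTPS-only download URL, and a hash match on the installer bytes actually received. The manifest layout, the `updates.example.test` domain and the key pair are constructed stand-ins, not Tencent QQ’s real update protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is a hypothetical update manifest (not Tencent QQ's real format).
type Manifest struct{ URL, SHA256 string }

func HexSHA256(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// SignManifest is the publisher-side step: sign the manifest fields with the
// vendor's offline Ed25519 key so a client can reject a manifest injected on-path.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, []byte(m.URL+"\n"+m.SHA256))
}

// VerifyUpdate is the client-side gate before an installer runs: pinned-key
// signature, HTTPS-only URL, and a hash match on the bytes that were received.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig, installer []byte) error {
	if !ed25519.Verify(pub, []byte(m.URL+"\n"+m.SHA256), sig) {
		return errors.New("manifest signature invalid: not from the pinned publisher key")
	}
	if u, err := url.Parse(m.URL); err != nil || u.Scheme != "https" {
		return errors.New("update URL is not https: refusing plaintext update channel")
	}
	if HexSHA256(installer) != m.SHA256 {
		return errors.New("installer hash mismatch: payload differs from signed manifest")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stand-in for the vendor's key pair
	installer := []byte("constructed installer bytes")
	m := Manifest{URL: "https://updates.example.test/Setup.exe", SHA256: HexSHA256(installer)}
	sig := SignManifest(priv, m)
	fmt.Println("genuine update:", VerifyUpdate(pub, m, sig, installer))
	fmt.Println("swapped payload:", VerifyUpdate(pub, m, sig, []byte("replaced in transit")))
}
```

An on-path party that answers the update request cannot produce a valid signature without the publisher’s private key, and a plaintext `http://` manifest is refused even when correctly signed.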
Impact
- Sensitive Information Theft
- Credential Theft
- Keystrokes Logging
- Clipboard Data Gathering
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls.
- Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, code hardening should be implemented within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Ensure that all software, particularly software from third-party vendors, is obtained from trusted sources and that updates come from the vendor’s official website or app store.
- Conduct regular security assessments and audits of all software, especially those that handle sensitive data, to detect any suspicious activities.
- Implement multi-factor authentication and strong password policies to prevent unauthorized access to sensitive systems and data.
- Train employees on best practices for identifying and reporting suspicious activities, such as phishing emails or unusual network traffic.
- Deploy endpoint protection solutions with advanced threat detection capabilities to identify and block any malicious activities.
- Implement network segmentation and access controls to limit the spread of malware in case of a successful attack.
- Monitor network traffic and system logs to detect any unusual or suspicious activities, such as unauthorized file transfers or unusual process execution.
- Develop an incident response plan that outlines the steps to be taken in case of a successful attack, including how to isolate and contain the affected systems and how to communicate with stakeholders, such as customers and regulatory bodies.
By implementing these measures, organizations can reduce their risk of falling victim to a supply-chain attack like the one used by the Evasive Panda APT group. Additionally, it is essential to stay up to date with the latest security trends and threat intelligence and to continuously adapt and improve security measures to stay ahead of evolving threats.