August 5, 2024
Severity
High
Analysis Summary
In mid-2023, the China-affiliated threat actor Evasive Panda gained access to an unidentified ISP and used it to distribute malicious software upgrades to targeted businesses, demonstrating a newfound level of competence for the threat group.
Evasive Panda is a cyber-espionage APT group that has been operating since at least 2012. It also goes by the names Bronze Highland, Daggerfly, and StormBamboo and uses backdoors like MgBot (also known as POCOSTICK) and Nightdoor (also known as NetMM and Suzafk) to obtain sensitive data.
A macOS malware strain known as MACMA, which has been seen in the wild since 2021, was more recently attributed to the same threat actor. To reach its intended targets, Evasive Panda compromises third parties, in this case an ISP. Researchers found that the group invests heavily in its malware tooling: payloads for network appliances as well as for Windows and macOS are actively maintained.

Evasive Panda has been using MgBot to orchestrate supply chain and watering hole attacks against Tibetan users, as reported by researchers in public reports over the last two years. Additionally, it was discovered that MgBot was used to target a foreign non-governmental organization (NGO) in Mainland China through update channels for programs that were deemed genuine, such as Tencent QQ.
Although there was speculation that the trojanized updates resulted from an adversary-in-the-middle (AitM) attack or a supply-chain compromise of Tencent QQ's update servers, the investigation determined that they were in fact delivered through an ISP-level DNS poisoning attack. The threat actor alters DNS query responses for specific domains tied to automatic software update mechanisms. The attack targets applications that either use insecure update protocols, such as HTTP, or fail to perform sufficient integrity checks on the installers they download.
Evasive Panda was found to poison DNS responses for legitimate hostnames so that HTTP-based automatic update mechanisms fetched malware from attacker-controlled servers, which also acted as second-stage command-and-control (C2) servers. The attack chains are simple: depending on the victim's operating system, the hijacked update mechanism delivers either MgBot or MACMA. The researchers said they notified the relevant ISP in order to stop the DNS poisoning.
In one case, the Secure Preferences file on a victim's macOS device was modified to enable a Google Chrome extension. Although the extension claims to be a tool that loads pages in Internet Explorer compatibility mode, its real purpose is to steal browser cookies and exfiltrate them to an attacker-controlled Google Drive account. By intercepting DNS requests and answering them with malicious IP addresses, the attacker can subvert any automatic update mechanism that uses HTTP rather than HTTPS.
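The following is an added example, not code from the advisory or from any of the tools it names. It simulates the failure mode described above: an updater that fetches over plain HTTP and installs whatever comes back is defeated the moment an upstream resolver is poisoned, while an updater that pins HTTPS and checks the download against a digest from a trusted manifest rejects the swapped payload. All hostnames, addresses, payloads and the manifest are constructed for the demonstration; in a real updater the manifest itself would be signed, and TLS certificate validation (not modelled here) would also break a poisoned resolution.

```python
"""Added example (not from the advisory): why an HTTP update channel without an
integrity check falls to ISP-level DNS poisoning, and how scheme pinning plus
digest verification from a trusted manifest closes the gap.
All values below are constructed for the demonstration."""
import hashlib
from urllib.parse import urlparse

# Constructed "internet": what each server returns for the update file.
GENUINE_UPDATE = b"genuine-update-v2.bin"
TROJANIZED_UPDATE = b"trojanized-update-v2.bin"
SERVERS = {
    "203.0.113.10": GENUINE_UPDATE,     # vendor's real update host (TEST-NET-3, constructed)
    "198.51.100.7": TROJANIZED_UPDATE,  # attacker-controlled host (TEST-NET-2, constructed)
}

# Hypothetical manifest shipped out-of-band with the product. A real updater
# would verify a signature over this manifest before trusting its contents.
TRUSTED_MANIFEST = {
    "version": "2",
    "url": "https://updates.example-vendor.test/v2.bin",
    "sha256": hashlib.sha256(GENUINE_UPDATE).hexdigest(),
}


def honest_resolver(hostname):
    """Resolver returning the vendor's real address."""
    return "203.0.113.10"


def poisoned_resolver(hostname):
    """Resolver whose answers an upstream (ISP-level) attacker has altered."""
    return "198.51.100.7"


def fetch(url, resolve):
    """Simulated download: resolve the host, then take the bytes that server offers.
    TLS is not modelled, so the digest check is the only defence exercised here."""
    host = urlparse(url).hostname
    return SERVERS[resolve(host)]


def weak_update(resolve):
    """Fetches over plain HTTP and installs whatever arrives: no integrity check."""
    return fetch("http://updates.example-vendor.test/v2.bin", resolve)


def hardened_update(resolve, manifest=TRUSTED_MANIFEST):
    """Refuses non-HTTPS URLs and rejects any payload whose SHA-256 differs
    from the digest in the trusted manifest."""
    if urlparse(manifest["url"]).scheme != "https":
        raise ValueError("update URL must use HTTPS")
    payload = fetch(manifest["url"], resolve)
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        raise ValueError("update integrity check failed: digest mismatch")
    return payload


def outcome(updater, resolve):
    """Classify what an updater ends up installing under a given resolver."""
    try:
        payload = updater(resolve)
    except ValueError as exc:
        return "rejected: " + str(exc)
    return "installed genuine" if payload == GENUINE_UPDATE else "installed trojanized"


if __name__ == "__main__":
    for name, updater in (("weak", weak_update), ("hardened", hardened_update)):
        for rname, resolver in (("honest", honest_resolver), ("poisoned", poisoned_resolver)):
            print(f"{name:8} updater, {rname:8} resolver -> {outcome(updater, resolver)}")
```

The point of the comparison is that the weak updater has no way to tell the two servers apart, because it trusts the transport and the resolver completely. The hardened updater trusts neither: the digest in the shipped manifest is the root of trust, and the download is only a delivery channel.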
Impact
- Sensitive Data Theft
- Unauthorized Access
- Cyber Espionage
Indicators of Compromise
IP
- 103.96.130.107
MD5
- 4c8a326899272d2fe30e818181f6f67f
SHA-256
- b77bcfb036f5a6a3973fdd68f40c0bd0b19af1246688ca4b1f9db02f2055ef9d
SHA-1
- e8e4a3fa69173a46cdb60c53877c7ad557accc51
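As an added example (not part of the advisory), the indicators listed above can be swept against DNS, proxy and endpoint logs with a short script. The indicator values are the ones published in this advisory; the log lines, hostnames and internal addresses are constructed for the demonstration, and the log formats are hypothetical.

```python
"""Added example (not from the advisory): sweep log lines for the IoCs above.
Indicator values come from the advisory; the sample log lines are constructed."""
import re

IOCS = {
    "ip": {"103.96.130.107"},
    "md5": {"4c8a326899272d2fe30e818181f6f67f"},
    "sha1": {"e8e4a3fa69173a46cdb60c53877c7ad557accc51"},
    "sha256": {"b77bcfb036f5a6a3973fdd68f40c0bd0b19af1246688ca4b1f9db02f2055ef9d"},
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX_RE = re.compile(r"\b[0-9a-fA-F]{32,64}\b")
HASH_TYPE_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

# Constructed sample lines: a resolver log, an HTTP proxy log and an EDR file event.
# Line 1 shows the shape of the finding described in this advisory: a legitimate
# update hostname answered with the listed IP, followed by a plain-HTTP fetch.
SAMPLE_LOGS = [
    "2024-08-05T10:02:11Z dns client=10.0.0.23 query=updates.example-vendor.test answer=103.96.130.107",
    "2024-08-05T10:02:12Z proxy src=10.0.0.23 dst=103.96.130.107:80 method=GET uri=/update/v2.bin",
    "2024-08-05T10:02:15Z edr host=ws-23 event=file_write path=C:\\Temp\\v2.bin sha256=b77bcfb036f5a6a3973fdd68f40c0bd0b19af1246688ca4b1f9db02f2055ef9d",
    "2024-08-05T10:03:00Z proxy src=10.0.0.41 dst=198.51.100.20:443 method=GET uri=/",
    "2024-08-05T10:03:05Z edr host=ws-41 event=file_write path=/tmp/notes.txt md5=d41d8cd98f00b204e9800998ecf8427e",
]


def extract_candidates(line):
    """Yield (kind, value) for every IPv4 address and hex digest found in a line."""
    for m in IP_RE.finditer(line):
        yield ("ip", m.group(0))
    for m in HEX_RE.finditer(line):
        kind = HASH_TYPE_BY_LEN.get(len(m.group(0)))
        if kind:
            yield (kind, m.group(0).lower())


def sweep(lines, iocs=IOCS):
    """Return (line_number, kind, value) for each candidate that matches an IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, value in extract_candidates(line):
            if value in iocs.get(kind, ()):
                hits.append((n, kind, value))
    return hits


if __name__ == "__main__":
    for n, kind, value in sweep(SAMPLE_LOGS):
        print(f"line {n}: {kind} match {value}")
```

Only exact matches on the published indicators are reported; internal addresses and unrelated digests in the same lines are ignored. Feed real logs in as an iterable of strings, and extend IOCS with the DNS answer tuples from your own resolver if you want to flag the update hostname itself rather than just the address it resolved to.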
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, code hardening should be implemented within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Ensure that all software, particularly software from third-party vendors, is obtained from trusted sources and that updates come from the vendor's official website or app store.
- Conduct regular security assessments and audits of all software, especially those that handle sensitive data, to detect any suspicious activities.
- Implement multi-factor authentication and strong password policies to prevent unauthorized access to sensitive systems and data.
- Train employees on best practices for identifying and reporting suspicious activities, such as phishing emails or unusual network traffic.
- Deploy endpoint protection solutions with advanced threat detection capabilities to identify and block any malicious activities.
- Implement network segmentation and access controls to limit the spread of malware in case of a successful attack.
- Monitor network traffic and system logs to detect any unusual or suspicious activities, such as unauthorized file transfers or unusual process execution.
- Develop an incident response plan that outlines the steps to be taken in case of a successful attack, including how to isolate and contain the affected systems and how to communicate with stakeholders, such as customers and regulatory bodies.