Severity
High
Analysis Summary
An improved collection of malware tools has been used by Evasive Panda, a Beijing-affiliated state-sponsored threat group, to attack organizations in Taiwan and a U.S. non-governmental organization (NGO) established in China.
The campaign indicates that the group also carries out internal espionage. In the attack on the NGO, the attackers delivered the MgBot malware by exploiting a flaw in the Apache HTTP Server. Evasive Panda, also tracked as Bronze Highland and Daggerfly, had previously been seen collecting intelligence on telecom service providers in Africa using the MgBot modular malware framework, and it has reportedly been active since 2012.
It seems that Evasive Panda adapts to being discovered by rapidly changing its arsenal so that its espionage operations continue with minimal disruption. The latest wave of attacks is distinguished by a new malware family based on MgBot and by an enhanced variant of MACMA, a known Apple macOS malware first disclosed by Google's Threat Analysis Group (TAG) in November 2021. MACMA was distributed through watering hole attacks that exploited vulnerabilities in the Safari browser to target internet users in Hong Kong.
This is the first time the malware strain, which can execute arbitrary commands and gather sensitive information, has been directly tied to a specific threat group. At the very least, the operators behind macOS.MACMA were recycling code from ELF/Android developers, and it is possible that they were also using malware to infect Android phones.
MACMA is further linked to Evasive Panda by source code overlaps with MgBot and by the fact that MACMA communicates with a command-and-control (C2) server that has also been used by an MgBot dropper. Another new addition to its arsenal is Nightdoor (also known as NetMM and Suzafk), an implant that uses the Google Drive API for C2 and has been used in watering hole attacks against Tibetan users since at least September 2023.
The group is able to build versions of its tools for most major operating systems. Researchers have seen evidence of its capacity to trojanize malware families targeting Solaris OS, SMS interception tools, DNS request interception tools, and Android APKs. The discovery coincides with China's National Computer Virus Emergency Response Center (CVERC) asserting that Volt Typhoon, which the Five Eyes countries have linked to an espionage cell with a China nexus, was a fabrication of American intelligence agencies, and characterizing it as a misinformation campaign.
Impact
- Cyber Espionage
- Command Execution
- Sensitive Data Theft
Indicators of Compromise
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Enable antivirus and anti-malware software and update signature definitions promptly. Using multi-layered protection is necessary to secure vulnerable assets.
- Along with network and system hardening, code hardening should be implemented within the organization so that its websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed code.
- Ensure that all software, particularly that from third-party vendors, is obtained from trusted sources and that updates are obtained from the vendor's official website or app store.
- Conduct regular security assessments and audits of all software, especially those that handle sensitive data, to detect any suspicious activities.
- Implement multi-factor authentication and strong password policies to prevent unauthorized access to sensitive systems and data.
- Train employees on best practices for identifying and reporting suspicious activities, such as phishing emails or unusual network traffic.
- Deploy endpoint protection solutions with advanced threat detection capabilities to identify and block any malicious activities.
- Implement network segmentation and access controls to limit the spread of malware in case of a successful attack.
- Monitor network traffic and system logs to detect any unusual or suspicious activities, such as unauthorized file transfers or unusual process execution.
- Develop an incident response plan that outlines the steps to be taken in case of a successful attack, including how to isolate and contain the affected systems and how to communicate with stakeholders, such as customers and regulatory bodies.
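A sweep for the two indicator types this advisory lists (C2 IP addresses and MD5/SHA1/SHA-256 file hashes), as an added example that is not part of the advisory; the indicator values, log lines and file paths in it are constructed placeholders to be replaced with the advisory's own lists.

```python
import hashlib
import re
from pathlib import Path

# Constructed placeholder indicators (not the advisory's own values); in
# practice load the advisory's IP and MD5/SHA1/SHA-256 lists into these sets.
IOC_IPS = {"203.0.113.10", "198.51.100.7"}
IOC_HASHES = {"9e107d9d372bb6826bd81d3542a419d6"}  # lowercase hex, any of the three algorithms

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def digests_of_chunks(chunks):
    """Hash a stream of byte chunks once, returning (md5, sha1, sha256) hex digests."""
    hashers = (hashlib.md5(), hashlib.sha1(), hashlib.sha256())
    for chunk in chunks:
        for h in hashers:
            h.update(chunk)
    return tuple(h.hexdigest() for h in hashers)

def file_digests(path, chunk_size=1 << 20):
    """Digest a file in chunks so large binaries are not read into memory at once."""
    with open(path, "rb") as fh:
        return digests_of_chunks(iter(lambda: fh.read(chunk_size), b""))

def sweep_files(root, ioc_hashes=IOC_HASHES):
    """Walk a directory tree; return (path, matching digest) for every hit."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            matches = [d for d in file_digests(p) if d in ioc_hashes]
        except OSError:
            continue  # unreadable file: skip it rather than abort the sweep
        hits.extend((str(p), d) for d in matches)
    return hits

def sweep_log_lines(lines, ioc_ips=IOC_IPS):
    """Return (line_number, ip) for each log line that mentions an indicator IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend((n, ip) for ip in IPV4_RE.findall(line) if ip in ioc_ips)
    return hits

# Constructed sample proxy log lines; only the second one contacts an indicator IP.
SAMPLE_LOG = [
    "2024-07-24T10:01:02Z host1 proxy CONNECT 93.184.216.34:443 200",
    "2024-07-24T10:03:15Z host2 proxy CONNECT 203.0.113.10:443 200",
    "2024-07-24T10:04:40Z host1 proxy GET 10.0.0.5:80 304",
]

if __name__ == "__main__":
    print("log hits:", sweep_log_lines(SAMPLE_LOG))
    print("file hits:", sweep_files("."))
```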