Evasive Panda's Backdoor MgBot Delivered Via Chinese Software Updates

Written by

Security researchers at ESET have observed a new malware campaign by the APT group known as Evasive Panda (as well as Daggerfly and Bronze Highland), relying on a custom backdoor known as MgBot.

“To the best of our knowledge, the backdoor has not been used by any other group,” wrote ESET security intelligence analyst and malware researcher Facundo Muñoz in an advisory published today. “In this cluster of malicious activity, only the MgBot malware was observed deployed on victimized machines, along with its toolkit of plugins.”

The new campaign was first discovered by ESET in January 2022, but further investigation showed malicious activity connected with the threat actor was detected as far back as 2020.

“Chinese users were the focus of this malicious activity, which ESET telemetry shows starting in 2020 and continuing throughout 2021,” Muñoz explained. “The majority of the Chinese victims are members of an international NGO.”

During its investigation, The ESET team discovered that a genuine application software component secretly downloaded MgBot backdoor installers from URLs and IP addresses while updating automatically.

“When we analyzed the likelihood of several methods that could explain how the attackers managed to deliver malware through legitimate updates, we were left with two scenarios: supply-chain compromise and adversary-in-the-middle attacks,” Muñoz wrote. 

As for MgBot, the ESET security expert said it is the primary Windows backdoor used by Evasive Panda.

“It was developed in C++ with an object-oriented design and has the capabilities to communicate via TCP and UDP and extend its functionality via plugin modules.”

The list of modules (DLL files) includes the Kstrcs keylogger, the sebasek file stealer, the Cbmrpa clipboard logger, the pRsm audio stream capturer, the mailLFPassword and agentpwd credential stealers, the qmsdp Tencent QQ database stealer, the wcdbcrk Tencent WeChat information stealer, and the Gmck cookies stealer.

Read more on modular malware here: Modular “AlienFox” Toolkit Used to Steal Cloud Service Credentials

“The majority of the plugins are designed to steal information from highly popular Chinese applications such as QQ, WeChat, QQBrowser, and Foxmail – all of them applications developed by Tencent,” Muñoz added.

More information about each of the modules is available in the advisory. Its publication comes days after Symantec published a separate analysis detailing an Evasive Panda campaign targeting an African telecoms firm.

What’s hot on Infosecurity Magazine?