The Chinese Advanced Persistent Threat (APT) hacking group known as Evasive Panda has been linked to a cyber attack that distributed MgBot malware via an automatic update for the Tencent QQ messaging app.
Evasive Panda has been active since at least 2012 and has targeted organizations and individuals in mainland China, Hong Kong, Macao, Nigeria, and various Southeast and East Asian countries. ESET, a cybersecurity company, discovered the group’s latest campaign in January 2022 and believes that the operation began in 2020.
The victims of the campaign are mostly members of an international non-governmental organization (NGO) located in the provinces of Gansu, Guangdong, and Jiangsu, indicating focused targeting.
The MgBot malware was delivered to victims as a Tencent QQ software update from legitimate URLs and IP addresses belonging to the software developer, which means the attack was either a supply chain attack or an adversary-in-the-middle (AITM) attack.
In the former scenario, Evasive Panda would have to breach Tencent QQ’s update distribution servers to trojanize the ‘QQUrlMgr.exe’ file delivered to victims under the guise of a legitimate software update.
The latter scenario would involve the use of random IP addresses to perform AITM or attacker-on-the-side interception. ESET noted similarities with past campaigns that employed the AITM tactic, including one of the LuoYu APT that Kaspersky highlighted in a 2022 report.
The MgBot malware delivered in this campaign is a C++ Windows backdoor that Evasive Panda has used since 2012. The malware’s installer, backdoor, functionality, and execution chain have remained largely unchanged since 2020.
MgBot uses a modular architecture to extend its functionality, receiving DLL plugins from the C2 that perform specialized functions, such as keylogging on specific Tencent apps, stealing files from hard drives and USB pen drives, capturing text copied to the clipboard, capturing input and output audio streams, stealing credentials from Outlook and Foxmail email clients, and stealing cookies from Firefox, Chrome, and Edge.
This attack demonstrates Evasive Panda’s advanced capabilities and the need for greater vigilance from potential targets. The attack targeted Chinese users, primarily focusing on stealing data from Chinese apps, which indicates a broader geopolitical context to the attack.
ESET could not find evidence pointing clearly to either delivery scenario, and many questions remain unanswered, highlighting the importance of further investigation and attribution.