
A China-linked Advanced Persistent Threat (APT) group has been implicated in targeted cyber espionage operations. In this campaign, the adversaries poisoned Domain Name System (DNS) responses to deliver the group’s signature MgBot backdoor in attacks on victims in Türkiye, China, and India.
Kaspersky said the activity was observed from November 2022 to November 2024. The activity is said to be associated with a hacking group called Evasive Panda, which is tracked as Bronze Highland, Daggerfly, and StormBamboo. It is believed to have been active since at least 2012.
“The group mainly carried out adversary-in-the-middle (AitM) attacks against specific victims,” Kaspersky researcher Fatih Şensoy said in a detailed analysis. “These included techniques to drop loaders in specific locations or store encrypted portions of the malware on attacker-controlled servers, which were resolved in response to DNS requests for specific websites.”
This is not the first time that Evasive Panda’s DNS poisoning capabilities have surfaced. ESET noted that in attacks targeting international non-governmental organizations (NGOs) in mainland China dating back to April 2023, the threat actors may have conducted supply chain compromises or AitM attacks to deliver Trojanized versions of legitimate applications such as Tencent QQ.
In August 2024, a Volexity report revealed how the attackers used DNS poisoning to compromise an unnamed internet service provider (ISP) and push malicious software updates to their intended targets.

Evasive Panda is also one of many China-aligned threat activity clusters that rely on AitM attacks to distribute malware. In an analysis last month, ESET said it was tracking 10 active Chinese groups that used the technique for initial access and lateral movement, including LuoYu, BlackTech, TheWizards APT, Blackwood, PlushDaemon, and Font Goblin.
Attacks documented by Kaspersky Lab have been found to use decoys disguised as updates to third-party software, such as SohuVA, the video streaming service from the Chinese internet company Sohu. The malicious update is delivered from the domain p2p.hd.sohu.com[.]cn, which may indicate a DNS poisoning attack.
“An attacker may have used a DNS poisoning attack to modify the DNS response for p2p.hd.sohu.com[.]cn to the IP address of the attacker-controlled server, while the legitimate update module of the SohuVA application tries to update the binaries located at appdata\roaming\shapp\7.0.18.0\package,” Şensoy explained.
The Russian cybersecurity vendor said it also identified other Evasive Panda campaigns that used fake updaters for Baidu’s iQIYI Video, IObit Smart Defrag, and Tencent QQ.
This attack paves the way for the deployment of an initial loader that launches shellcode, which in turn retrieves the encrypted second-stage shellcode in the form of a PNG image file, again through DNS poisoning of the legitimate website dictionaries[.]com.

By manipulating the IP addresses associated with dictionaries[.]com, Evasive Panda allegedly caused the victim’s system to resolve the site to attacker-controlled addresses that varied with the victim’s geographic location and internet service provider.
At this time, it is unclear how the attacker is poisoning the DNS responses, but two scenarios are possible: either the victim’s ISP was selectively targeted and compromised and some kind of network implant was installed on an edge device, or the victim’s router or firewall was hacked for this purpose.
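The location- and ISP-dependent poisoning described above leaves a footprint a defender can look for: the answer the victim’s normal resolver returns for an update domain differs from what the same domain resolves to from vantage points outside the suspect path. The script below is an added example, not code from Kaspersky or from the article; it compares answers from a local resolver against several out-of-band reference resolvers and flags domains where the local answer never appears in the reference set. The resolver labels, observations and IP addresses are constructed placeholders (documentation ranges), and the two watched domains are the ones the article names.

```python
"""
Added example (not from the Kaspersky report or the article): a defender-side
DNS consistency check for the poisoning scenario described above.

Idea: resolve the update domains from the local resolver (the path an ISP-level
or edge-device implant could tamper with) and from reference resolvers reached
out of band (e.g. over DoH/DoT or a different uplink), then flag any domain whose
local answer is absent from every reference answer. All resolver labels and
addresses below are constructed placeholders.
"""
from collections import defaultdict
import ipaddress

# Update domains the article names as poisoning targets, written undefanged so
# they can serve as lookup keys.
WATCHED_DOMAINS = ("p2p.hd.sohu.com.cn", "dictionaries.com")

# Constructed sample: (domain, resolver label, answered IP). "local" is the
# resolver on the victim's normal network path; "ref-*" are out-of-band
# reference resolvers. The addresses are RFC 5737 documentation ranges.
SAMPLE_OBSERVATIONS = [
    ("p2p.hd.sohu.com.cn", "local", "203.0.113.10"),   # differs from all refs
    ("p2p.hd.sohu.com.cn", "ref-a", "198.51.100.21"),
    ("p2p.hd.sohu.com.cn", "ref-b", "198.51.100.21"),
    ("p2p.hd.sohu.com.cn", "ref-c", "198.51.100.22"),
    ("dictionaries.com", "local", "192.0.2.50"),        # agrees with ref-a
    ("dictionaries.com", "ref-a", "192.0.2.50"),
    ("dictionaries.com", "ref-b", "192.0.2.51"),
    ("example.net", "local", "192.0.2.80"),             # only one reference
    ("example.net", "ref-a", "192.0.2.81"),
]


def group_answers(observations):
    """Map domain -> resolver label -> set of answered IPs (normalised)."""
    answers = defaultdict(lambda: defaultdict(set))
    for domain, resolver, ip in observations:
        addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
        answers[domain.lower().rstrip(".")][resolver].add(str(addr))
    return answers


def find_suspect_resolutions(observations, local_resolver="local", min_reference=2):
    """
    Return (suspect, insufficient).

    suspect:      {domain: {"local": [...], "reference": [...]}} for domains where
                  at least one local answer appears in no reference answer.
    insufficient: domains that lack a local answer or fewer than min_reference
                  reference resolvers, so no verdict is attempted.
    """
    answers = group_answers(observations)
    suspect, insufficient = {}, []
    for domain, by_resolver in answers.items():
        local = by_resolver.get(local_resolver, set())
        refs = {r: ips for r, ips in by_resolver.items() if r != local_resolver}
        if not local or len(refs) < min_reference:
            insufficient.append(domain)
            continue
        reference = set().union(*refs.values())
        divergent = local - reference
        if divergent:
            suspect[domain] = {"local": sorted(divergent), "reference": sorted(reference)}
    return suspect, insufficient


if __name__ == "__main__":
    flagged, skipped = find_suspect_resolutions(SAMPLE_OBSERVATIONS)
    for domain, detail in flagged.items():
        tag = "watched" if domain in WATCHED_DOMAINS else "other"
        print(f"SUSPECT ({tag}): {domain} local={detail['local']} reference={detail['reference']}")
    for domain in skipped:
        print(f"insufficient data: {domain}")
```

A divergent answer is a lead, not a verdict: CDNs and geo-DNS legitimately return different addresses per vantage point, so the check is most reliable for update domains whose publisher’s address ranges are known and can be added as an allowlist, and any hit should be confirmed by inspecting what the returned host actually serves.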
The HTTP request to retrieve the second stage shellcode also includes the current Windows version number. This could be an attempt by the attacker to target specific operating system versions and adapt their strategy based on the operating system being used. It is worth noting that Evasive Panda has previously used watering hole attacks to distribute Apple macOS malware codenamed MACMA.
The exact nature of the second-stage payload is unknown, but Kaspersky Lab’s analysis indicates that the first-stage shellcode decrypts and executes the retrieved payload. Kaspersky assesses that the attackers generate a second encrypted shellcode file that is unique to each victim as a way to evade detection.

A key aspect of this operation is the use of a secondary loader (‘libpython2.4.dll’) that is sideloaded by a renamed older version of ‘python.exe’. Once launched, it reads the contents of a file named “C:\ProgramData\Microsoft\eHome\perf.dat” to load and decrypt the next stage of the malware. This file contains the payload retrieved in the previous step.
“The attackers appear to have used a complex process to obtain this stage from resources that were initially XOR-encrypted,” Kaspersky said. “The attacker then decrypted this stage with XOR, then encrypted it using a custom hybrid of Microsoft’s Data Protection Application Programming Interface (DPAPI) and the RC5 algorithm and stored it in perf.dat.”
The use of custom encryption algorithms is considered an attempt to complicate analysis by ensuring that encrypted data can only be decrypted on the specific system on which the encryption was originally performed, blocking any efforts to intercept and analyze the malicious payload.
The decrypted code is a variant of MgBot that the secondary loader injects into the legitimate “svchost.exe” process. A modular implant, MgBot can collect files, log keystrokes, collect clipboard data, record audio streams, and steal credentials from web browsers. This allows the malware to remain silently present on a compromised system for an extended period of time.
“The Evasive Panda threat actor has once again demonstrated its advanced capabilities, persisting on target systems for extended periods of time and using new techniques and tools to evade security measures,” Kaspersky said.
