A China-linked advanced persistent threat (APT) group has been attributed to a highly targeted cyber espionage campaign in which the adversary poisoned Domain Name System (DNS) requests to deliver its signature MgBot backdoor in attacks targeting victims in Türkiye, China, and India.
The activity, Kaspersky said, was observed between November 2022 and November 2024. It has been linked to a hacking group known as Evasive Panda, which is also tracked as Bronze Highland, Daggerfly, and StormBamboo. It is assessed to have been active since at least 2012.
"The group primarily carried out adversary-in-the-middle (AitM) attacks on specific victims," Kaspersky researcher Fatih Şensoy said in a deep-dive analysis. "These included techniques such as dropping loaders into specific locations and storing encrypted components of the malware on attacker-controlled servers, which were resolved as a response to specific website DNS requests."
This is not the first time Evasive Panda's DNS poisoning capabilities have come to the fore. As far back as April 2023, ESET noted that the threat actor may have either carried out a supply chain compromise or an AitM attack to serve trojanized versions of legitimate applications like Tencent QQ in an attack targeting an international non-governmental organization (NGO) in Mainland China.
In August 2024, a report from Volexity revealed how the threat actor compromised an unnamed internet service provider (ISP) through a DNS poisoning attack to push malicious software updates to targets of interest.
Evasive Panda is also one of many China-aligned threat activity clusters that have relied on AitM poisoning for malware distribution. In an analysis last month, ESET said it is tracking 10 active groups from China that have leveraged the technique for initial access or lateral movement, including LuoYu, BlackTech, TheWizards APT, Blackwood, PlushDaemon, and FontGoblin.
In the attacks documented by Kaspersky, the threat actor has been found to use lures that masquerade as updates for third-party software, such as SohuVA, a video streaming service from the Chinese internet company Sohu. The malicious update is delivered from the domain "p2p.hd.sohu.com[.]cn," likely indicating a DNS poisoning attack.
"There is a possibility that the attackers used a DNS poisoning attack to modify the DNS response of p2p.hd.sohu.com[.]cn to an attacker-controlled server's IP address, while the genuine update module of the SohuVA application tries to update its binaries located in appdata\roaming\shapp\7.0.18.0\package," Şensoy explained.
The Russian cybersecurity vendor said it also identified other campaigns in which Evasive Panda used a fake updater for Baidu's iQIYI Video, as well as IObit Smart Defrag and Tencent QQ.
The attack paves the way for the deployment of an initial loader that is responsible for launching shellcode that, in turn, fetches an encrypted second-stage shellcode in the form of a PNG image file, again via DNS poisoning from the legitimate website dictionary[.]com.
Evasive Panda is said to have manipulated the IP address associated with dictionary[.]com, causing victim systems to resolve the website to an attacker-controlled IP address based on their geographical location and internet service provider.
It is currently not known how the threat actor is poisoning DNS responses. Two possible scenarios are suspected: either the ISPs used by the victims were selectively targeted and compromised to install some kind of network implant on edge devices, or a router or firewall used by the victims was hacked for this purpose.
The HTTP request to obtain the second-stage shellcode also contains the current Windows version number. This is likely an attempt on the part of the attackers to target specific operating system versions and adapt their strategy based on the operating system used. It is worth noting that Evasive Panda has previously leveraged watering hole attacks to distribute an Apple macOS malware codenamed MACMA.
The exact nature of the second-stage payload is unclear, but Kaspersky's analysis shows that the first-stage shellcode decrypts and runs the retrieved payload. It is assessed that the attackers generate a unique encrypted second shellcode file for each victim as a way to bypass detection.
A crucial aspect of the operations is the use of a secondary loader ("libpython2.4.dll") that relies on a renamed, older version of "python.exe" to be sideloaded. Once launched, it downloads and decrypts the next-stage malware by reading the contents of a file named "C:\ProgramData\Microsoft\eHome\perf.dat." This file contains the decrypted payload downloaded in the previous step.
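A defender's detection check for the loader chain just described, written here as an added example rather than Kaspersky's own code: it walks Sysmon-style process-create, image-load and file-create events and flags a process that runs as a renamed python.exe, loads libpython2.4.dll, or writes perf.dat under C:\ProgramData\Microsoft\eHome, reporting only processes that show at least two of these traits. The event records are constructed for illustration; the field names follow Sysmon conventions.

```python
# Constructed Sysmon-style events (not real telemetry): EID 1 = process create,
# EID 7 = image load, EID 11 = file create. PID 4120 mimics the chain from the
# article; PID 5000 is a benign Python install that must not be flagged.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "OriginalFileName": "python.exe"},
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\libpython2.4.dll"},
    {"EventID": 11, "ProcessId": 4120, "Image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\eHome\perf.dat"},
    {"EventID": 1, "ProcessId": 5000, "Image": r"C:\Python27\python.exe",
     "OriginalFileName": "python.exe"},
    {"EventID": 7, "ProcessId": 5000, "Image": r"C:\Python27\python.exe",
     "ImageLoaded": r"C:\Python27\python27.dll"},
]

PERF_DAT = r"c:\programdata\microsoft\ehome\perf.dat"


def basename(path):
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_sideload_chain(events, min_hits=2):
    """Group events by PID and return processes showing at least min_hits traits
    of the renamed-python.exe / libpython2.4.dll / perf.dat loader chain."""
    findings = {}
    for ev in events:
        f = findings.setdefault(ev["ProcessId"], {"image": ev["Image"], "hits": []})
        eid = ev["EventID"]
        # Trait 1: PE version resource says python.exe but the file was renamed.
        if (eid == 1 and ev.get("OriginalFileName", "").lower() == "python.exe"
                and basename(ev["Image"]) != "python.exe"):
            f["hits"].append("renamed python.exe")
        # Trait 2: the sideloaded secondary loader DLL named in the report.
        if eid == 7 and basename(ev.get("ImageLoaded", "")) == "libpython2.4.dll":
            f["hits"].append("loaded libpython2.4.dll")
        # Trait 3: staging file used to hand the decrypted payload to the loader.
        if eid == 11 and ev.get("TargetFilename", "").lower() == PERF_DAT:
            f["hits"].append("wrote eHome\\perf.dat")
    return {pid: f for pid, f in findings.items() if len(f["hits"]) >= min_hits}


if __name__ == "__main__":
    for pid, f in find_sideload_chain(SAMPLE_EVENTS).items():
        print(pid, f["image"], "->", ", ".join(f["hits"]))
```

Requiring two traits keeps a lone legitimate Python 2.4 install from tripping the rule; tune min_hits to the noise level of the environment.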
"It appears that the attacker used a complex process to obtain this stage from a resource, where it was initially XOR-encrypted," Kaspersky said. "The attacker then decrypted this stage with XOR and subsequently encrypted and saved it to perf.dat using a custom hybrid of Microsoft's Data Protection Application Programming Interface (DPAPI) and the RC5 algorithm."
The use of a custom encryption scheme is seen as an attempt to complicate analysis by ensuring that the encrypted data can only be decoded on the specific system where the encryption was originally performed, and to block any efforts to intercept and analyze the malicious payload.
The decrypted code is an MgBot variant that is injected by the secondary loader into a legitimate "svchost.exe" process. A modular implant, MgBot is capable of harvesting files, logging keystrokes, gathering clipboard data, recording audio streams, and stealing credentials from web browsers. This allows the malware to maintain a stealthy presence on compromised systems for long periods of time.
"The Evasive Panda threat actor has once again showcased its advanced capabilities, evading security measures with new techniques and tools while maintaining long-term persistence in targeted systems," Kaspersky said.