China's 'Evasive Panda' Hijacks Software Updates to Deliver Custom Backdoor

A Chinese advanced persistent threat (APT) group is hijacking legitimate application update channels for software developed by Chinese companies in order to deliver custom malware.

The attacks have targeted individuals in China and Nigeria in a campaign that's been ongoing for two years. The malicious activity is aimed at stealing credentials and data for cyber-espionage purposes, researchers from Eset have found.

In January, researchers observed the Evasive Panda APT delivering the installer for the group's flagship backdoor, MgBot malware, to a Chinese nongovernmental organization, they revealed in a blog post published April 26.

"During our investigation, we discovered that when performing automated updates, a legitimate application software component downloaded MgBot backdoor installers from legitimate URLs and IP addresses," Facundo Munoz, an Eset security intelligence analyst and malware researcher, wrote in the post.

The malicious activity has targeted mainly Chinese users in the Gansu, Guangdong, and Jiangsu provinces, as well as one user in Nigeria.

As researchers have never observed any other threat actors using the MgBot backdoor — a modular malware that allows Evasive Panda to spy on victims and enhance its capabilities on the go — it was fairly easy to attribute the activity to the Chinese APT, they said.

How Did They Pull It Off?

Though it's not unprecedented, it is unusual and fairly complex to deliver malware through a legitimate software update channel, the researchers said. At this time, they remain inconclusive about how Evasive Panda did it.

However, they narrowed down their speculation to two possible scenarios: supply chain compromise or an adversary-in-the-middle (AitM) attack, the researchers said. They analyzed both types of activity from the Evasive Panda campaign, and similarities to other attacks to come to these conclusions, the researchers said.

For the supply chain scenario, Eset analyzed one of the updaters for which they detected the highest number of malware samples, the updater for a popular Chinese chat and social media service, the Tencent QQ Windows client.

"Given the targeted nature of the attacks, we speculate that attackers would have needed to compromise the QQ update servers to introduce a mechanism to identify the targeted users to deliver them the malware, filtering out non-targeted users and delivering them legitimate updates," Munoz wrote. Indeed, the researchers observed legitimate updates were downloaded through the same abused protocols.

The researchers compared this possible scenario to a previous case they examined in which attackers compromised the update servers of a software development company based in Hong Kong to deliver both legitimate updates of software called BigNox as well as malicious payloads, to specific users. A similar scenario may have occurred in the case of Evasive Panda's delivery of MgBot, the researchers said.

For the AitM scenarios, researchers cited a report by Kaspersky published last June about the capabilities of the Chinese-speaking LuoYu APT group, which delivered its WinDealer malware through legitimate app updates.

In that case, the researchers realized that instead of carrying a list of established command-and-control servers to contact in case of a successful compromise, the attack generated random IP addresses in the 13.62.0.0/15 and 111.120.0.0/14 ranges from China Telecom AS4134.

There was a similar, albeit small, coincidence in the recent activity by Evasive Panda that researchers observed, they said, with "the IP addresses of the targeted Chinese users at the time of receiving the MgBot malware were on the AS4134 and AS4135 IP addresses ranges," Munoz wrote.

These similar activities could signify that both LuoYo and Evasive Panda either controlled a large number of devices associated with the IP addresses on those ranges or that they are AitM or attacker-on-the-side interception on the infrastructure of that particular AS, the researchers surmised. Indeed, previous research by Symantec reported on Evasive Panda targeting an African telecommunications provider.

"With access to ISP backbone infrastructure — through legal or illegal means — Evasive Panda would be able to intercept and reply to the update requests performed via HTTP, or even modify packets on the fly," Munoz wrote.

The APT and Its Malware

Evasive Panda — aka Bronze Highland and Daggerfly — has been active since 2012, and primarily conducts cyber espionage against individuals in mainland China, Hong Kong, Macao, and Nigeria, as well as specific organizations in China and Hong Kong.

The group also has targeted government entities in China, Macao, and Southeast and East Asian countries — specifically Myanmar, the Philippines, Taiwan, and Vietnam. According to public reports, the group has also targeted unknown entities in Hong Kong, India, and Malaysia.

Evasive Panda primarily uses the modular C++-based Windows backdoor MgBot — which does not appear to have been updated since it was first publicly documented in 2014 — to spy on victims. The malware's modules can be updated by Evasive Panda during attacks to enhance the attacker's capabilities, according to Eset.

Because the attacks appear so legitimate to end users, they are difficult for organizations to detect and mitigate, security researchers said. To help potential victims avoid compromise, Eset researchers included a list of indicators of compromise (IoCs) in their post.

When reporting on the LuoYo attack, Kaspersky researchers advised that the only way for potential targets to defend against such attacks is to remain extremely vigilant and put in place robust security procedures that involve regular antivirus scans, analysis of outbound network traffic, and extensive logging to detect anomalies.