ESET Research uncovers a campaign by the APT group known as Evasive Panda targeting an international NGO in China with malware delivered through updates of popular Chinese software
ESET researchers have discovered a campaign that we attribute to the APT group known as Evasive Panda, where update channels of legitimate applications were mysteriously hijacked to deliver the installer for the MgBot malware, Evasive Panda’s flagship backdoor.
Evasive Panda profile
Evasive Panda (also known as BRONZE HIGHLAND and Daggerfly) is a Chinese-speaking APT group, active since at least 2012. ESET Research has observed the group conducting cyberespionage against individuals in mainland China, Hong Kong, Macao, and Nigeria. Government entities were targeted in China, Macao, and Southeast and East Asian countries, specifically Myanmar, the Philippines, Taiwan, and Vietnam, while other organizations in China and Hong Kong were also targeted. According to public reports, the group has also targeted unknown entities in Hong Kong, India, and Malaysia.
The group implements its own custom malware framework with a modular architecture that allows its backdoor, known as MgBot, to receive modules to spy on its victims and enhance its capabilities.
In January 2022, we discovered that while performing updates, a legitimate Chinese application had received an installer for the Evasive Panda MgBot backdoor. During our investigation, we discovered that the malicious activity went back to 2020.
Chinese users were the focus of this malicious activity, which ESET telemetry shows starting in 2020 and continuing throughout 2021. The targeted users were located in the Gansu, Guangdong, and Jiangsu provinces, as shown in Figure 1.
The majority of the Chinese victims are members of an international NGO that operates in two of the previously mentioned provinces.
One additional victim was also discovered to be located in the country of Nigeria.
Evasive Panda uses a custom backdoor known as MgBot, which was publicly documented in 2014 and has seen little evolution since then; to the best of our knowledge, the backdoor has not been used by any other group. In this cluster of malicious activity, only the MgBot malware was observed deployed on victimized machines, along with its toolkit of plugins. Therefore, with high confidence we attribute this activity to Evasive Panda.
During our investigation, we discovered that when performing automated updates, a legitimate application software component downloaded MgBot backdoor installers from legitimate URLs and IP addresses.
In Table 1, we provide the URL from where the download originated, according to ESET telemetry data, including the IP addresses of the servers, as resolved at the time by the user’s system; therefore, we believe that these IP addresses are legitimate. According to passive DNS records, all of these IP addresses match the observed domains, therefore we believe that these IP addresses are legitimate.
Table 1. Malicious download locations according to ESET telemetry
URLFirst seenDomain IPASNDownloader
Hypotheses of compromise
When we analyzed the likelihood of several methods that could explain how the attackers managed to deliver malware through legitimate updates, we were left with two scenarios: supply-chain compromise, and adversary-in-the-middle attacks. For both scenarios we will also take into account antecedents of similar attacks by other Chinese-speaking APT groups.
Tencent QQ is a popular Chinese chat and social media service. In the next sections, we will use the Tencent QQ Windows client software updater, QQUrlMgr.exe (listed in Table 1), for our examples, given that we have the highest number of detections from downloads by this particular component.
Supply-chain compromise scenario
Given the targeted nature of the attacks, we speculate that attackers would have needed to compromise the QQ update servers to introduce a mechanism to identify the targeted users to deliver them the malware, filtering out non-targeted users and delivering them legitimate updates – we registered cases where legitimate updates were downloaded through the same abused protocols.
While not an Evasive Panda case, a prime example of this type of compromise is in our report Operation NightScout: Supply‑chain attack targets online gaming in Asia, where attackers compromised the update servers of a software developer company based in Hong Kong. According to our telemetry, more than 100,000 users had the BigNox software installed, but only five had malware delivered through an update. We suspect that the attackers compromised the BigNox API on the update server to reply to the updater component on the machines of targeted users with a URL to a server where the attackers hosted their malware; non-targeted users were sent the legitimate update URL.
Based on that antecedent, in Figure 2 we illustrate how the supply-chain compromise scenario could have unfolded according to observations in our telemetry. Still, we must warn the reader that this is purely speculation and based on our static analysis, with very limited information, of QQUrlMgr.exe (SHA-1: DE4CD63FD7B1576E65E79D1D10839D676ED20C2B).
It is also worth noting that during our research we were never able to retrieve a sample of the XML “update” data – neither a legitimate, nor a malicious, XML sample – from the server contacted by QQUrlMgr.exe. The “update check” URL is hardcoded, in obfuscated form, in the executable, as shown in Figure 3.
Deobfuscated, the complete update check URL is:
The server responds with XML-formatted data encoded with base64 and encrypted with an implementation of the TEA algorithm using a 128-bit key. This data contains instructions to download and execute a file, along with other information. Since the decryption key is also hardcoded, as shown in Figure 4, it could be known to the attackers.
QQUrlMgr.exe then downloads the indicated file, unencrypted, via HTTP and hashes its contents with the MD5 algorithm. The result is checked against a hash present in the update check response XML data, as seen in Figure 5. If the hashes match, QQUrlMgr.exe executes the downloaded file. This reinforces our hypothesis that the attackers would need to control the XML server-side mechanism in the update server to be able to provide the correct MD5 hash of the malware installer.
We believe that this scenario would explain our observations; however, many questions are left unanswered. We reached out to Tencent’s Security Response Center to confirm the legitimacy of the full URL from where the malware was downloaded; update.browser.qq[.]com is – at the time of writing – unreachable, but Tencent could not confirm whether the full URL was legitimate.
On 2022-06-02, Kaspersky published a research report about the capabilities of the Chinese-speaking LuoYu APT group and their WinDealer malware. Similar to what we observed on this cluster of Evasive Panda victims, their researchers found that, since 2020, victims of LuoYu had received the WinDealer malware through updates via the legitimate application qgametool.exe from the PPTV software, also developed by a Chinese company.
WinDealer has a puzzling capability: instead of carrying a list of established C&C servers to contact in case of a successful compromise, it generates random IP addresses in the 18.104.22.168/15 and 22.214.171.124/14 ranges from China Telecom AS4134. Although a small coincidence, we noticed that the IP addresses of the targeted Chinese users at the time of receiving the MgBot malware were on the AS4134 and AS4135 IP addresses ranges.
Possible explanations for what enables these capabilities for its C&C infrastructure are that LuoYu either control a large amount of devices associated with the IP addresses on those ranges, or that they are able to do adversary-in-the-middle (AitM) or attacker-on-the-side interception on the infrastructure of that particular AS.
AitM styles of interception would be possible if the attackers – either LuoYu or Evasive Panda – were able to compromise vulnerable devices such as routers or gateways. As an antecedent, in 2019 ESET researchers discovered that the Chinese APT group known as BlackTech was performing AitM attacks through compromised ASUS routers and delivering the Plead malware through ASUS WebStorage software updates.
With access to ISP backbone infrastructure – through legal or illegal means – Evasive Panda would be able to intercept and reply to the update requests performed via HTTP, or even modify packets on the fly. In April 2023, Symantec researchers reported on Evasive Panda targeting a telecommunications organization in Africa.
Ultimately, without further evidence, we cannot prove or discard one hypothesis in favor of the other, given that such capabilities are at hand for Chinese APT groups.
MgBot is the primary Windows backdoor used by Evasive Panda, which according to our findings has existed since at least 2012 and, as mentioned in this blog post, was publicly documented at VirusBulletin in 2014. It was developed in C++ with an object-oriented design, and has the capabilities to communicate via TCP and UDP, and extend its functionality via plugin modules.
MgBot’s installer and backdoor, and their functionality, have not changed significantly since it was first documented. Its chain of execution is the same as described in this report by Malwarebytes from 2020.
MgBot’s modular architecture allows it to extend its functionality by receiving and deploying modules on the compromised machine. Table 2 lists the known plugins and their functionality. It is important to note that the plugins don’t have unique internal identification numbers; therefore we are identifying them here by their DLL names on disk, which we have never seen change.
Table 2. List of plugin DLL files
Plugin DLL nameOverview
Kstrcs.dllKeylogger. It only actively logs keystrokes when the foreground window belongs to a process named QQ.exe and the window title matches QQEdit. It’s likely target is the Tencent QQ chat application.
sebasek.dllFile stealer. Has a configuration file that enables the collection of files from different sources: HDDs, USB thumb drives, and CD-ROMs; as well as criteria based on the file properties: filename must contain a keyword from a predefined list, file size must be between a defined a minimum and maximum size.
Cbmrpa.dllCaptures text copied to the clipboard and logs information from the USBSTOR registry key.
pRsm.dllCaptures input and output audio streams.
mailLFPassword.dllCredential stealer. Steals credentials from Outlook and Foxmail email client software.
agentpwd.dllCredential stealer. Steals credentials from Chrome, Opera, Firefox, Foxmail, QQBrowser, FileZilla, and WinSCP, among others.
qmsdp.dllA complex plugin designed to steal the content from the Tencent QQ database that stores the user’s message history. This is achieved by in-memory patching of the software component KernelUtils.dll and dropping a fake userenv.dll DLL.
wcdbcrk.dllInformation stealer for Tencent WeChat.
Gmck.dllCookies stealer for Firefox, Chrome, and Edge.
The majority of the plugins are designed to steal information from highly popular Chinese applications such as QQ, WeChat, QQBrowser, and Foxmail – all of them applications developed by Tencent.
We discovered a campaign that we attribute to the Evasive Panda APT group, targeting users in mainland China, delivering their MgBot backdoor through update protocols of applications from well-known Chinese companies. We also analyzed the plugins of the MgBot backdoor and found the majority of them are designed to spy on users of Chinese software by stealing credentials and information.
10FB52E4A3D5D6BDA0D22BB7C962BDE95B8DA3DDwcdbcrk.dllWin32/Agent.VFTMgBot information stealer plugin.
E5214AB93B3A1FC3993EF2B4AD04DFCC5400D5E2sebasek.dllWin32/Agent.VFTMgBot file stealer plugin.
D60EE17418CC4202BB57909BEC69A76BD318EEB4kstrcs.dllWin32/Agent.VFTMgBot keylogger plugin.
2AC41FFCDE6C8409153DF22872D46CD259766903gmck.dllWin32/Agent.VFTMgBot cookie stealer plugin.
0781A2B6EB656D110A3A8F60E8BCE9D407E4C4FFqmsdp.dllWin32/Agent.VFTMgBot information stealer plugin.
9D1ECBBE8637FED0D89FCA1AF35EA821277AD2E8pRsm.dllWin32/Agent.VFTMgBot audio capture plugin.
22532A8C8594CD8A3294E68CEB56ACCF37A613B3cbmrpa.dllWin32/Agent.ABUJMgBot clipboard text capture plugin.
970BABE49945B98EFADA72B2314B25A008F75843agentpwd.dllWin32/Agent.VFTMgBot credential stealer plugin.
8A98A023164B50DEC5126EDA270D394E06A144FFmaillfpassword.dllWin32/Agent.VFTMgBot credential stealer plugin.
122.10.88[.]226AS55933 Cloudie Limited2020-07-09MgBot C&C server.
122.10.90[.]12AS55933 Cloudie Limited2020-09-14MgBot C&C server.
MITRE ATT&CK techniques
This table was built using version 12 of the MITRE ATT&CK framework.
Resource DevelopmentT1583.004Acquire Infrastructure: ServerEvasive Panda acquired servers to be used for C&C infrastructure.
T1587.001Develop Capabilities: MalwareEvasive Panda develops its custom MgBot backdoor and plugins, including obfuscated loaders.
ExecutionT1059.003Command and Scripting Interpreter: Windows Command ShellMgBot’s installer launches the service from BAT files with the command net start AppMgmt
T1106Native APIMgBot’s installer uses the CreateProcessInternalW API to execute rundll32.exe to load the backdoor DLL.
T1569.002System Services: Service ExecutionMgBot is executed as a Windows service.
PersistenceT1543.003Create or Modify System Process: Windows ServiceMgBot replaces the path of the existing Application Management service DLL with its own.
Privilege EscalationT1548.002Abuse Elevation Control Mechanism: Bypass User Account ControlMgBot performs UAC Bypass.
Defense EvasionT1140Deobfuscate/Decode Files or InformationMgBot’s installer decrypts an embedded CAB file that contains the backdoor DLL.
T1112Modify RegistryMgBot modifies the registry for persistence.
T1027Obfuscated Files or InformationMgBot’s installer contains embedded malware files and encrypted strings. MgBot contains encrypted strings. MgBot plugins contain embedded DLL files.
T1055.002Process Injection: Portable Executable InjectionMgBot can inject Portable Executable files to remote processes.
Credential AccessT1555.003Credentials from Password Stores: Credentials from Web BrowsersMgBot plugin module agentpwd.dll steals credential from web browsers.
T1539Steal Web Session CookieMgBot plugin module Gmck.dll steals cookies.
DiscoveryT1082System Information DiscoveryMgBot collects system information.
T1016System Network Configuration DiscoveryMgBot has the capability to recover network information.
T1083File and Directory DiscoveryMgBot has the capability of creating file listings.
CollectionT1056.001Input Capture: KeyloggingMgBot plugin module kstrcs.dll is a keylogger.
T1560.002Archive Collected Data: Archive via LibraryMgBot’s plugin module sebasek.dll uses aPLib to compress files staged for exfiltration.
T1123Audio CaptureMgBot’s plugin module pRsm.dll captures input and output audio streams.
T1119Automated CollectionMgBot’s plugin modules capture data from various sources.
T1115Clipboard DataMgBot’s plugin module Cbmrpa.dll captures text copied to the clipboard.
T1025Data from Removable MediaMgBot’s plugin module sebasek.dll collects files from removable media.
T1074.001Data Staged: Local Data StagingMgBot’s plugin modules stage data locally on disk.
T1114.001Email Collection: Local Email CollectionMgBot’s plugin modules are designed to steal credentials and email information from several applications.
T1113Screen CaptureMgBot can capture screenshots.
Command and ControlT1095Non-Application Layer ProtocolMgBot communicates with its C&C through TCP and UDP protocols.
ExfiltrationT1041Exfiltration Over C2 ChannelMgBot performs exfiltration of collected data via C&C.