A China-linked advanced persistent threat (APT) group has been attributed to a highly targeted cyber espionage campaign in which the adversary poisoned Domain Name System (DNS) requests to deliver its signature MgBot backdoor in attacks targeting victims in Türkiye, China, and India.
The activity, Kaspersky said, was observed between November 2022 and November 2024. It has been linked to a hacking group known as Evasive Panda, which is also tracked as Bronze Highland, Daggerfly, and StormBamboo. It is assessed to have been active since at least 2012.
“The group mainly carried out adversary-in-the-middle (AitM) attacks on specific victims,” Kaspersky researcher Fatih Şensoy said in a deep-dive analysis. “These included techniques such as dropping loaders into specific locations and storing encrypted components of the malware on attacker-controlled servers, which were resolved as a response to specific website DNS requests.”
This isn’t the first time Evasive Panda’s DNS poisoning capabilities have come to the fore. As far back as April 2023, ESET noted that the threat actor may have either carried out a supply chain compromise or an AitM attack to serve trojanized versions of legitimate applications like Tencent QQ in an attack targeting an international non-governmental organization (NGO) in Mainland China.
In August 2024, a report from Volexity revealed how the threat actor compromised an unnamed internet service provider (ISP) through a DNS poisoning attack to push malicious software updates to targets of interest.
Evasive Panda is also one of the many China-aligned threat activity clusters that have relied on AitM poisoning for malware distribution. In an analysis last month, ESET said it is tracking 10 active groups from China that have leveraged the technique for initial access or lateral movement, including LuoYu, BlackTech, TheWizards APT, Blackwood, PlushDaemon, and FontGoblin.
In the attacks documented by Kaspersky, the threat actor has been found to use lures that masquerade as updates for third-party software, such as SohuVA, a video streaming service from the Chinese internet company Sohu. The malicious update is delivered from the domain “p2p.hd.sohu.com[.]cn,” likely indicating a DNS poisoning attack.
“There is a possibility that the attackers used a DNS poisoning attack to alter the DNS response of p2p.hd.sohu.com[.]cn to an attacker-controlled server’s IP address, while the genuine update module of the SohuVA application tries to update its binaries located in appdataroamingshapp7.0.18.0package,” Şensoy explained.
The Russian cybersecurity vendor said it also identified other campaigns in which Evasive Panda used a fake updater for Baidu’s iQIYI Video, as well as IObit Smart Defrag and Tencent QQ.
The attack paves the way for the deployment of an initial loader that is responsible for launching shellcode which, in turn, fetches an encrypted second-stage shellcode in the form of a PNG image file, again through DNS poisoning from the legitimate website dictionary[.]com.
Evasive Panda is said to have manipulated the IP address associated with dictionary[.]com, causing victim systems to resolve the website to an attacker-controlled IP address based on their geographical location and internet service provider.
It is currently not known how the threat actor is poisoning DNS responses. But two possible scenarios are suspected: either the ISPs used by the victims were selectively targeted and compromised to install some kind of network implant on edge devices, or a router or firewall used by the victims was hacked for this purpose.
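One way a defender can spot the resolver-level tampering described above is to compare what the local (ISP or edge) resolver returns for a domain against answers obtained independently (for example over DNS-over-HTTPS to several providers), while allowing for legitimate geo-varying CDN answers. The following is an added example, not Kaspersky's tooling; the resolver and answer IPs are constructed from RFC 5737 documentation ranges, and the accepted CDN prefix is an assumption.

```python
"""Flag local-resolver DNS answers that disagree with independent resolvers."""
import ipaddress
from collections import defaultdict

# Constructed DNS log records seen by a client: (resolver, domain, answer_ip).
LOCAL_ANSWERS = [
    ("192.0.2.53", "p2p.hd.sohu.com.cn", "203.0.113.7"),   # agrees with reference
    ("192.0.2.53", "dictionary.com", "198.51.100.20"),     # agrees with nothing
    ("192.0.2.53", "dictionary.com", "203.0.113.30"),      # inside accepted CDN prefix
]

# Constructed answers gathered from independent resolvers (e.g. DoH to several providers).
REFERENCE_ANSWERS = {
    "p2p.hd.sohu.com.cn": {"203.0.113.7", "203.0.113.8"},
    "dictionary.com": {"203.0.113.40"},
}

# Constructed CDN/hosting prefixes the defender accepts for geo-varying answers.
KNOWN_PREFIXES = {
    "dictionary.com": [ipaddress.ip_network("203.0.113.0/27")],
}


def classify_answer(domain, ip, reference, known_prefixes):
    """Return 'match', 'known_prefix', 'unverifiable' or 'divergent' for one answer."""
    ref = reference.get(domain)
    if ref is None:
        return "unverifiable"          # no independent view of this domain
    if ip in ref:
        return "match"
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in known_prefixes.get(domain, [])):
        return "known_prefix"          # plausible regional CDN edge
    return "divergent"                 # worth investigating: nobody else returns this IP


def divergent_answers(local_answers, reference, known_prefixes):
    """Return {domain: sorted divergent IPs} across a batch of local answers."""
    findings = defaultdict(set)
    for _resolver, domain, ip in local_answers:
        if classify_answer(domain, ip, reference, known_prefixes) == "divergent":
            findings[domain].add(ip)
    return {domain: sorted(ips) for domain, ips in findings.items()}
```

A divergent answer for a software update or download domain is a strong signal when it coincides with an unexpected binary fetch by the updater process.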
The HTTP request to obtain the second-stage shellcode also contains the current Windows version number. This is likely an attempt on the part of the attackers to target specific operating system versions and adapt their strategy based on the operating system in use. It is worth noting that Evasive Panda has previously leveraged watering hole attacks to distribute an Apple macOS malware codenamed MACMA.
The exact nature of the second-stage payload is unclear, but Kaspersky’s analysis shows that the first-stage shellcode decrypts and runs the retrieved payload. It is assessed that the attackers generate a unique encrypted second shellcode file for each victim as a way to bypass detection.
A crucial aspect of the operations is the use of a secondary loader (“libpython2.4.dll”) that relies on a renamed, older version of “python.exe” to be sideloaded. Once launched, it downloads and decrypts the next-stage malware by reading the contents of a file named “C:\ProgramData\Microsoft\eHome\perf.dat.” This file contains the decrypted payload downloaded from the previous step.
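The sideloading step above leaves a simple telemetry signature: a library whose legitimate host is python.exe being loaded by a differently named process, or from a directory where no Python installation lives. The following is an added example of that check, not Kaspersky's detection logic; the event lines are constructed in a Sysmon image-load style, and the field names and trusted install directories are assumptions.

```python
"""Flag libpython2.4.dll loads by a renamed host or from an untrusted directory."""
import ntpath
import re

# Constructed image-load events in "Image=<process>|ImageLoaded=<dll>" form.
EVENTS = [
    "Image=C:\\Program Files\\Python24\\python.exe|ImageLoaded=C:\\Program Files\\Python24\\libpython2.4.dll",
    "Image=C:\\Users\\u\\AppData\\Roaming\\updater\\update.exe|ImageLoaded=C:\\Users\\u\\AppData\\Roaming\\updater\\libpython2.4.dll",
    "Image=C:\\Windows\\System32\\svchost.exe|ImageLoaded=C:\\Windows\\System32\\kernel32.dll",
]

EXPECTED_HOST = "python.exe"      # the library's legitimate host process
TARGET_DLL = "libpython2.4.dll"   # the loader named in the report
# Directories where an installed Python would normally live (assumption).
TRUSTED_DIR_RE = re.compile(r"^c:\\program files( \(x86\))?\\python\d*\\$", re.IGNORECASE)


def parse_event(line):
    """Split a constructed 'k=v|k=v' event line into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def sideload_reasons(event):
    """Return the reasons an image-load event looks like a sideload (empty if benign)."""
    dll = event["ImageLoaded"]
    if ntpath.basename(dll).lower() != TARGET_DLL:
        return []                                   # not the library we care about
    reasons = []
    host = ntpath.basename(event["Image"]).lower()
    if host != EXPECTED_HOST:
        reasons.append(f"host process renamed: {host}")
    dll_dir = ntpath.dirname(dll) + "\\"
    if not TRUSTED_DIR_RE.match(dll_dir):
        reasons.append(f"dll loaded from untrusted directory: {dll_dir}")
    return reasons


def suspicious_loads(lines):
    """Return [(process image, reasons)] for every event that trips a check."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = sideload_reasons(event)
        if reasons:
            findings.append((event["Image"], reasons))
    return findings
```

Pairing a hit with a subsequent read of perf.dat under ProgramData by the same process narrows the alert to the chain the report describes.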
“It appears that the attacker used a complex process to obtain this stage from a resource, where it was initially XOR-encrypted,” Kaspersky said. “The attacker then decrypted this stage with XOR and subsequently encrypted and saved it to perf.dat using a custom hybrid of Microsoft’s Data Protection Application Programming Interface (DPAPI) and the RC5 algorithm.”
The use of a custom encryption algorithm is seen as an attempt to complicate analysis by ensuring that the encrypted data can only be decoded on the specific system where the encryption was originally performed, and to block any efforts to intercept and analyze the malicious payload.
The decrypted code is an MgBot variant that is injected by the secondary loader into a legitimate “svchost.exe” process. A modular implant, MgBot is capable of harvesting files, logging keystrokes, gathering clipboard data, recording audio streams, and stealing credentials from web browsers. This allows the malware to maintain a stealthy presence on compromised systems for long periods of time.
“The Evasive Panda threat actor has once again showcased its advanced capabilities, evading security measures with new techniques and tools while maintaining long-term persistence in targeted systems,” Kaspersky said.