The Evasive Panda APT group, also tracked as Bronze Highland, Daggerfly, and StormBamboo, has been running targeted campaigns since November 2022, using advanced techniques to deliver the MgBot malware.
The group combines adversary-in-the-middle attacks with DNS poisoning to compromise specific victims across several industries. Recent findings show that these operations continued until November 2024, affecting users in Türkiye, China, and India.
The threat actors disguise their malicious executables as legitimate software updates for popular applications such as SohuVA, iQIYI Video, IObit Smart Defrag, and Tencent QQ.
When users try to download updates, the attackers manipulate DNS responses to redirect traffic to servers they control. The malicious package, named sohuva_update_10.2.29.1-lup-s-tp.exe, appears to be a genuine update but delivers malware from an attacker-controlled resource.
Securelist researchers identified that the attackers used a DNS poisoning attack to change the DNS response for p2p.hd.sohu.com[.]cn to an attacker-controlled server's IP address.
This technique intercepts legitimate update requests and delivers malicious payloads instead. The group stores encrypted malware components on its servers, which are served in response to DNS requests for specific websites, making detection difficult.
Decryption routine of encrypted strings (Source – Securelist)
The initial loader decrypts its configuration using an XOR-based decryption routine. It checks the logged-in username, and if the username is SYSTEM, the malware copies itself under a different name by adding the ext.exe suffix.
The loader then decrypts a 9,556-byte shellcode using a single-byte XOR key and stores it in the .data section.
Since this section lacks execute permission, the malware uses the VirtualProtect API to change the section's permissions, allowing the shellcode to run without triggering security alerts.
Infection Mechanism and Hybrid Encryption
The Evasive Panda group uses a multi-stage infection process with hybrid encryption to make analysis harder. The first-stage shellcode searches for a specific DAT file in the malware's installation directory.
If found, it decrypts the file using the CryptUnprotectData API, which ensures the data can only be decrypted on the infected machine. After decryption, the shellcode deletes the file to remove traces of the attack.
General overview of storing the payload on disk using hybrid encryption (Source – Securelist)
If the DAT file isn't present, the shellcode downloads encrypted data from dictionary[.]com, which appears legitimate but has been compromised through DNS poisoning.
The attackers manipulate the IP address associated with this website, causing victim systems to resolve it to different attacker-controlled IP addresses depending on geographic location.
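A defender-side check for the symptom just described, added here as an example that is not part of the article or of Securelist's analysis. It runs over constructed resolver log lines (the `client=... qname=... answer=...` format, the baseline addresses and the 198.51.100.x/203.0.113.x answers are all assumptions drawn from documentation ranges, not real records) and flags answers for the update hosts that fall outside a verified baseline or that differ from one client to the next, which is what region-dependent poisoning looks like from inside a network.

```python
"""Flag DNS answers for software-update hosts that leave a verified baseline or
that differ between clients: the on-network symptom of region-dependent DNS
poisoning. Log format, baseline and sample answers are all constructed."""
from collections import defaultdict
import ipaddress
import re

# Assumed baseline: addresses the defender has confirmed for each update host.
BASELINE = {
    "p2p.hd.sohu.com.cn": {"198.51.100.10", "198.51.100.11"},
    "dictionary.com": {"198.51.100.50"},
}

# Assumed resolver log format: "<timestamp> client=<ip> qname=<name> answer=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+qname=(?P<qname>\S+)\s+answer=(?P<answer>\S+)$"
)

# Constructed sample: two clients receive different answers for the same host.
SAMPLE_LOG = """\
2024-10-02T09:14:03Z client=10.0.1.5 qname=p2p.hd.sohu.com.cn answer=198.51.100.10
2024-10-02T09:14:09Z client=10.0.1.6 qname=p2p.hd.sohu.com.cn answer=203.0.113.7
2024-10-02T09:15:21Z client=10.0.2.9 qname=dictionary.com. answer=198.51.100.50
2024-10-02T09:15:40Z client=10.0.3.2 qname=dictionary.com answer=203.0.113.88
2024-10-02T09:16:02Z client=10.0.1.7 qname=www.example.net answer=192.0.2.1
this line is malformed and must be skipped
""".splitlines()


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        ipaddress.ip_address(rec["answer"])  # reject garbage in the answer field
    except ValueError:
        return None
    rec["qname"] = rec["qname"].rstrip(".").lower()  # normalise trailing dot / case
    return rec


def analyze(lines, baseline=BASELINE):
    """Return findings: per-record 'off-baseline' hits and per-name 'divergent' hits."""
    findings = []
    seen = defaultdict(set)  # qname -> every answer observed across all clients
    for rec in filter(None, map(parse_line, lines)):
        qname = rec["qname"]
        if qname not in baseline:
            continue  # only the monitored update hosts matter here
        seen[qname].add(rec["answer"])
        if rec["answer"] not in baseline[qname]:
            findings.append({"type": "off-baseline", "ts": rec["ts"],
                             "client": rec["client"], "qname": qname,
                             "answer": rec["answer"]})
    # One name resolving to several addresses inside the same network window is
    # what per-region poisoning looks like, whatever the baseline says.
    for qname, answers in seen.items():
        if len(answers) > 1:
            findings.append({"type": "divergent", "qname": qname,
                             "answers": sorted(answers)})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The baseline should come from resolutions verified out of band (for example over a trusted resolver or from the vendor's published records), since a baseline learned from the same poisoned path would simply memorise the attacker's address.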
The malware retrieves a second-stage shellcode disguised as a PNG file. This payload uses a custom hybrid encryption scheme combining Microsoft's Data Protection API (DPAPI) and the RC5 algorithm.
The RC5 encryption key is encrypted with DPAPI and stored in the first 16 bytes of perf.dat, while the RC5-encrypted payload follows. To decrypt, the encrypted RC5 key is first decrypted with DPAPI, then used to decrypt the remaining file contents.
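An analyst-side unpacker for the perf.dat layout described above (DPAPI-protected RC5 key in the first 16 bytes, RC5 ciphertext after it), added here as an example and not taken from the article or from Securelist. The article does not state the RC5 parameters, block mode or padding, so RC5-32/12/16 in ECB with PKCS#7 padding is an assumption, as is the caller-supplied `unprotect` callable: on the infected host it would wrap `win32crypt.CryptUnprotectData` (pywin32), whereas the `demo_unprotect` XOR stand-in and `build_demo_perf_dat` exist only so the example runs offline and are not DPAPI.

```python
"""Unpack the perf.dat layout: [16-byte protected RC5 key][RC5 ciphertext].
Assumed (not stated in the article): RC5-32/12/16, ECB, PKCS#7 padding, and a
caller-supplied `unprotect` (DPAPI on the real host; XOR stand-in here)."""
import struct
from typing import Callable, List

MASK = 0xFFFFFFFF
P32, Q32 = 0xB7E15163, 0x9E3779B9  # RC5 constants for a 32-bit word size


def _rotl(x: int, y: int) -> int:
    y &= 31
    return ((x << y) | (x >> (32 - y))) & MASK


def _rotr(x: int, y: int) -> int:
    y &= 31
    return ((x >> y) | (x << (32 - y))) & MASK


def rc5_expand_key(key: bytes, rounds: int = 12) -> List[int]:
    """RC5 key schedule: returns the 2*(rounds+1) round subkeys S."""
    c = max(1, (len(key) + 3) // 4)
    L = [0] * c
    for i in range(len(key) - 1, -1, -1):  # pack key bytes little-endian into words
        L[i // 4] = ((L[i // 4] << 8) | key[i]) & MASK
    t = 2 * (rounds + 1)
    S = [P32] + [0] * (t - 1)
    for i in range(1, t):
        S[i] = (S[i - 1] + Q32) & MASK
    a = b = i = j = 0
    for _ in range(3 * max(t, c)):  # mix the key material into S
        a = S[i] = _rotl((S[i] + a + b) & MASK, 3)
        b = L[j] = _rotl((L[j] + a + b) & MASK, (a + b) & MASK)
        i, j = (i + 1) % t, (j + 1) % c
    return S


def rc5_encrypt_block(S: List[int], block: bytes) -> bytes:
    a, b = struct.unpack("<II", block)
    a, b = (a + S[0]) & MASK, (b + S[1]) & MASK
    for i in range(1, len(S) // 2):
        a = (_rotl(a ^ b, b) + S[2 * i]) & MASK
        b = (_rotl(b ^ a, a) + S[2 * i + 1]) & MASK
    return struct.pack("<II", a, b)


def rc5_decrypt_block(S: List[int], block: bytes) -> bytes:
    a, b = struct.unpack("<II", block)
    for i in range(len(S) // 2 - 1, 0, -1):
        b = _rotr((b - S[2 * i + 1]) & MASK, a) ^ a
        a = _rotr((a - S[2 * i]) & MASK, b) ^ b
    return struct.pack("<II", (a - S[0]) & MASK, (b - S[1]) & MASK)


def rc5_ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """Assumed mode/padding; used here only to build test material."""
    S = rc5_expand_key(key)
    pad = 8 - len(data) % 8
    data += bytes([pad]) * pad
    return b"".join(rc5_encrypt_block(S, data[i:i + 8]) for i in range(0, len(data), 8))


def rc5_ecb_decrypt(key: bytes, data: bytes) -> bytes:
    if len(data) == 0 or len(data) % 8:
        raise ValueError("ciphertext length is not a multiple of the 8-byte block")
    S = rc5_expand_key(key)
    plain = b"".join(rc5_decrypt_block(S, data[i:i + 8]) for i in range(0, len(data), 8))
    pad = plain[-1]
    if not 1 <= pad <= 8 or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding: wrong key or not the assumed scheme")
    return plain[:-pad]


def unpack_perf_dat(blob: bytes, unprotect: Callable[[bytes], bytes]) -> bytes:
    """Layout from the article: first 16 bytes hold the protected RC5 key."""
    if len(blob) < 16 + 8:
        raise ValueError("perf.dat too short for the described layout")
    wrapped_key, ciphertext = blob[:16], blob[16:]
    rc5_key = unprotect(wrapped_key)  # CryptUnprotectData on the infected host
    return rc5_ecb_decrypt(rc5_key, ciphertext)


# ---- constructed offline stand-ins (NOT DPAPI, NOT the malware's key) ----
_DEMO_MASK = bytes(range(16))
_DEMO_RC5_KEY = b"constructed-key!"  # 16 bytes, chosen for the example


def demo_unprotect(wrapped: bytes) -> bytes:
    """XOR stand-in for CryptUnprotectData so the example runs anywhere."""
    return bytes(x ^ y for x, y in zip(wrapped, _DEMO_MASK))


def build_demo_perf_dat(payload: bytes) -> bytes:
    """Construct a perf.dat-shaped blob (XOR wrap is its own inverse)."""
    return demo_unprotect(_DEMO_RC5_KEY) + rc5_ecb_encrypt(_DEMO_RC5_KEY, payload)


if __name__ == "__main__":
    print(unpack_perf_dat(build_demo_perf_dat(b"constructed second-stage bytes"), demo_unprotect))
```

Because DPAPI binds the wrapped key to the infected machine (and, depending on the flags used, to the user), the real file can only be unpacked on that host or with its extracted DPAPI master keys; running the unpacker in a sandbox with a freshly generated key will fail at the padding check rather than produce the payload.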
The secondary loader, libpython2.4.dll, relies on a legitimate signed executable named evteng.exe to achieve stealthy loading via DLL sideloading.
Decryption of the configuration in the injected MgBot implant (Source – Securelist)
After decryption, the malware injects the MgBot implant into the legitimate svchost.exe process, allowing it to maintain persistence while avoiding detection.
The configuration includes campaign names, hardcoded command-and-control server IP addresses, and encryption keys, with some servers remaining active for several years.
