Cyber Web Spider Blog – News
China-Linked Evasive Panda Ran DNS Poisoning Campaign to Deliver MgBot Malware

Posted on December 26, 2025 By CWS

A China-linked advanced persistent threat (APT) group has been attributed to a highly targeted cyber espionage campaign in which the adversary poisoned Domain Name System (DNS) requests to deliver its signature MgBot backdoor in attacks targeting victims in Türkiye, China, and India.
The activity, Kaspersky said, was observed between November 2022 and November 2024. It has been linked to a hacking group known as Evasive Panda, which is also tracked as Bronze Highland, Daggerfly, and StormBamboo. It is assessed to have been active since at least 2012.
“The group mainly carried out adversary-in-the-middle (AitM) attacks on specific victims,” Kaspersky researcher Fatih Şensoy said in a deep-dive analysis. “These included techniques such as dropping loaders into specific locations and storing encrypted parts of the malware on attacker-controlled servers, which were resolved as a response to specific website DNS requests.”
This isn't the first time Evasive Panda's DNS poisoning capabilities have come to the fore. As far back as April 2023, ESET noted that the threat actor may have either carried out a supply chain compromise or an AitM attack to serve trojanized versions of legitimate applications like Tencent QQ in an attack targeting an international non-governmental organization (NGO) in Mainland China.

In August 2024, a report from Volexity revealed how the threat actor compromised an unnamed internet service provider (ISP) via a DNS poisoning attack to push malicious software updates to targets of interest.

Evasive Panda is also one of the many China-aligned threat activity clusters that have relied on AitM poisoning for malware distribution. In an analysis last month, ESET said it is tracking 10 active groups from China that have leveraged the technique for initial access or lateral movement, including LuoYu, BlackTech, TheWizards APT, Blackwood, PlushDaemon, and FontGoblin.
In the attacks documented by Kaspersky, the threat actor has been found to use lures that masquerade as updates for third-party software, such as SohuVA, a video streaming service from the Chinese internet company Sohu. The malicious update is delivered from the domain “p2p.hd.sohu.com[.]cn,” likely indicating a DNS poisoning attack.
“There is a possibility that the attackers used a DNS poisoning attack to change the DNS response of p2p.hd.sohu.com[.]cn to an attacker-controlled server's IP address, while the genuine update module of the SohuVA application tries to update its binaries located in appdata\roaming\shapp\7.0.18.0\package,” Şensoy explained.
The Russian cybersecurity vendor said it also identified other campaigns in which Evasive Panda used a fake updater for Baidu's iQIYI Video, as well as IObit Smart Defrag and Tencent QQ.
The attack paves the way for the deployment of an initial loader that is responsible for launching shellcode that, in turn, fetches an encrypted second-stage shellcode in the form of a PNG image file, again via DNS poisoning from the legitimate website dictionary[.]com.

Evasive Panda is said to have manipulated the IP address associated with dictionary[.]com, causing victim systems to resolve the website to an attacker-controlled IP address based on their geographical location and internet service provider.
It is currently not known how the threat actor is poisoning DNS responses. But two possible scenarios are suspected: either the ISPs used by the victims were selectively targeted and compromised to install some kind of network implant on edge devices, or a router or firewall used by the victims was hacked for this purpose.
The HTTP request to obtain the second-stage shellcode also includes the current Windows version number. This is likely an attempt on the part of the attackers to target specific operating system versions and adapt their strategy based on the operating system in use. It's worth noting that Evasive Panda has previously leveraged watering hole attacks to distribute an Apple macOS malware codenamed MACMA.
The exact nature of the second-stage payload is unclear, but Kaspersky's analysis shows that the first-stage shellcode decrypts and runs the retrieved payload. It is assessed that the attackers generate a unique encrypted second-stage shellcode file for each victim as a way to bypass detection.
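Because the poisoning described above is selective by geography and ISP, a victim's own vantage point is the only place it can be observed: the same update domain answers correctly from elsewhere. One defender-side check is to resolve the update hosts a fleet depends on through both the local (ISP-provided) resolver and an independent, encrypted resolver, and compare both against a known-good baseline of the vendor's networks. The following is an added example, not code from Kaspersky or the article; the domains, addresses and baseline networks are constructed sample data, and a real baseline would be collected from authoritative lookups on a trusted network.

```python
"""
Detect resolver-level DNS poisoning of software-update domains by checking
answers from the local resolver and an independent resolver against a
trusted baseline. Added example; all hosts, IPs and networks are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed baseline: networks each update host is expected to resolve into.
EXPECTED_NETWORKS = {
    "updates.example-vendor.test": ["203.0.113.0/24", "198.51.100.0/25"],
    "cdn.example-dictionary.test": ["192.0.2.0/24"],
}

# Constructed observations: (domain, resolver label, answer IP), as gathered
# by querying the local resolver and an independent one from the same host.
OBSERVATIONS = [
    ("updates.example-vendor.test", "local", "203.0.113.17"),
    ("updates.example-vendor.test", "independent", "203.0.113.17"),
    ("cdn.example-dictionary.test", "local", "198.51.100.200"),  # off-baseline
    ("cdn.example-dictionary.test", "independent", "192.0.2.44"),
]


def in_baseline(domain, ip, expected):
    """True if ip falls inside one of the networks expected for domain."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in expected.get(domain, []))


def find_poisoned(observations, expected=EXPECTED_NETWORKS):
    """Return {domain: [finding, ...]} for domains with suspicious answers.

    Two signals are combined: an answer outside the baseline networks, and
    resolvers that share no answer at all (the local resolver is being lied
    to, or the independent one is).
    """
    answers = defaultdict(dict)
    for domain, resolver, ip in observations:
        answers[domain].setdefault(resolver, set()).add(ip)

    findings = {}
    for domain, by_resolver in answers.items():
        issues = []
        for resolver, ips in by_resolver.items():
            for ip in sorted(ips):
                if domain in expected and not in_baseline(domain, ip, expected):
                    issues.append(f"{resolver} answered {ip}, outside expected networks")
        if len(by_resolver) > 1 and not set.intersection(*by_resolver.values()):
            detail = ", ".join(f"{r}={sorted(s)}" for r, s in sorted(by_resolver.items()))
            issues.append("resolvers disagree: " + detail)
        if issues:
            findings[domain] = issues
    return findings


if __name__ == "__main__":
    for domain, issues in find_poisoned(OBSERVATIONS).items():
        print(domain)
        for issue in issues:
            print("  -", issue)
```

Run periodically from representative endpoints rather than from a central server, since a central server sits behind a different resolver and ISP and would see nothing. A disagreement between resolvers is only a lead; the baseline comparison is what turns it into a finding, so keep the baseline current with the vendor's published CDN ranges.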

A crucial aspect of the operations is the use of a secondary loader (“libpython2.4.dll”) that relies on a renamed, older version of “python.exe” to be sideloaded. Once launched, it downloads and decrypts the next-stage malware by reading the contents of a file named “C:\ProgramData\Microsoft\eHome\perf.dat.” This file contains the decrypted payload downloaded in the previous step.
“It appears that the attacker used a complex process to obtain this stage from a resource, where it was initially XOR-encrypted,” Kaspersky said. “The attacker then decrypted this stage with XOR and subsequently encrypted and saved it to perf.dat using a custom hybrid of Microsoft's Data Protection Application Programming Interface (DPAPI) and the RC5 algorithm.”
The use of a custom encryption algorithm is seen as an attempt to complicate analysis by ensuring that the encrypted data can only be decoded on the specific system where the encryption was originally performed, and to block any efforts to intercept and analyze the malicious payload.
The decrypted code is an MgBot variant that is injected by the secondary loader into a legitimate “svchost.exe” process. A modular implant, MgBot is capable of harvesting files, logging keystrokes, gathering clipboard data, recording audio streams, and stealing credentials from web browsers. This enables the malware to maintain a stealthy presence on compromised systems for long periods of time.
“The Evasive Panda threat actor has once again showcased its advanced capabilities, evading security measures with new techniques and tools while maintaining long-term persistence in targeted systems,” Kaspersky said.
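The sideloading step above leaves a detectable trace that does not depend on the payload's per-victim encryption: a process whose PE version resource says it is python.exe but whose on-disk name is something else, loading a libpython DLL from its own directory. The following is an added example, not Kaspersky's or the article's code, that looks for that combination in Sysmon-style process-creation and image-load events. The log lines are constructed in a simplified key=value form, not real Sysmon output, and the renamed executable name, its directory, and the process GUIDs are placeholders; the page does not state what python.exe was renamed to or where it was placed.

```python
"""
Flag DLL sideloading by a renamed python.exe (the libpython2.4.dll loader
pattern) over simplified Sysmon-style events. Added example; the log lines
below are constructed and the process name and paths are placeholders.
"""
import ntpath
import re

# Constructed sample events. EventID=1 (process create) carries the
# OriginalFileName from the PE version resource; EventID=7 (image load)
# carries the DLL that was mapped into the process.
SAMPLE_LOG = r"""
EventID=1|ProcessGuid={guid-1}|Image=C:\Python24\python.exe|OriginalFileName=python.exe
EventID=7|ProcessGuid={guid-1}|Image=C:\Python24\python.exe|ImageLoaded=C:\Python24\libpython2.4.dll|Signed=true
EventID=1|ProcessGuid={guid-2}|Image=C:\Users\Public\Libs\update_helper.exe|OriginalFileName=python.exe
EventID=7|ProcessGuid={guid-2}|Image=C:\Users\Public\Libs\update_helper.exe|ImageLoaded=C:\Users\Public\Libs\libpython2.4.dll|Signed=false
EventID=7|ProcessGuid={guid-2}|Image=C:\Users\Public\Libs\update_helper.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true
"""

LIBPYTHON_RE = re.compile(r"^libpython[\d.]*\.dll$", re.IGNORECASE)


def parse_events(text):
    """Parse pipe-delimited key=value lines into a list of dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(dict(field.split("=", 1) for field in line.split("|")))
    return events


def find_sideloads(events):
    """Return findings for libpython DLL loads that look like sideloading.

    A load is reported when the host process is renamed (basename differs
    from OriginalFileName) or when the DLL is unsigned. Loading from the
    process's own directory is recorded as supporting context only, since
    a genuine Python install does the same.
    """
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == "1"}
    findings = []
    for e in events:
        if e["EventID"] != "7" or not LIBPYTHON_RE.match(ntpath.basename(e["ImageLoaded"])):
            continue
        proc = procs.get(e["ProcessGuid"])
        if proc is None:
            continue  # no process-create event seen for this GUID
        reasons = []
        host_name = ntpath.basename(proc["Image"])
        if host_name.lower() != proc["OriginalFileName"].lower():
            reasons.append(f"renamed host: {host_name} has OriginalFileName {proc['OriginalFileName']}")
        if e.get("Signed", "").lower() != "true":
            reasons.append("DLL is unsigned")
        if reasons and ntpath.dirname(e["ImageLoaded"]).lower() == ntpath.dirname(proc["Image"]).lower():
            reasons.append("DLL loaded from the process's own directory")
        if reasons:
            findings.append({"process": proc["Image"], "dll": e["ImageLoaded"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_sideloads(parse_events(SAMPLE_LOG)):
        print(f["process"], "->", f["dll"])
        for r in f["reasons"]:
            print("  -", r)
```

The OriginalFileName mismatch is the strongest of the three signals and survives the attacker choosing any executable name; pair it with a file-read detection on the perf.dat path named in the article if your telemetry records file access, since that read is the loader's next step.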

The Hacker News | Tags: Campaign, China-Linked, Deliver, DNS, Evasive, Malware, MgBot, Panda, Poisoning, Ran
