ButSpeak.com
News which Matters.
The Chinese hacking group Evasive Panda deploys updated Macma and Nightdoor malware variants in cyber espionage attacks targeting organizations in Taiwan and a US NGO in China, exploiting vulnerabilities and sophisticated attack methods.
The notorious Chinese hacking group Evasive Panda, also known as ‘Daggerfly’ or ‘Bronze Highland,’ has been observed deploying updated variants of its signature malware in recent cyber espionage attacks. Symantec’s threat hunting team identified these attacks targeting organizations in Taiwan and an American non-governmental organization (NGO) in China.
In the attack on the NGO, Evasive Panda exploited a vulnerability in an Apache HTTP server to deliver a new version of their modular malware framework, MgBot. This indicates the group’s continuous efforts to refresh their tools and evade detection. Evasive Panda, active since at least 2012, is known for conducting both domestic and international espionage operations.
One of the significant recent developments involves the use of Tencent QQ software updates to infect NGO members in China with the MgBot malware. This breach was achieved through a supply chain or adversary-in-the-middle (AITM) attack, showcasing the group’s sophisticated attack methods.
Macma, a modular malware for macOS, first documented by Google‘s Threat Analysis Group (TAG) in 2021, has now been linked to Evasive Panda. Recent variants of Macma display ongoing development, incorporating new functionalities such as:
The connection between Macma and Evasive Panda is suggested by two of the latest variants that connect to a command and control (C2) IP address also used by an MgBot dropper. Moreover, both Macma and other malware in the group’s toolkit contain code from a shared custom library or framework, which is not available in public repositories. This library supports threat and synchronization primitives, event notifications and timers, data marshaling, and platform-independent abstractions. Evasive Panda uses this framework to build malware for Windows, macOS, Linux, and Android.
Another notable malware used by Evasive Panda is Nightdoor (also known as ‘NetMM’), a Windows backdoor recently attributed to the group by ESET. Symantec tracked Nightdoor in attacks where it was configured to connect to OneDrive and fetch a legitimate DAEMON Tools Lite Helper application (‘MeitUD.exe’) and a DLL file (‘Engine.dll’). These components create scheduled tasks for persistence and load the final payload into memory.
Nightdoor employs anti-VM code from the ‘al-khaser’ project and uses ‘cmd.exe’ to interact with C2 via open pipes. It supports the execution of commands for network and system profiling, such as ‘ipconfig,’ ‘systeminfo,’ ‘tasklist,’ and ‘netstat.’
In addition to these sophisticated malware tools, Evasive Panda has been seen deploying trojanized Android APKs, SMS and DNS request interception tools, and malware targeting obscure Solaris OS systems. These actions underline the group’s extensive capabilities and persistent threat to cybersecurity.
The ongoing development and deployment of these malware variants by Evasive Panda highlight the increasing complexity and sophistication of cyber threats. As organizations and cybersecurity firms continue to monitor and counter these threats, the importance of robust cybersecurity measures cannot be overstated.