ButSpeak.com
News which Matters.
The Chinese hacking group Evasive Panda deploys updated Macma and Nightdoor malware variants in cyber espionage attacks targeting organizations in Taiwan and a US NGO in China, exploiting vulnerabilities and sophisticated attack methods.
Key Points
- Evasive Panda employs new variants of Macma and Nightdoor malware.
- Targets include organizations in Taiwan and a US NGO in China.
- Exploits Apache HTTP server vulnerability to deploy MgBot framework.
- Macma malware shows ongoing development with enhanced functionalities.
- Symantec and ESET track Evasive Panda’s sophisticated attack methods.
The notorious Chinese hacking group Evasive Panda, also known as ‘Daggerfly’ or ‘Bronze Highland,’ has been observed deploying updated variants of its signature malware in recent cyber espionage attacks. Symantec’s threat hunting team identified these attacks targeting organizations in Taiwan and an American non-governmental organization (NGO) in China.
In the attack on the NGO, Evasive Panda exploited a vulnerability in an Apache HTTP server to deliver a new version of their modular malware framework, MgBot. This indicates the group’s continuous efforts to refresh their tools and evade detection. Evasive Panda, active since at least 2012, is known for conducting both domestic and international espionage operations.
One of the significant recent developments involves the use of Tencent QQ software updates to infect NGO members in China with the MgBot malware. This breach was achieved through a supply chain or adversary-in-the-middle (AITM) attack, showcasing the group’s sophisticated attack methods.
Macma Malware Linked to Evasive Panda
Macma, a modular malware for macOS, first documented by Google‘s Threat Analysis Group (TAG) in 2021, has now been linked to Evasive Panda. Recent variants of Macma display ongoing development, incorporating new functionalities such as:
- New logic to collect a file’s system listing, based on Tree, a publicly available Linux/Unix utility.
- Modified code in the AudioRecorderHelper feature.
- Additional parameterization and debug logging.
- A new file (param2.ini) to set options for adjusting screenshot size and aspect ratio.
The connection between Macma and Evasive Panda is suggested by two of the latest variants that connect to a command and control (C2) IP address also used by an MgBot dropper. Moreover, both Macma and other malware in the group’s toolkit contain code from a shared custom library or framework, which is not available in public repositories. This library supports threat and synchronization primitives, event notifications and timers, data marshaling, and platform-independent abstractions. Evasive Panda uses this framework to build malware for Windows, macOS, Linux, and Android.
Other Tools in Evasive Panda’s Arsenal
Another notable malware used by Evasive Panda is Nightdoor (also known as ‘NetMM’), a Windows backdoor recently attributed to the group by ESET. Symantec tracked Nightdoor in attacks where it was configured to connect to OneDrive and fetch a legitimate DAEMON Tools Lite Helper application (‘MeitUD.exe’) and a DLL file (‘Engine.dll’). These components create scheduled tasks for persistence and load the final payload into memory.
Nightdoor employs anti-VM code from the ‘al-khaser’ project and uses ‘cmd.exe’ to interact with C2 via open pipes. It supports the execution of commands for network and system profiling, such as ‘ipconfig,’ ‘systeminfo,’ ‘tasklist,’ and ‘netstat.’
In addition to these sophisticated malware tools, Evasive Panda has been seen deploying trojanized Android APKs, SMS and DNS request interception tools, and malware targeting obscure Solaris OS systems. These actions underline the group’s extensive capabilities and persistent threat to cybersecurity.
The ongoing development and deployment of these malware variants by Evasive Panda highlight the increasing complexity and sophistication of cyber threats. As organizations and cybersecurity firms continue to monitor and counter these threats, the importance of robust cybersecurity measures cannot be overstated.
