For the past three years, attackers have been delivering malware through the automatic updates of legitimate Chinese applications, served from China-based servers

A state-sponsored threat group (an advanced persistent threat, or APT) known as Evasive Panda has, since 2020, been conducting a campaign in which the automatic updates of legitimate Chinese applications were hijacked to also deliver the installer for MgBot, the group's flagship cyberespionage backdoor.

Recent telemetry from cybersecurity firm ESET established that targeted users were located in China's Gansu, Guangdong, and Jiangsu provinces, and that a majority of the Chinese victims were members of international non-governmental organizations (NGOs).

Evasive Panda (also known as BRONZE HIGHLAND and Daggerfly) is a Chinese-speaking APT group that has been active since at least 2012. ESET's researchers have observed the group conducting cyberespionage against individuals in mainland China, Hong Kong, and Macao. One victim of this campaign was confirmed to be located in Nigeria; that compromise was delivered through the Chinese software Mail Master by NetEase.

According to ESET researcher Facundo Muñoz, who discovered this campaign: “Evasive Panda uses a custom backdoor known as MgBot that has seen little evolution since its discovery in 2014. To the best of our knowledge, the backdoor has not been used by any other group. Therefore, we attribute this activity to Evasive Panda with high confidence. During our investigation, which started in January 2022, we discovered that several legitimate Chinese application software components, when performing automated updates, also downloaded MgBot backdoor installers from legitimate URLs and IP addresses.”

MgBot has a modular architecture: its functionality is extended by downloading additional plugins. The backdoor can record keystrokes; steal files, credentials, and message content from the messaging apps QQ and WeChat; and capture both audio streams and text copied to the clipboard.

Muñoz's team speculates that the attackers would have needed to compromise the QQ update servers and add a mechanism that identifies targeted users, serving them the malware while non-targeted users continued to receive legitimate updates. “This is because we registered cases where legitimate updates were downloaded through the same abused protocols. On the other hand, Adversary-in-the-Middle approaches to interception would have been possible if the attackers had been able to compromise vulnerable devices such as routers or gateways to gain access to ISP infrastructure,” he said.
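Both of the scenarios Muñoz describes, a server that serves different payloads to selected clients and an in-path adversary that swaps the payload for some clients, leave the same fingerprint from the defender's side: one update URL delivering more than one distinct file across a fleet, with the rogue copy carrying a signer other than the vendor. The check below is an added example, not ESET's code or anything from the affected vendors; it runs over a constructed set of update-download records (hostnames, URLs, hashes and signer names are all placeholders) and flags the two indicators.

```python
from collections import defaultdict
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample telemetry (not real hashes, URLs or signers): one record
# per installer fetched by an endpoint's auto-updater. 'signer' is the subject
# of the code-signing certificate the endpoint agent reported for the file.
CLEAN = sha256_hex(b"constructed clean updater build")
ROGUE = sha256_hex(b"constructed rogue installer")
UPDATE_URL = "http://updates.vendor.example/app/3.1.0/setup.exe"
OTHER_URL = "http://updates.vendor.example/app/3.1.0/lang-pack.zip"

DOWNLOADS = [
    {"host": "ws-01", "url": UPDATE_URL, "sha256": CLEAN, "signer": "Vendor Example Ltd"},
    {"host": "ws-02", "url": UPDATE_URL, "sha256": CLEAN, "signer": "Vendor Example Ltd"},
    {"host": "ws-03", "url": UPDATE_URL, "sha256": CLEAN, "signer": "Vendor Example Ltd"},
    # ws-04 requested the same URL and received a different, differently signed file
    {"host": "ws-04", "url": UPDATE_URL, "sha256": ROGUE, "signer": "Unrelated Signer"},
    {"host": "ws-01", "url": OTHER_URL, "sha256": sha256_hex(b"lang pack"), "signer": "Vendor Example Ltd"},
]


def find_divergent_updates(downloads, expected_signers):
    """Return findings for two indicators of a hijacked update channel.

    1. The same update URL delivered more than one distinct payload across
       the fleet. Server-side targeting and in-path interception both
       produce this pattern; a clean update server does not. The majority
       hash is assumed legitimate, so this only works while targeted hosts
       are a minority, which is the case in a selective campaign.
    2. A payload whose signer is not on the expected vendor list. This works
       even on a single host, where no fleet comparison is possible.
    """
    by_url = defaultdict(lambda: defaultdict(set))
    for d in downloads:
        by_url[d["url"]][d["sha256"]].add(d["host"])

    findings = []
    for url, variants in by_url.items():
        if len(variants) < 2:
            continue
        majority = max(variants, key=lambda h: len(variants[h]))
        for digest, hosts in variants.items():
            if digest != majority:
                findings.append({
                    "reason": "minority payload for same URL",
                    "url": url, "sha256": digest, "hosts": sorted(hosts),
                })

    for d in downloads:
        if d["signer"] not in expected_signers:
            findings.append({
                "reason": "unexpected signer",
                "url": d["url"], "sha256": d["sha256"], "hosts": [d["host"]],
                "signer": d["signer"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_divergent_updates(DOWNLOADS, {"Vendor Example Ltd"}):
        print(finding)
```

The fleet comparison is what distinguishes this case from a simple bad-hash alert: it does not need to know the correct hash in advance, only that every client asking for the same file should get the same bytes. It cannot tell server-side targeting from AitM on its own; for that, compare the source IP and TLS certificate the minority host connected to against those seen by the majority.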