Tencent QQ Users Hacked in Mysterious Malware Attack, Says ESET

Cyber Security Threat Summary:
Security researchers from ESET have linked a Chinese APT group, Evasive Panda, to an attack that distributed the MgBot malware via an automatic update for the Tencent QQ messaging app. Evasive Panda has been active since at least 2012, targeting organizations and individuals in mainland China, Hong Kong, Macao, Nigeria, and several countries in Southeast and East Asia. ESET discovered the latest campaign in January 2022, but evidence suggests it began in 2020. The victims of the campaign, primarily members of an international NGO, are concentrated in the provinces of Gansu, Guangdong, and Jiangsu, indicating a specific and targeted approach.

“ESET reports that the malicious MgBot malware payload was delivered to victims as a Tencent QQ software update from legitimate URLs and IP addresses belonging to the software developer. This means there can be two possible scenarios for the attack - a supply chain attack or an adversary-in-the-middle (AITM) attack. In the first scenario, Evasive Panda would have to breach into Tencent QQ's update distribution servers to trojanize the 'QQUrlMgr[.]exe' file delivered to victims under the guise of a legitimate software update. ESET noticed that the trojanized versions of the updater file fetch the malware from a hardcoded URL (“update.browser.qq[.]com”) and use a hardcoded decryption key that matches the correct MD5 hash provided by the server. However, the legitimacy of this URL has yet to be validated, and Tencent did not respond to ESET's question. Also, the analysts could not retrieve a sample of the XML update data from the server, which would reveal the malware delivery mechanism” (Bleeping Computer, 2023).

ESET noticed similarities between the adversary-in-the-middle (AitM) scenario and past campaigns that used this tactic, such as one by the LuoYu APT that Kaspersky highlighted in a 2022 report. That campaign used the WinDealer malware, which generated random IP addresses from China Telecom for AitM interception, and those addresses fall in the same range as the ones that delivered MgBot in the Evasive Panda campaign. While these overlaps make either scenario plausible, ESET was unable to find conclusive evidence, and several questions remain unanswered. Bleeping Computer reached out to ESET and Tencent for further information about the attack.
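The security-relevant detail in the two scenarios above is that the MD5 hash the updater checks is supplied by the same server (or the same network path) that supplies the payload. The following is an added toy model, not Tencent's, ESET's, or the malware's code, that shows why such a check cannot distinguish a genuine update from a substituted one, and what a check pinned to a key the channel cannot change does differently. The payload bytes, the XOR "cipher", the hard-coded key, and the publisher key are all constructed for illustration; HMAC stands in for an asymmetric signature only because it is available in the standard library.

```python
"""Toy model of why a server-supplied MD5 does not authenticate an update.

Constructed illustration; none of this is Tencent's, ESET's, or the
malware's code. The updater is modelled as: fetch an encrypted blob and
its MD5 from the update server, check the MD5, decrypt with a key that is
hard-coded in the updater. An adversary who controls the channel (AitM)
or the distribution server can recompute the MD5 for any blob, so the
check only detects transmission errors, not substitution.
"""
import hashlib
import hmac
from typing import Optional

# Constructed stand-ins for the real binaries.
GENUINE_PAYLOAD = b"QQUrlMgr genuine bytes (constructed sample)"
TROJAN_PAYLOAD = b"QQUrlMgr trojanized bytes (constructed sample)"

# Hard-coded in the updater, so anyone who has the updater binary has it too.
HARDCODED_KEY = b"constructed-hardcoded-key"

# Hypothetical publisher key for the hardened variant. HMAC is used here only
# because it is in the standard library; a real updater would check an
# asymmetric signature against a public key pinned in the client.
PUBLISHER_KEY = b"constructed publisher signing key, never sent over the channel"


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Toy symmetric cipher (XOR, self-inverse) standing in for the real one."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_update_response(payload: bytes) -> dict:
    """What the update server returns: the encrypted blob plus its MD5.

    Whoever controls the channel can produce this for any payload.
    """
    blob = xor_crypt(payload, HARDCODED_KEY)
    return {"blob": blob, "md5": hashlib.md5(blob).hexdigest()}


def adversary_in_the_middle(trojan: bytes) -> dict:
    """Replace the genuine response with one carrying the trojan.

    Every field the attacker can compute (blob, MD5) is consistent. The
    attacker has no publisher key, so the signature is made with their own.
    """
    forged = build_update_response(trojan)
    forged["sig"] = hmac.new(b"attacker key", forged["blob"], hashlib.sha256).hexdigest()
    return forged


def accept_by_server_md5(response: dict) -> Optional[bytes]:
    """Weak check: trusts the hash that arrived alongside the payload."""
    if hashlib.md5(response["blob"]).hexdigest() != response["md5"]:
        return None
    return xor_crypt(response["blob"], HARDCODED_KEY)


def accept_by_pinned_key(response: dict) -> Optional[bytes]:
    """Hardened check: verifies against a key the channel cannot change.

    This defeats the AitM scenario. It does not help in the supply-chain
    scenario, where the updater binary itself (and hence the pinned key)
    is what the attacker replaced.
    """
    expected = hmac.new(PUBLISHER_KEY, response["blob"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, response.get("sig", "")):
        return None
    return xor_crypt(response["blob"], HARDCODED_KEY)


def run_scenarios() -> dict:
    """Run a genuine update and an AitM-substituted one through both checks."""
    genuine = build_update_response(GENUINE_PAYLOAD)
    genuine["sig"] = hmac.new(PUBLISHER_KEY, genuine["blob"], hashlib.sha256).hexdigest()
    forged = adversary_in_the_middle(TROJAN_PAYLOAD)
    return {
        "md5_accepts_genuine": accept_by_server_md5(genuine) == GENUINE_PAYLOAD,
        "md5_accepts_trojan": accept_by_server_md5(forged) == TROJAN_PAYLOAD,
        "pinned_accepts_genuine": accept_by_pinned_key(genuine) == GENUINE_PAYLOAD,
        "pinned_rejects_trojan": accept_by_pinned_key(forged) is None,
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

The MD5 check accepts both the genuine and the trojanized response, because the attacker who substitutes the blob also substitutes its hash. The pinned-key check rejects the forged response, which is the property an updater needs against interception; it offers nothing if the updater binary itself was trojanized at the source, which is why the supply-chain scenario is the more serious of the two.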

Security Officer Comments:
Evasive Panda has been using the MgBot payload, a C++ Windows backdoor, since its inception in 2012. ESET notes that the malware's installer, backdoor functionality, and execution chain have remained largely unchanged since Malwarebytes analyzed them in 2020. MgBot uses a modular architecture that allows it to receive DLL plugins from the C2 to perform specialized functions such as stealing files, keylogging in Tencent apps, capturing audio streams, and stealing credentials from various email clients and browsers. The group has primarily targeted Chinese users and Chinese applications, and in this campaign it compromised the Tencent QQ update channel by a method that remains unclear (a supply chain compromise or AitM interception). Because the malicious update arrived from legitimate Tencent URLs and IP addresses, controls that rely on the reputation of the download source would not have caught it. This example of Evasive Panda's capabilities calls for greater vigilance from potential targets, as the group goes beyond typical infection methods like social engineering and phishing.

Suggested Corrections:
ESET has published IOCs that can be used to detect the Evasive Panda APT group:

https://www.welivesecurity.com/