| Evasive Panda | |
| --- | --- |
| Other Names | BRONZE HIGHLAND |
| Date of initial activity | 2012 |
| Location | China |
| Suspected Attribution | APT |
| Motivation | Cyberespionage |
| Associated Tools | MgBot |
| Software | Windows |
Overview
Evasive Panda, a highly sophisticated Advanced Persistent Threat (APT) group, has been conducting covert cyberespionage operations since at least 2012, with its activities primarily focused on China and Southeast Asia. Known for its ability to remain undetected for extended periods, the group has successfully targeted a wide range of entities, including government institutions, international non-governmental organizations (NGOs), and private companies. What sets Evasive Panda apart from many other threat actors is its strategic exploitation of legitimate software update mechanisms to deliver malicious payloads, making its attacks particularly difficult to detect.
A key tool in Evasive Panda's arsenal is the MgBot backdoor, a custom-built malware framework that serves as the foundation for the group's espionage efforts. MgBot has a modular architecture: the core backdoor receives and loads plugin modules, each tailored to a spying task such as logging keystrokes, stealing credentials, exfiltrating files, or capturing audio. What makes the campaigns especially insidious is the delivery: MgBot installers have been pushed through hijacked routine updates of trusted Chinese software, including the widely used Tencent QQ messenger, so the victim installs the backdoor by accepting what looks like a normal update.
In recent operations, Evasive Panda has used hijacked update channels to compromise legitimate software, distributing malware to select individuals and organizations. Victims, often unaware of any breach, continue to use compromised software while their data is siphoned off to remote command-and-control (C2) servers operated by the attackers. These campaigns are not only focused on mainland China, but have also extended to targets in Hong Kong, Taiwan, and as far as Nigeria, demonstrating the global reach and ambition of the group.
Common Targets
Information
Individuals
Public Administration – India
Hong Kong
Taiwan
China
Attack vectors
Hijacked software update channels (supply chain compromise)
Spear-phishing and other social engineering
How they work
At the core of Evasive Panda’s operations is MgBot, a modular malware platform that enables the group to execute a variety of espionage activities. MgBot is designed to collect sensitive information, execute commands, and maintain persistent access to compromised systems. What makes MgBot particularly dangerous is its modularity—allowing the attackers to expand its capabilities through additional plugins that can be deployed as needed. These plugins perform various functions, such as keystroke logging, credential theft, clipboard data capture, and even audio surveillance. This adaptability has allowed Evasive Panda to evolve its tactics to suit its objectives, making it one of the more elusive and dangerous APT groups.
Evasive Panda's hallmark is delivering malware through channels the victim already trusts: legitimate software updates and third-party applications. Hijacking an update channel, a form of supply chain compromise, sidesteps controls that look for unfamiliar downloads or unexpected installers, because the payload arrives where and when a routine update is expected. The best-known example is the abuse of update mechanisms for applications widely used in China to install MgBot on selected users, who saw nothing more than an ordinary update. One caveat for defenders: in the publicly documented cases it has not always been established whether the attackers compromised the vendor's distribution infrastructure or intercepted the update traffic on the network path (an adversary-in-the-middle position), so both the vendor side and the victim's own network path deserve scrutiny. Either way, the technique underscores the group's focus on stealth and persistence.
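Two detections follow from the update-hijack behaviour described above and in the overview (a legitimate updater fetching an executable that only some clients receive in tampered form). The script below is an added example written for this page, not code from the original article or from any vendor; it runs over a constructed proxy log (the `.test` hostnames, client addresses and `hash_*` placeholders are invented, and a real log would carry full SHA-256 digests). Rule 1 flags Windows executables fetched over cleartext HTTP, which anyone on the network path can substitute. Rule 2 groups downloads by URL and reports clients that received a file hash different from the majority for the same URL, the signature of selective delivery to chosen victims.

```python
import csv
import io
from collections import Counter, defaultdict
from typing import Dict, List

# MIME types proxies commonly assign to Windows PE files.
PE_MIME = {
    "application/x-dosexec",
    "application/x-msdownload",
    "application/vnd.microsoft.portable-executable",
}

# Constructed sample log (not real traffic). Client 10.0.1.37 receives a different
# file than everyone else for the same update URL; setup.exe is a plain-HTTP PE.
SAMPLE_LOG = """\
ts,client_ip,scheme,host,path,status,mime,sha256
2024-03-01T09:00:01Z,10.0.1.15,http,update.vendor.test,/client/update/Update.exe,200,application/x-dosexec,hash_A
2024-03-01T09:00:04Z,10.0.1.22,http,update.vendor.test,/client/update/Update.exe,200,application/x-dosexec,hash_A
2024-03-01T09:00:09Z,10.0.1.37,http,update.vendor.test,/client/update/Update.exe,200,application/x-dosexec,hash_B
2024-03-01T09:02:11Z,10.0.1.37,https,cdn.vendor.test,/docs/help.pdf,200,application/pdf,hash_C
2024-03-01T09:03:00Z,10.0.1.40,http,mirror.other.test,/tools/setup.exe,200,application/x-dosexec,hash_D
2024-03-01T09:04:30Z,10.0.1.15,https,update.vendor.test,/client/manifest.json,200,application/json,hash_E
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the CSV proxy log into one dict per request."""
    return list(csv.DictReader(io.StringIO(text)))


def cleartext_pe_downloads(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rule 1: a PE fetched over plain HTTP can be swapped by anyone on the path."""
    return [r for r in rows if r["scheme"] == "http" and r["mime"] in PE_MIME]


def divergent_payloads(rows: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Rule 2: the same URL serving different file hashes to different clients.

    The majority hash is treated as the genuine update and every other hash as an
    outlier; the clients that received an outlier are the candidate victims.
    """
    by_url: Dict[tuple, List[Dict[str, str]]] = defaultdict(list)
    for r in rows:
        if r["status"] == "200" and r["mime"] in PE_MIME:
            by_url[(r["host"], r["path"])].append(r)

    findings: List[Dict[str, object]] = []
    for (host, path), hits in by_url.items():
        counts = Counter(h["sha256"] for h in hits)
        if len(counts) < 2:
            continue  # every client got the same file
        majority = counts.most_common(1)[0][0]
        findings.append({
            "url": f"{host}{path}",
            "majority_sha256": majority,
            "outliers": [(h["client_ip"], h["sha256"]) for h in hits if h["sha256"] != majority],
        })
    return findings


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for r in cleartext_pe_downloads(rows):
        print(f"cleartext PE: {r['client_ip']} <- http://{r['host']}{r['path']}")
    for f in divergent_payloads(rows):
        print(f"divergent payload at {f['url']}: majority {f['majority_sha256']}, outliers {f['outliers']}")
```

Rule 2 only catches selective delivery: if the vendor's own distribution point was compromised, every client receives the same bad file and the rule stays silent, which is why the cleartext rule and vendor-side verification (signature checks on the downloaded installer) still matter. A legitimate version rollout can also produce two hashes for one URL around the release boundary, so correlate the timestamps of the outliers with the vendor's release schedule before escalating.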
Their campaigns are meticulously tailored to their targets, leveraging spear-phishing and other social engineering techniques to gain initial access. Once inside a network, Evasive Panda moves laterally through systems, seeking valuable information. Their keylogger plugin, for instance, has been used to steal credentials from Tencent QQ, a popular instant messaging application in China. Their clipboard and browser cookie stealers complement it: clipboard capture picks up pasted passwords and one-time codes, and stolen session cookies let the attackers reuse an authenticated web session without ever needing the password, activity that file-based detection does not see.
Another key aspect of Evasive Panda's operation is its command-and-control (C2) infrastructure. C2 servers relay operator commands to infected systems and receive the collected data over encrypted channels, so content inspection alone will not reveal what is being exfiltrated; detection has to rest on the endpoint, the destinations contacted and the traffic pattern instead. Combined with regular rotation of the servers themselves, this keeps the shelf life of any single network indicator short.
The group’s focus on espionage is evident in their targeting patterns, which often align with Chinese political, economic, or military interests. Their operations span multiple regions, including Vietnam, Taiwan, and other countries in Southeast Asia. However, their attacks have also been observed outside of this primary area, indicating that their objectives may include broader geopolitical or economic espionage activities.
Despite being active for several years, Evasive Panda has managed to avoid significant disruption to its operations, a testament to its operational security measures. The group frequently alters its attack infrastructure and command servers to avoid detection, and its use of legitimate software as an infection vector allows them to evade many cybersecurity defenses.
MITRE Tactics and Techniques
Resource Development
T1583.004: Acquire Infrastructure: Server
Evasive Panda acquires and maintains command-and-control (C2) servers to facilitate malware communication with infected machines.
T1587.001: Develop Capabilities: Malware
The group develops custom malware, such as MgBot and its various plugins, to extend its functionality and maintain persistent access to compromised systems.
Execution
T1059.003: Command and Scripting Interpreter: Windows Command Shell
MgBot uses Windows command shells for launching backdoor commands during execution.
T1106: Native API
MgBot calls the undocumented CreateProcessInternalW API directly to launch its backdoor components, bypassing the documented CreateProcess wrappers that user-mode monitoring commonly hooks.
T1569.002: System Services: Service Execution
MgBot is executed as a Windows service, allowing it to maintain persistence and remain active on compromised systems.
Persistence
T1543.003: Create or Modify System Process: Windows Service
The installer replaces the DLL backing an existing Windows service, notably the Application Management (AppMgmt) service, so that the service host loads MgBot at boot under a legitimate service name. The persistence therefore lives in the service's ServiceDll registry value rather than in a new service entry.
Privilege Escalation
T1548.002: Abuse Elevation Control Mechanism: Bypass User Account Control
MgBot performs User Account Control (UAC) bypass techniques to escalate privileges and gain higher access to the system.
Defense Evasion
T1140: Deobfuscate/Decode Files or Information
MgBot decodes and decrypts its components at runtime: configuration strings are stored encrypted and additional malware files are embedded inside the installer, so the plaintext exists only in memory and static inspection of the files on disk reveals little.
T1112: Modify Registry
The malware modifies Windows registry keys to achieve persistence and evade detection.
T1027: Obfuscated Files or Information
MgBot installers and plugins are obfuscated, using techniques to conceal their true nature and make analysis challenging for defenders.
T1055.002: Process Injection: Portable Executable Injection
MgBot is capable of injecting its malicious code into other processes to remain hidden from detection mechanisms.
Credential Access
T1555.003: Credentials from Password Stores: Credentials from Web Browsers
MgBot’s plugins, such as agentpwd.dll, are designed to steal credentials from popular web browsers like Chrome, Firefox, and Edge.
T1539: Steal Web Session Cookie
The Gmck.dll plugin steals cookies from browsers, allowing attackers to hijack web sessions and potentially bypass authentication mechanisms.
Discovery
T1082: System Information Discovery
MgBot gathers information about the infected system, including OS version, hardware details, and running processes.
T1016: System Network Configuration Discovery
The malware collects information about the network configuration, such as IP addresses and DNS settings, to facilitate lateral movement or exfiltration.
T1083: File and Directory Discovery
MgBot can create detailed file listings, helping attackers locate valuable information for exfiltration.
Collection
T1056.001: Input Capture: Keylogging
The keylogger plugin kstrcs.dll logs keystrokes, especially when users interact with specific applications like Tencent QQ.
T1119: Automated Collection
MgBot plugins automate the collection of data, such as files, credentials, and clipboard content, without user interaction.
T1115: Clipboard Data
The Cbmrpa.dll plugin captures data from the clipboard, potentially including passwords and other sensitive information.
T1123: Audio Capture
The pRsm.dll plugin records audio input and output from the system’s microphone and speakers.
T1114.001: Email Collection: Local Email Collection
MgBot’s plugins are designed to steal email credentials and messages from email clients such as Outlook and Foxmail.
Command and Control
T1095: Non-Application Layer Protocol
MgBot communicates with its C2 servers directly over TCP and UDP rather than through a standard application-layer protocol such as HTTP, so the traffic does not appear in web proxy logs and must be found through flow or endpoint telemetry.
Exfiltration
T1041: Exfiltration Over C2 Channel
MgBot exfiltrates collected data over the same encrypted C2 channel used for tasking rather than a separate exfiltration channel, so stolen data leaves the network alongside ordinary beacon traffic.