A China-linked Advanced Persistent Threat (APT) group has been implicated in targeted cyber espionage operations in which the adversaries tampered with Domain Name System (DNS) resolution to deliver their signature MgBot backdoor to victims in Turkiye, China, and India.
According to Kaspersky, the activity was observed from November 2022 to November 2024 and has been attributed to Evasive Panda, which is also tracked as Bronze Highland, Daggerfly, and StormBamboo. The group is believed to have been active since at least 2012.
“The group mainly carried out adversary-in-the-middle (AitM) attacks against specific victims,” Kaspersky researcher Fatih Şensoy said in a detailed analysis. “These included techniques to drop loaders in specific locations or store encrypted portions of the malware on attacker-controlled servers, which were resolved in response to DNS requests for specific websites.”
This is not the first time that Evasive Panda’s DNS poisoning capabilities have surfaced. ESET noted that in attacks targeting international non-governmental organizations (NGOs) in mainland China dating back to April 2023, the threat actors may have carried out a supply chain compromise or AitM attacks to deliver Trojanized versions of legitimate applications such as Tencent QQ.
In August 2024, a Volexity report described how the attackers compromised an unnamed internet service provider (ISP) and used DNS poisoning to push malicious software updates to their intended targets.
Evasive Panda is also one of many China-aligned threat activity clusters that rely on AitM poisoning to distribute malware. In an analysis last month, ESET said it was tracking 10 active Chinese groups that used the technique for initial access and lateral movement, including LuoYu, BlackTech, TheWizards APT, Blackwood, PlushDaemon, and Font Goblin.
Attacks documented by Kaspersky found the threat actors using decoys disguised as updates for third-party software, such as SohuVA, the video streaming service from Chinese internet company Sohu. The malicious update was served from the domain p2p.hd.sohu.com(.)cn, which likely indicates a DNS poisoning attack.
“While the legitimate update module of the SohuVA application was attempting to update the binaries located at appdata\roaming\shapp\7.0.18.0\package, the attacker may have used a DNS poisoning attack to change the DNS response for p2p.hd.sohu.com(.)cn to the IP address of a server controlled by the attacker,” Şensoy explained.
The Russian cybersecurity vendor said it also identified other Evasive Panda campaigns that used fake updaters for Baidu’s iQIYI Video, IObit Smart Defrag, and Tencent QQ.
The attack paves the way for the deployment of an initial loader that launches shellcode, which in turn retrieves the encrypted second-stage shellcode, disguised as a PNG image file, through another DNS poisoning, this time of the legitimate website Dictionary(.)com.

Evasive Panda allegedly manipulated the IP addresses returned for dictionary(.)com, causing victims’ systems to resolve the domain to attacker-controlled IP addresses chosen according to their geographic location and internet service provider.
At this time, it is unclear how the attacker is poisoning the DNS responses, but there are two plausible scenarios: either the victim’s ISP was selectively targeted and compromised, with some kind of network implant installed on an edge device, or the victim’s own router or firewall was hacked for this purpose.
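The two hijacks described above share one detectable trait: a legitimate name (the vendor's update host, then dictionary.com) suddenly answers with an address outside the ranges it normally uses, and the same rogue address shows up for unrelated domains, often only for a subset of clients. The following is an added example written for this article, not code from Kaspersky or from the campaign; it runs an offline check over constructed passive-DNS style log lines. The log format, the baseline prefixes and every IP address in it are assumptions made for the demonstration (documentation ranges are used for the "attacker" addresses); in practice the baseline comes from the vendor's published ranges or from an out-of-band resolver.

```python
"""Flag DNS answers that fall outside a per-domain baseline and correlate
rogue answers that are shared across unrelated domains.

Added example for illustration; log lines, prefixes and addresses are
constructed, not observed data."""
import ipaddress
from collections import defaultdict

# Constructed log records: "<timestamp> <client> <qname> <answer>".
# p2p.hd.sohu.com.cn and dictionary.com are the names from the report; the
# answers and client addresses are made up (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2024-03-01T10:00:01 10.1.1.20 p2p.hd.sohu.com.cn 203.0.113.10
2024-03-01T10:00:02 10.1.1.21 p2p.hd.sohu.com.cn 203.0.113.11
2024-03-01T10:05:09 10.1.1.22 p2p.hd.sohu.com.cn 198.51.100.77
2024-03-01T10:05:12 10.1.1.22 dictionary.com 198.51.100.77
2024-03-01T10:06:00 10.1.1.23 dictionary.com 192.0.2.50
2024-03-01T10:09:00 10.1.1.26 dictionary.com 198.51.100.9
"""

# Constructed baseline: prefixes each domain is expected to resolve into.
BASELINE = {
    "p2p.hd.sohu.com.cn": ["203.0.113.0/24"],
    "dictionary.com": ["192.0.2.0/24"],
}


def parse_records(text):
    """Parse log lines into dicts, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, answer = parts
        try:
            addr = ipaddress.ip_address(answer)
        except ValueError:
            continue  # not an A/AAAA answer; ignore
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "answer": addr})
    return records


def compile_baseline(baseline):
    """Turn the prefix strings into ip_network objects, keyed by lower-case name."""
    return {name.lower(): [ipaddress.ip_network(p) for p in prefixes]
            for name, prefixes in baseline.items()}


def find_out_of_baseline(records, baseline):
    """Return records whose answer is outside every expected prefix for its name."""
    nets = compile_baseline(baseline)
    hits = []
    for rec in records:
        expected = nets.get(rec["qname"])
        if expected is None:
            continue  # no baseline for this name, nothing to compare against
        if not any(rec["answer"] in net for net in expected):
            hits.append(rec)
    return hits


def find_shared_rogue_ips(hits):
    """Map each rogue answer to the set of domains it served; keep only IPs
    that answered for more than one domain, the strongest poisoning signal."""
    by_ip = defaultdict(set)
    for rec in hits:
        by_ip[str(rec["answer"])].add(rec["qname"])
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


def analyze(text, baseline):
    """Run the full check and return a small report dict."""
    hits = find_out_of_baseline(parse_records(text), baseline)
    return {
        "out_of_baseline": [(r["qname"], str(r["answer"]), r["client"]) for r in hits],
        "shared_rogue_ips": find_shared_rogue_ips(hits),
        "affected_clients": sorted({r["client"] for r in hits}),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG, BASELINE).items():
        print(f"{key}: {value}")
```

A single out-of-baseline answer (the last log line) may just be CDN churn and deserves a baseline review; one address answering for two unrelated names, seen only from one client, matches the selective, per-victim redirection the article describes and is the event to escalate.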
The HTTP request that retrieves the second-stage shellcode also includes the current Windows version number, which could be an attempt by the attacker to target specific operating system versions and adapt the strategy to the OS in use. It is worth noting that Evasive Panda has previously used watering hole attacks to distribute Apple macOS malware codenamed MACMA.
The exact nature of the second-stage payload is unknown, but Kaspersky’s analysis indicates that the first-stage shellcode decrypts and executes the retrieved payload. The attackers are assessed to generate a unique encrypted second-stage shellcode file for each victim as a way to evade detection.
A key aspect of this operation is the use of a secondary loader (‘libpython2.4.dll’) that is sideloaded by a renamed older version of ‘python.exe’. Once launched, it reads the contents of a file named “C:\ProgramData\Microsoft\eHome\perf.dat” to decrypt and launch the next stage of the malware. This file contains the payload that was downloaded and decrypted in the previous step.
“The attackers appear to have used a complex process to obtain this stage from resources that were initially XOR encrypted,” Kaspersky said. “The attacker then decrypted this stage with XOR, then encrypted it using a custom hybrid of Microsoft’s Data Protection Application Programming Interface (DPAPI) and the RC5 algorithm and stored it in perf.dat.”
The use of custom encryption is seen as an attempt to complicate analysis: the encrypted data can only be decrypted on the specific system on which it was encrypted, hindering any effort to intercept and analyze the malicious payload elsewhere.
The decrypted code is a variant of MgBot that the secondary loader injects into the legitimate “svchost.exe” process. A modular implant, MgBot can collect files, log keystrokes, collect clipboard data, record audio streams, and steal credentials from web browsers, allowing the malware to remain silently present on a compromised system for an extended period of time.
“The Evasive Panda threat actor has once again demonstrated its advanced capabilities, persisting on target systems for extended periods of time and using new techniques and tools to evade security measures,” Kaspersky said.