Chinese hacker group Evasive Panda hacked a Tencent app to spy on an NGO.

ESET analysts have noticed that the Chinese hack group Evasive Panda has hacked into the Tencent app and attacked an unnamed international non-governmental organization (NGO) operating in China.

The attack was carried out using the MgBot malware, which was made part of an automatic update for the Tencent QQ messenger.

Let us remind you that we also wrote that Chinese government hackers successfully spied on organizations in Europe, Australia and Southeast Asia, and that two hacking groups simultaneously hacked a US federal agency using a four-year-old bug. The media also wrote that Chinese cybercriminals stole over $500 million from Indians.

Evasive Panda, also known as Bronze Highland and Daggerfly, is a Chinese APT group that has been linked since 2012 to cyber-espionage attacks against various targets in China, Hong Kong and other countries in East and South Asia.

One of the distinguishing features of the group is its use of the MgBot modular framework, which can receive additional components on the fly to expand its information-collection capabilities. Thus, the capabilities of this malware, written in C++, include file theft, keylogging, theft of clipboard data, audio recording and theft of credentials from browsers.

At the same time, most MgBot plugins are designed to steal information from popular Chinese applications developed by Tencent, including QQ, WeChat, QQBrowser and Foxmail.

ESET says it discovered the Evasive Panda malware campaign in January 2022, when a legitimate Chinese app was used to deploy the MgBot backdoor installer. According to the company, the hackers' targets were in the provinces of Gansu, Guangdong and Jiangsu and were members of an unnamed international non-governmental organization. Interestingly, the MgBot backdoor installer appears to have been detected and removed while it was being downloaded to the victims' computers, so the compromise attempts were unsuccessful.

According to the researchers, the MgBot malicious payload was delivered to victims as an update for Tencent QQ from legitimate URLs and IP addresses belonging to the developers of this software. Effectively, this means that either a supply chain attack or an adversary-in-the-middle attack took place.

In the first case, Evasive Panda would have had to compromise Tencent QQ's update servers in order to infect the QQUrlMgr.exe file with malware, which was then delivered to the victims under the guise of a legitimate update.

Evasive Panda and Tencent

The researchers note that the malicious versions of the update file downloaded the malware itself from a hard-coded URL (update.browser.qq[.]com) and used a hard-coded decryption key that matched the correct MD5 hash provided by the server. However, the legitimacy of this URL has not yet been confirmed, and Tencent representatives did not answer ESET's questions. Moreover, the analysts were unable to obtain a sample of the XML data from the server, which would have given a better understanding of the malware delivery mechanism.

Possible attack pattern

As for the second scenario, an adversary-in-the-middle attack, the researchers noticed similarities with other malware campaigns that used this tactic, including one of the LuoYu APT attacks.

During that campaign, the WinDealer malware was used, which generated random China Telecom IP addresses to perform AITM attacks. These IP addresses appeared to be in the same ranges as the ones from which MgBot was delivered in the Evasive Panda campaign.

In addition, the attackers could compromise vulnerable devices such as routers or gateways and use them for the attack.

"By gaining access to the backbone infrastructure of an ISP (legitimately or illegally), Evasive Panda could intercept and respond to update requests performed via HTTP, or even replace packets on the fly," the experts conclude.
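As an added illustration (not from the ESET report or this article), the following Go program models why a digest quoted by the update server over plain HTTP cannot protect against the on-path scenario described above, and what a client with a pinned vendor public key changes. The UpdateResponse layout, the Ed25519 key and the sample bytes are constructed for the demonstration and are not Tencent's real update format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"encoding/hex"
	"fmt"
)

// UpdateResponse models what an update client receives over plain HTTP: the
// binary and the digest the server quotes for it (hypothetical layout, not the
// real Tencent QQ format). Sig is the field a hardened client would require.
type UpdateResponse struct {
	Payload []byte
	MD5Hex  string
	Sig     []byte // detached Ed25519 signature over Payload
}

func md5Hex(b []byte) string {
	sum := md5.Sum(b)
	return hex.EncodeToString(sum[:])
}

// VerifyByServerHash is the weak check: the digest travels in the same
// unauthenticated response as the payload, so a match only proves the two
// fields agree with each other, not that either came from the vendor.
func VerifyByServerHash(r UpdateResponse) bool {
	return md5Hex(r.Payload) == r.MD5Hex
}

// VerifyBySignature accepts the payload only if its signature verifies under a
// vendor public key pinned in the client at build time.
func VerifyBySignature(pinned ed25519.PublicKey, r UpdateResponse) bool {
	return ed25519.Verify(pinned, r.Payload, r.Sig)
}

// Scenario runs both checks on a genuine response and on a copy whose body was
// replaced in transit with the quoted MD5 recomputed to match (all the weak check
// asks for). Returns (hashAcceptsRewritten, sigAcceptsRewritten, sigAcceptsGenuine).
func Scenario() (bool, bool, bool) {
	seed := make([]byte, ed25519.SeedSize) // constructed all-zero seed, for a reproducible demo only
	priv := ed25519.NewKeyFromSeed(seed)
	pub := priv.Public().(ed25519.PublicKey)
	genuine := []byte("constructed sample: legitimate updater bytes")
	resp := UpdateResponse{Payload: genuine, MD5Hex: md5Hex(genuine), Sig: ed25519.Sign(priv, genuine)}
	body := []byte("constructed sample: substituted bytes")
	rewritten := UpdateResponse{Payload: body, MD5Hex: md5Hex(body), Sig: resp.Sig} // old signature no longer matches
	return VerifyByServerHash(rewritten), VerifyBySignature(pub, rewritten), VerifyBySignature(pub, resp)
}

func main() { h, s, g := Scenario(); fmt.Println(h, s, g) } // true false true
```

The same reasoning applies to a hard-coded decryption key: it hides the payload from a passive observer but authenticates nothing, since anyone who can rewrite the HTTP response can also supply a payload encrypted under that key.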

About the author

Karina Wilson

With over 10 years of experience writing for online and print media, I am an expert at delivering clear and engaging copy.

I have written for top SEO copywriting agencies and for some of the UK's best-known brands, magazines and newspapers.
