
Evasive Panda: The Famous Chinese Hacking Group’s Evolving Arsenal and Espionage Activities


The Chinese hacking group tracked as 'Evasive Panda,' also known as 'Daggerfly' or 'Bronze Highland,' has once again made headlines through its continued development and deployment of sophisticated malware targeting both macOS and Windows systems. Symantec's threat hunting team recently discovered new versions of the Macma backdoor and the Nightdoor Windows malware, highlighting the group's persistent cyber espionage efforts.

Recent Attacks and Techniques

Evasive Panda, known for its long history of cyber espionage, is believed to have been active since 2012. Its operations have targeted organizations in Taiwan and an American non-governmental organization (NGO) in China. One significant attack attributed to Daggerfly involved exploiting a flaw in an Apache HTTP server to deliver a new version of the group's signature modular malware framework, MgBot. This attack showcases the group's ongoing efforts to update its tools and evade detection.

In another incident, ESET observed Evasive Panda successfully leveraging Tencent QQ software updates to infect NGO members in China with MgBot malware. The compromises were achieved through sophisticated methods such as supply chain attacks or adversary-in-the-middle (AITM) attacks, reflecting the group's advanced capabilities.

Macma: A Modular macOS Malware

Macma is a modular malware for macOS, first documented by Google’s Threat Analysis Group (TAG) in 2021. Although initially unattributed, recent findings by Symantec have linked Macma to Evasive Panda. The latest variants of Macma exhibit ongoing development with several notable enhancements:

·        New logic for file system listing: Incorporates code based on the 'Tree' utility to list files and directories.

·        Modified AudioRecorderHelper: Enhances audio recording features.

·        Additional parametrization and debug logging: Improves functionality and troubleshooting.

·        New file (param2.ini): Sets options for adjusting screenshot size and aspect ratio.

The connection between Macma and Evasive Panda was confirmed when two Macma variants were found communicating with a command and control (C2) server also used by a MgBot dropper. Additionally, Macma and other malware in the group's toolkit share code from a custom library, providing essential functions like synchronization primitives and platform-independent abstractions.

Nightdoor: A Versatile Windows Backdoor

Nightdoor, also known as 'NetMM,' is a key component of Evasive Panda's toolkit. This Windows backdoor was attributed to Evasive Panda by ESET in early 2024. Symantec discovered that Nightdoor was used in attacks where it connected to OneDrive to fetch a legitimate DAEMON Tools Lite Helper application and a DLL file, which created scheduled tasks for persistence and loaded the final payload into memory.

Nightdoor employs various techniques to maintain its presence and avoid detection:

·        Anti-VM code: Uses code from the 'al-khaser' project to evade virtual machine-based analysis.

·        Command execution: Capable of executing commands such as 'ipconfig,' 'systeminfo,' 'tasklist,' and 'netstat' for network and system profiling.

·        C2 interaction via open pipes: Allows secure communication with its command and control server.
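As an added, defender-side example that is not part of the original article: the profiling commands listed above ('ipconfig', 'systeminfo', 'tasklist', 'netstat') are individually ordinary, so a more useful signal is several of them launched by one parent process within a short window. The Python below runs that check over constructed sample process-creation records (hypothetical pipe-delimited format, not real telemetry); the window length and the threshold of three distinct tools are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Recon utilities the article says Nightdoor runs for host/network profiling.
RECON_CMDS = {"ipconfig", "systeminfo", "tasklist", "netstat"}
WINDOW = timedelta(minutes=5)  # assumed tuning value, not from the article
MIN_DISTINCT = 3               # alert when >= 3 distinct recon tools appear

# Constructed sample telemetry (not real data): timestamp|parent PID|image|command line
SAMPLE_LOG = """\
2024-07-01T10:02:13Z|5588|cmd.exe|cmd.exe /c ipconfig /all
2024-07-01T10:02:15Z|5588|cmd.exe|cmd.exe /c systeminfo
2024-07-01T10:02:18Z|5588|cmd.exe|cmd.exe /c tasklist /v
2024-07-01T10:02:20Z|5588|cmd.exe|cmd.exe /c netstat -ano
2024-07-01T10:30:00Z|7001|cmd.exe|cmd.exe /c ipconfig
2024-07-01T11:45:00Z|7001|cmd.exe|cmd.exe /c netstat -an
"""
LINE_RE = re.compile(r"^(?P<ts>\S+)\|(?P<ppid>\d+)\|(?P<image>[^|]+)\|(?P<cmd>.*)$")

def parse_line(line):
    """Return (timestamp, parent_pid, recon_tool) or None if no recon tool ran."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    for tok in m["cmd"].lower().split():
        # strip any path and ".exe" so "C:\Windows\System32\netstat.exe" matches
        tok = tok.rsplit("\\", 1)[-1].removesuffix(".exe")
        if tok in RECON_CMDS:
            return ts, int(m["ppid"]), tok
    return None

def find_recon_bursts(log_text, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Flag parents that start >= min_distinct recon tools within one window."""
    by_parent = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_parent[rec[1]].append((rec[0], rec[2]))
    alerts = {}
    for ppid, events in by_parent.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {tool for t, tool in events[i:] if t - start <= window}
            if len(seen) >= min_distinct:
                alerts[ppid] = sorted(seen)
                break
    return alerts
```

Parent 5588 is flagged because all four tools start within seconds of each other, while parent 7001 runs only two of them, more than an hour apart, and is left alone.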

Broader Toolset and Capabilities

Evasive Panda has developed a wide range of malware tools targeting multiple platforms, including macOS, Windows, Linux, Android, and even the obscure Solaris OS. These tools include trojanized Android APKs, SMS and DNS request interception tools, and various other custom-built malware. This extensive toolkit demonstrates the group's adaptability and resourcefulness in achieving their espionage objectives.

Conclusion

Evasive Panda remains a significant threat in the cyber espionage landscape. Its continuous development and deployment of sophisticated malware like Macma and Nightdoor highlight its commitment to evading detection and compromising valuable targets. As the group refines its tools and techniques, it is crucial for organizations to stay vigilant and implement robust cybersecurity measures to defend against such advanced threats. The group's ability to quickly update its toolset in response to exposure further underscores the importance of proactive cybersecurity practices in mitigating the risks posed by such persistent adversaries.
