The China-linked Advanced Persistent Threat (APT) group Evasive Panda has been blamed for a highly targeted cyberespionage campaign that involved poisoning the Domain Name System (DNS) requests of victims in Turkey, China and India to deliver its signature MgBot backdoor.
The activity was observed between November 2022 and November 2024, Kaspersky said. It has been attributed to the hacking group Evasive Panda, also tracked as Bronze Highland, Daggerfly and StormBamboo, which is estimated to have been active since at least 2012.
“The group primarily conducted adversary-in-the-middle (AITM) attacks on specific victims,” Kaspersky researcher Fatih Sensoy said in an in-depth analysis. “These included techniques such as dropping the loader in specific locations and storing encrypted parts of the malware on attacker-controlled servers, which were resolved in response to specific website DNS requests.”
This is not the first time Evasive Panda’s DNS poisoning capabilities have come to light. In April 2023, ESET noted that, in an attack targeting an international non-governmental organization (NGO) in mainland China, the threat actor may have used an AITM attack either to compromise the supply chain or to serve a trojanized version of legitimate applications such as Tencent QQ.
In August 2024, a report from Volexity revealed how a threat actor compromised an unnamed Internet Service Provider (ISP) via a DNS poisoning attack to deliver malicious software updates to targets of interest.
Evasive Panda is also one of several China-aligned threat activity groups that rely on AITM poisoning for malware distribution. In an analysis last month, ESET said it was tracking 10 active groups in China that have taken advantage of the technique for initial access or lateral movement, including LuoYu, BlackTech, TheWizards, Blackwood, PlushDaemon and FontGoblin.
In the attacks documented by Kaspersky, the threat actors were found to use lures that masquerade as updates to third-party software, such as SohuVIA, the video streaming service from Chinese internet company Sohu. The malicious update was distributed from the domain p2p.hd.sohu.com[.]cn, possibly indicating a DNS poisoning attack.
“There is a possibility that attackers used a DNS poisoning attack to alter the DNS response of p2p.hd.sohu.com[.]cn to the IP address of the attacker-controlled server, while the actual update module of the SohuVIA application attempts to update its binaries located in AppData\Roaming\Curse\7.0.18.0\Packages,” Sensoy explained.
The Russian cybersecurity vendor said it also identified other campaigns in which Evasive Panda abused Baidu’s iQIYI video service, IObit Smart Defrag and a fake updater for Tencent QQ as lures.
The attack leads to the deployment of an initial loader that is responsible for launching shellcode which, in turn, obtains an encrypted second-stage shellcode in the form of a PNG image file, fetched via DNS poisoning of the legitimate website dictionary[.]com.
Evasive Panda is said to have manipulated the IP address associated with dictionary[.]com, causing the victim system to resolve the website to an attacker-controlled IP address that depended on the victim’s geographic location and Internet service provider.
It is currently not known how the threat actor poisons DNS responses, but two scenarios are suspected: either the ISPs used by the victims were selectively targeted and compromised to establish some kind of network implant on edge devices, or the routers or firewalls used by the victims were hacked for this purpose.
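A defender-side check that the ISP-level, geo-selective poisoning described above motivates, written here as an added example (it is not code from Kaspersky’s report): compare what the system resolver returns with an out-of-band DNS-over-HTTPS answer, and use a baseline of the operator’s known address ranges to tell ordinary CDN variance from an answer that points somewhere the operator never serves from. The hostnames and the `KNOWN_PREFIXES` table are constructed placeholders.

```python
import ipaddress
import json
import socket
import sys
import urllib.request

# Out-of-band reference resolver reached over TLS: an on-path tamperer of plaintext
# UDP/53 answers cannot rewrite what this endpoint returns.
DOH_URL = "https://cloudflare-dns.com/dns-query"

def resolve_local(name):
    """A records from the system resolver, i.e. the path an ISP-level poisoner controls."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, 80, socket.AF_INET)})

def resolve_doh(name):
    """A records for `name` from the DoH JSON API (RR type 1 = A)."""
    req = urllib.request.Request(f"{DOH_URL}?name={name}&type=A",
                                 headers={"accept": "application/dns-json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        answers = json.load(resp).get("Answer", [])
    return sorted(a["data"] for a in answers if a.get("type") == 1)

def classify(name, local, reference, known_prefixes):
    """Verdict on local vs reference answers; known_prefixes maps host -> operator CIDRs."""
    if set(local) == set(reference):
        return "consistent"
    nets = [ipaddress.ip_network(p) for p in known_prefixes.get(name, [])]
    if not nets:
        return "unverified-mismatch"   # answers differ, but there is no baseline to judge by
    if all(any(ipaddress.ip_address(ip) in n for n in nets) for ip in local):
        return "expected-variance"     # different answer, still inside the operator's ranges
    return "suspect"                   # local answer lands outside every known operator range

# Constructed sample baseline (TEST-NET-3 range), not real operator data.
KNOWN_PREFIXES = {"video.example": ["203.0.113.0/24"]}

def demo():
    """Offline walk-through on constructed answers; returns the four possible verdicts."""
    cases = [
        ("video.example", ["203.0.113.10"], ["203.0.113.10"]),
        ("video.example", ["203.0.113.10"], ["203.0.113.20"]),  # geo/CDN variance
        ("video.example", ["198.51.100.7"], ["203.0.113.20"]),  # poisoned-looking answer
        ("other.example", ["198.51.100.7"], ["203.0.113.20"]),  # no baseline for this host
    ]
    return [classify(n, loc, ref, KNOWN_PREFIXES) for n, loc, ref in cases]

if __name__ == "__main__":
    print(demo())
    if len(sys.argv) > 1:  # live check: python dnscheck.py <hostname>
        h = sys.argv[1]; print(h, classify(h, resolve_local(h), resolve_doh(h), KNOWN_PREFIXES))
```

A "suspect" verdict is a trigger to capture the full local response and the resolver path, not proof of poisoning on its own; operators that move between providers will need their prefix baseline kept current.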
The HTTP request to obtain the second-stage shellcode also includes the current Windows version number. This is likely an attempt on the part of the attackers to target specific operating system versions and adapt their strategy based on the operating system used. It’s worth noting that Evasive Panda has previously taken advantage of watering hole attacks to distribute Apple macOS malware codenamed MACMA.
The exact nature of the second-stage payload is unclear, but Kaspersky’s analysis suggests that the first-stage shellcode decrypts and runs the retrieved payload. The attackers are assessed to generate a unique encrypted second-stage shellcode file for each victim as a way to evade detection.
Another important aspect of the operation is the use of a secondary loader (“libpython2.4.dll”) that is sideloaded by an older version of “python.exe”. Once launched, it obtains and decrypts the next stage of the malware by reading the contents of the file “C:\ProgramData\Microsoft\eHome\perf.dat”, which holds, in encrypted form, the payload downloaded in the previous step.
“It appears that the attacker used a complex process to obtain this step from a resource where it was initially XOR-encrypted,” Kaspersky said. “The attacker decrypted this step with XOR and subsequently encrypted and saved it in perf.dat using a custom hybrid of Microsoft’s Data Protection Application Programming Interface (DPAPI) and RC5 algorithms.”
The use of a custom encryption scheme is seen as an attempt to complicate analysis: because the data can only be decrypted on the specific system where it was encrypted, any attempt to intercept the payload and analyze it elsewhere is blocked.
The decrypted code is a MgBot variant that the secondary loader injects into the legitimate “svchost.exe” process. MgBot, a modular implant, is capable of collecting files, logging keystrokes, capturing clipboard data, recording audio streams and stealing credentials from web browsers, enabling the malware to maintain a latent presence on compromised systems for long periods of time.
“The Evasive Panda threat actor has once again demonstrated its advanced capabilities, circumventing security measures with new techniques and tools while maintaining long-term persistence in targeted systems,” Kaspersky said.