Chinese Hackers Using MgBot Malware to Target International NGOs in Mainland China

April 26, 2023 | Ravie Lakshmanan | Cyber threat / APT Group


An advanced persistent threat (APT) group known as Evasive Panda has been observed targeting an international non-governmental organization (NGO) in mainland China with malware delivered through legitimate application update channels, such as those of Tencent QQ.

The attack chains are designed to distribute a Windows installer for the MgBot malware, ESET security researcher Facundo Muñoz said in a new report published today. The activity started in November 2020 and continued throughout 2021.

Evasive Panda, also known as Bronze Highland and Daggerfly, is a Chinese-speaking APT group that has been blamed for a series of cyber espionage attacks targeting various entities in mainland China, Hong Kong and other countries in East and South Asia since at least December 2012.

The group’s hallmark is its use of the MgBot custom modular malware framework, which is capable of receiving additional components on the fly to expand its intelligence-gathering capabilities.

Some of the prominent features of the malware include stealing files, logging keystrokes, collecting clipboard data, recording audio streams, and stealing credentials from web browsers.

ESET, which discovered the campaign in January 2022 after a legitimate Chinese application was seen deploying an installer for the MgBot backdoor, said the targeted users were located in the provinces of Gansu, Guangdong and Jiangsu and were members of an unnamed international NGO.

The trojanized application is the updater for the Tencent QQ Windows client ("QQUrlMgr.exe"), hosted on the "update.browser.qq[.]com" domain. It is not immediately clear how the threat actor managed to deliver the implant via legitimate updates.


But it points to one of two scenarios: a supply chain compromise of Tencent QQ's update servers, or an adversary-in-the-middle (AitM) attack of the kind Kaspersky detailed in June 2022 in connection with a Chinese hacking group called LuoYu.

In recent years, many attacks on the software supply chain have been orchestrated by state groups in Russia, China and North Korea. The ability to build a large malicious footprint quickly has not been lost on these attackers, who are increasingly targeting the IT supply chain to breach enterprise environments.


"AitM interception styles would be possible if attackers, whether LuoYu or Evasive Panda, were able to compromise vulnerable devices such as routers or gateways," Muñoz explained.

“With access to the ISP’s backbone infrastructure, through legal or illegal means, Evasive Panda could intercept and respond to update requests made via HTTP, or even modify packets.”
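The interception described in the two quotes above is easy to model. The following is an added example, not code from ESET, Tencent or the attackers: a toy update channel in which a client fetches a manifest and an installer over plain HTTP, and an on-path attacker (a compromised router or ISP link) rewrites the responses. The manifest path, installer path, and the byte strings standing in for the genuine installer and the MgBot dropper are constructed for illustration. Because the standard library has no asymmetric signature primitive, HMAC-SHA256 with a vendor-held key stands in for the vendor's public-key signature (Authenticode, Ed25519 or similar); the property demonstrated is the same, namely that an attacker who can modify packets but holds no signing key cannot produce a manifest the hardened client accepts.

```python
"""Toy model of an HTTP software-update channel under an AitM attacker.

Added example; all artefacts below are constructed stand-ins, not real
Tencent files, paths or keys.
"""
import hashlib
import hmac
import json

GENUINE_INSTALLER = b"MZ\x90\x00 constructed stand-in for a genuine QQ update installer"
TROJANIZED_INSTALLER = b"MZ\x90\x00 constructed stand-in for an MgBot dropper"

# Stand-in for the vendor's signing capability. A real updater verifies an
# asymmetric signature with an embedded public key; HMAC is used here only
# because the standard library has no asymmetric primitives.
VENDOR_KEY = b"constructed vendor key; stands in for an asymmetric signing key"

MANIFEST_PATH = "/update/manifest.json"   # assumed layout, not Tencent's
INSTALLER_PATH = "/update/QQUpdate.exe"   # assumed layout, not Tencent's


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_manifest(body: bytes) -> str:
    """Vendor side: produce the authenticity tag over the manifest body."""
    return hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest()


def verify_manifest_signature(body: bytes, sig: str) -> bool:
    """Client side: with a real scheme this would use only the public key."""
    return hmac.compare_digest(sign_manifest(body), sig)


def make_manifest(installer: bytes, version: str) -> dict:
    body = json.dumps({"version": version, "installer": INSTALLER_PATH,
                       "sha256": sha256_hex(installer)}, sort_keys=True)
    return {"body": body, "sig": sign_manifest(body.encode())}


# What the vendor's update server actually serves.
VENDOR_SERVER = {
    MANIFEST_PATH: json.dumps(make_manifest(GENUINE_INSTALLER, "9.7.1")).encode(),
    INSTALLER_PATH: GENUINE_INSTALLER,
}


def honest_http_get(path: str) -> bytes:
    """Plain HTTP with nobody on the path: bytes arrive as the vendor sent them."""
    return VENDOR_SERVER[path]


def aitm_http_get(path: str) -> bytes:
    """An on-path attacker rewriting HTTP responses in flight.

    It swaps the installer and fixes up the manifest's hash so a hash-only
    check still passes, but it has no signing key, so the old signature is
    left in place and no longer matches the body.
    """
    resp = honest_http_get(path)
    if path == INSTALLER_PATH:
        return TROJANIZED_INSTALLER
    if path == MANIFEST_PATH:
        manifest = json.loads(resp)
        body = json.loads(manifest["body"])
        body["sha256"] = sha256_hex(TROJANIZED_INSTALLER)
        manifest["body"] = json.dumps(body, sort_keys=True)
        return json.dumps(manifest).encode()
    return resp


def naive_update(http_get) -> bytes:
    """Checks the installer hash against the manifest, but the manifest came
    over the same unauthenticated channel, so the check proves nothing."""
    body = json.loads(json.loads(http_get(MANIFEST_PATH))["body"])
    installer = http_get(body["installer"])
    if not hmac.compare_digest(sha256_hex(installer), body["sha256"]):
        raise RuntimeError("installer hash mismatch")
    return installer


def hardened_update(http_get) -> bytes:
    """Refuses any manifest whose signature does not verify, then checks the
    installer against the hash inside that authenticated manifest."""
    manifest = json.loads(http_get(MANIFEST_PATH))
    body_bytes = manifest["body"].encode()
    if not verify_manifest_signature(body_bytes, manifest["sig"]):
        raise RuntimeError("manifest signature invalid: AitM or tampered server")
    body = json.loads(body_bytes)
    installer = http_get(body["installer"])
    if not hmac.compare_digest(sha256_hex(installer), body["sha256"]):
        raise RuntimeError("installer hash mismatch")
    return installer


def run(client, http_get) -> tuple:
    """Return ('installed', sha256 of what was installed) or ('rejected', reason)."""
    try:
        return ("installed", sha256_hex(client(http_get)))
    except RuntimeError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    for client in (naive_update, hardened_update):
        for channel in (honest_http_get, aitm_http_get):
            print(f"{client.__name__:16s} via {channel.__name__:16s}: {run(client, channel)}")
```

The naive client installs the swapped payload under the AitM channel even though it "verified" a hash, because the hash travelled over the same interceptable HTTP connection. The hardened client rejects it. The caveat matching the article's first scenario: signature verification on the client stops an on-path attacker, but not a compromise of the vendor's own update infrastructure if the attacker also controls the signing key, which is why the two scenarios cannot be told apart from the victim side alone.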

The findings are significant because they come less than a week after Broadcom-owned Symantec detailed attacks by the same threat actor against telecom service providers in Africa using the MgBot malware framework.

Ikaroa, a full stack tech company, has received reports of Chinese hackers using MgBot malware to target international non-governmental organizations (NGOs) in mainland China. The malware is built to identify and collect sensitive information from the compromised host, sustaining a targeted intrusion over time.

According to the reports, the purpose of these targeted cyber-attacks is to gain access to the internal operations of international NGOs. MgBot is a sophisticated, modular Windows malware framework designed to evade antivirus software, which makes it difficult to detect and defend against. It is delivered through a trojanized legitimate application update and can be extended with additional components after installation.

Ikaroa has been working with NGO partners to understand the scale of the issue and to provide advice on security best practices. These can include monitoring activity across NGO networks, implementing a robust patching strategy so that common exploitation techniques are remediated, and providing users with security-awareness guidance on how to recognise and avoid malicious campaigns run by these actors.

Despite the challenges posed by MgBot malware, Ikaroa is committed to ensuring the safety and security of international NGOs. As such, we remain dedicated to providing ongoing advice and support to our NGO partners, and we continue to be vigilant against further malicious activity.
