Named as the Evasive Panda, which is China-linked threat group, has shut an unnamed internet service provider (ISP) to launch malicious software update attacks on other companies. This dramatic event that became publicized by the cybersecurity firm Volexity demonstrates the technical level of the group, which is also known as Bronze Highland, Daggerfly, and StormBamboo.
Based on the analysis of Evasive Panda campaigns, this APT has been operating since at least May 2012 and has been using MgBot and Nightdoor backdoors to steal information. However, they have lately incorporated MACMA as part of their weapons trove, which is a macOS malware strain discovered in 2021.
This way, Volexity’s investigation showed that the hackers used DNS poisoning to change responses for certain domains associated with automatic software updates and insecure communications protocols, such as HTTP. This method entailed them to release trojan updates for genuine applications like the Tencent QQ to the users. These updates contributed to the delivery of malware suitable for the OS; MgBot, for windows, and MACMA for macOS.
In one case, the attackers delivered a Google Chrome extension on macOS devices through the modification of Secure Preferences file. This was in fact a Trojan in the guise of a compatibility module for Internet Explorer, which stole browser cookies to a Google Drive account belonging to the hackers.
‘This attack emphasizes the importance of the reliable methods of software updates and protection against DNS poisoning,’ – stated the Volexity team, consisting of Saini, Rascagneres, Adair, and Lancaster.
The infiltrated ISP was immediately notified to address this concern which is DNS poisoning attack. The activities of Evasive Panda have been described in detail in reports of ESET and Synamtec, with the objective of the group consisting of watering hole attacks and supply chain attacks against both Tibetan users and NGOs that operate internationally.
This episode demonstrates that cyber espionage groups ‘adversaries’ are more advanced and how pivotal comprehensive cybersecurity is to counter such threats.