Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

A China-Linked Evasive Panda APT Group Unleashes Highly Targeted DNS Poisoning Campaign to Deliver MgBot Malware


China-linked APT group Evasive Panda has unleashed a highly targeted DNS poisoning campaign to deliver MgBot malware to victims in Türkiye, China, and India. The attackers employed sophisticated techniques, including custom encryption algorithms and DNS manipulation, to evade detection and maintain persistence in compromised systems.

  • The Evasive Panda group has been linked to a sophisticated cyber espionage campaign using DNS poisoning.
  • The attackers targeted victims in Türkiye, China, and India between November 2022 and November 2024.
  • The malware, MgBot, is capable of harvesting files, logging keystrokes, and stealing credentials from web browsers.
  • The attackers used a custom encryption algorithm to complicate analysis of the malicious payload.
  • The campaign highlights the persistence and sophistication of China-linked APT groups.



A highly sophisticated and targeted cyber espionage campaign has been attributed to a China-linked advanced persistent threat (APT) group known as Evasive Panda. The adversary, tracked under various aliases including Bronze Highland, Daggerfly, and StormBamboo, has been active since at least 2012, making it one of the most enduring APT groups in recent history.

The campaign, which was uncovered by Kaspersky, targeted victims in Türkiye, China, and India between November 2022 and November 2024. The attackers employed a technique known as DNS poisoning, in which Domain Name System (DNS) responses are manipulated so that victims are redirected to attacker-controlled servers. This allowed the Evasive Panda group to deliver its signature MgBot malware to compromised systems.

The MgBot malware is a sophisticated piece of code that enables the attackers to harvest files, log keystrokes, gather clipboard data, record audio streams, and steal credentials from web browsers. The malware is capable of maintaining a stealthy presence on compromised systems for long periods of time, making it a formidable tool for cyber espionage.

The Evasive Panda group's use of DNS poisoning as a means of delivering malware is not new, but the complexity and sophistication of this particular campaign are unprecedented. The attackers appear to have manipulated the IP addresses returned for legitimate websites, so that victim systems resolved those sites to attacker-controlled servers, selected according to the victim's geographical location and internet service provider.

Two possible scenarios are suspected to explain how the threat actor poisoned DNS responses. Firstly, the ISPs used by the victims may have been selectively targeted and compromised to install some kind of network implant on edge devices. Alternatively, a router or firewall used by the victims may have been hacked for this purpose.
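Because the poisoning described above was selective by geography and ISP, one practical defender check is to compare what the local (ISP-supplied) resolver returns for a hostname with what an independent, encrypted resolver returns. The script below is an added example, not code from the article or from Kaspersky; it assumes you already collected both answer sets (for instance, the local set via socket.getaddrinfo and the reference set via a DNS-over-HTTPS query), and all sample addresses are constructed documentation-range values, not real indicators. Geo-aware CDNs legitimately hand out different addresses in different regions, so the comparison distinguishes "different IP in the same network neighbourhood" from a genuinely unrelated answer.

```python
"""Cross-check local DNS answers against an out-of-band reference resolver."""
import ipaddress


def _neighbourhood(ip):
    # Coarse network neighbourhood: /24 for IPv4, /48 for IPv6 (a heuristic, not a rule)
    prefix = 24 if ip.version == 4 else 48
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def classify(local_answers, reference_answers):
    """Compare two sets of A/AAAA answers observed for the same hostname.

    Returns:
      'match'     identical answer sets
      'same-net'  different IPs, but every local IP shares a /24 (or /48) with a
                  reference IP; typical of geo-aware CDNs, low suspicion
      'divergent' at least one local IP has no network neighbour among the
                  reference answers; verify against a second independent resolver
    """
    local_ips = {ipaddress.ip_address(a) for a in local_answers}
    ref_ips = {ipaddress.ip_address(a) for a in reference_answers}
    if local_ips == ref_ips:
        return "match"
    ref_nets = {_neighbourhood(ip) for ip in ref_ips}
    if all(_neighbourhood(ip) in ref_nets for ip in local_ips):
        return "same-net"
    return "divergent"


def audit(observations):
    """observations: {hostname: (local_answers, reference_answers)} -> {hostname: verdict}"""
    return {host: classify(loc, ref) for host, (loc, ref) in observations.items()}


# Constructed sample observations (documentation ranges, not real indicators):
# one identical answer, one CDN-style shift within a /24, one unrelated address.
SAMPLE = {
    "update.example.com": (["203.0.113.10"], ["203.0.113.10"]),
    "cdn.example.net": (["198.51.100.7"], ["198.51.100.20", "198.51.100.21"]),
    "login.example.org": (["192.0.2.99"], ["198.51.100.50"]),
}

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(f"{host:22} {verdict}")
```

A 'divergent' verdict is a lead, not proof: confirm it with a second independent resolver and by checking the TLS certificate presented by the unexpected address before escalating.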

The HTTP request that fetches the second-stage shellcode also carries the current Windows version number, which suggests that the attackers target specific operating system versions and adapt their strategy to the victim's OS. This is in line with previous attacks attributed to Evasive Panda, in which the group leveraged watering hole attacks to distribute malware.

The exact nature of the second-stage payload is unclear, but Kaspersky's analysis shows that the first-stage shellcode decrypts and runs the retrieved payload. The attacker appears to have used a multi-step process to obtain this stage from a resource in which it was initially XOR-encrypted: the stage was decrypted with XOR, then re-encrypted and saved to perf.dat using a custom hybrid of Microsoft's Data Protection Application Programming Interface (DPAPI) and the RC5 algorithm.

The use of a custom encryption algorithm is seen as an attempt to complicate analysis: because DPAPI ties the encryption to the specific system where it was performed, the encrypted data can only be decoded on that machine, which blocks efforts to intercept and analyze the payload elsewhere.

The decrypted code is an MgBot variant that the secondary loader injects into a legitimate "svchost.exe" process, allowing the malware to blend in with normal system activity and remain resident on compromised systems for long periods of time.

In conclusion, the Evasive Panda group's latest campaign highlights the sophistication and persistence of China-linked APT groups. DNS poisoning as a malware delivery mechanism requires significant resources and expertise to execute successfully, and this campaign serves as a reminder of the ongoing threat landscape and of the importance of robust cybersecurity measures to protect against such attacks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-China-Linked-Evasive-Panda-APT-Group-Unleashes-Highly-Targeted-DNS-Poisoning-Campaign-to-Deliver-MgBot-Malware-ehn.shtml

  • Published: Fri Dec 26 12:46:02 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.