The Chinese hacking group tracked as ‘Evasive Panda’ was spotted using new versions of the Macma backdoor and the Nightdoor Windows malware.
Symantec’s threat hunting team spotted the cyber espionage attacks targeting organizations in Taiwan and an American non-governmental organization in China.
In the latter case, Evasive Panda (aka ‘Daggerfly’ or ‘Bronze Highland’) exploited a flaw in an Apache HTTP server to deliver a new version of their signature modular malware framework, MgBot, indicating a continuous effort to refresh their tools and evade detection.
Evasive Panda is believed to have been active since at least 2012, conducting both domestic and international espionage operations.
Most recently, ESET observed the cyberespionage group using Tencent QQ software updates to infect NGO members in China with the MgBot malware.
The breaches were achieved through a supply chain or an adversary-in-the-middle (AITM) attack, with the uncertainty around the exact attack method used highlighting the sophistication of the threat actor.
Macma linked to Evasive Panda
Macma is a modular malware for macOS, first documented by Google’s TAG in 2021 but never attributed to a specific threat group.
Symantec says recent Macma variants show ongoing development where its creators build upon the existing functionality.
The latest variants seen in suspected Evasive Panda attacks contain the following additions/improvements:
New logic to collect a file system listing, with the new code based on Tree, a publicly available Linux/Unix utility.
Modified code in the AudioRecorderHelper feature
Additional parametrisation
Additional debug logging
Addition of a new file (param2.ini) to set options to adjust screenshot size and aspect ratio
The first indication of a link between Macma and Evasive Panda is that two of the latest variants connect to a command and control (C2) IP address also used by an MgBot dropper.
Most importantly, Macma and other malware in the same group’s toolkit contain code from a single shared library or framework, which provides thread and synchronization primitives, event notifications and timers, data marshaling, and platform-independent abstractions.
“inp” and “tim” magic strings linked to the custom library (Source: Symantec)
Evasive Panda has used this library to build malware for Windows, macOS, Linux, and Android. Since it is not available in any public repositories, Symantec believes it’s a custom framework used exclusively by the threat group.
Other Evasive Panda tools
Another malware that uses the same library is Nightdoor (aka ‘NetMM’), a Windows backdoor that ESET attributed to Evasive Panda a few months ago.
In the attacks Symantec tracked, Nightdoor was configured to connect to OneDrive and fetch a legitimate DAEMON Tools Lite Helper application (‘MeitUD.exe’) and a DLL file (‘Engine.dll’) that creates scheduled tasks for persistence and loads the final payload in memory.
Nightdoor uses anti-VM code from the ‘al-khaser’ project and ‘cmd.exe’ to interact with C2 via open pipes.
It supports the execution of commands for network and system profiling, such as ‘ipconfig,’ ‘systeminfo,’ ‘tasklist,’ and ‘netstat.’
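The process-creation pattern described above (a shell spawning several profiling commands in quick succession, and a shell started by the DAEMON Tools helper that hosts the side-loaded DLL) can be turned into a simple hunting rule. The example below is added here and is not code from Symantec or ESET; the Sysmon-like event layout, the sample events, and the assumption that the in-memory payload runs inside the MeitUD.exe process are the author’s constructions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Profiling commands the article lists for Nightdoor, plus the side-loading host binary.
RECON_CMDS = {"ipconfig", "systeminfo", "tasklist", "netstat"}
SIDELOAD_HOST = "meitud.exe"

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_recon_bursts(events, min_distinct=3, window=timedelta(minutes=5)):
    """Return PIDs of cmd.exe shells that launched >= min_distinct different
    profiling commands within `window`. Events: (ts, pid, ppid, parent_image, image)."""
    by_shell = defaultdict(list)
    for ts, pid, ppid, parent, image in events:
        if basename(parent) == "cmd.exe" and basename(image).removesuffix(".exe") in RECON_CMDS:
            by_shell[ppid].append((ts, basename(image)))
    hits = []
    for shell_pid, runs in by_shell.items():
        runs.sort()
        for i, (start, _) in enumerate(runs):
            seen = {name for ts, name in runs[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                hits.append(shell_pid)
                break
    return hits

def find_sideload_shells(events):
    """PIDs of cmd.exe started by the DAEMON Tools helper. Assumption: the payload
    loaded by the side-loaded Engine.dll runs inside MeitUD.exe, so its shell is a child."""
    return [pid for _, pid, _, parent, image in events
            if basename(parent) == SIDELOAD_HOST and basename(image) == "cmd.exe"]

# Constructed sample telemetry (not real events): (ts, pid, ppid, parent_image, image)
T0 = datetime(2024, 7, 23, 9, 0, 0)
CMD, EXPLORER = r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"
HOST = r"C:\Users\user\AppData\Local\Temp\MeitUD.exe"
EVENTS = [
    (T0, 400, 300, EXPLORER, HOST),
    (T0 + timedelta(seconds=5), 410, 400, HOST, CMD),
    (T0 + timedelta(seconds=6), 411, 410, CMD, r"C:\Windows\System32\ipconfig.exe"),
    (T0 + timedelta(seconds=7), 412, 410, CMD, r"C:\Windows\System32\systeminfo.exe"),
    (T0 + timedelta(seconds=9), 413, 410, CMD, r"C:\Windows\System32\tasklist.exe"),
    (T0 + timedelta(seconds=10), 414, 410, CMD, r"C:\Windows\System32\netstat.exe"),
    (T0 + timedelta(hours=1), 520, 500, EXPLORER, CMD),           # admin opens a shell
    (T0 + timedelta(hours=1, seconds=3), 521, 520, CMD, r"C:\Windows\System32\ipconfig.exe"),
]

if __name__ == "__main__":
    print("recon bursts:", find_recon_bursts(EVENTS), "sideload shells:", find_sideload_shells(EVENTS))
```

Only the shell with PID 410 trips both rules; the lone ipconfig run by the admin shell stays below the distinct-command threshold.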
In addition to the malware tools used by Evasive Panda in attacks, Symantec has also seen the threat actor deploy trojanized Android APKs, SMS and DNS request interception tools, and malware built to target obscure Solaris OS systems.