A China-linked advanced persistent threat (APT) group has been attributed to a highly-targeted cyber espionage campaign in which the adversary poisoned Domain Name System (DNS) requests to deliver its signature MgBot backdoor in attacks targeting victims in Türkiye, China, and India.
The activity, Kaspersky said, was observed between November 2022 and November 2024. It has been linked to a hacking group called Evasive Panda, which is tracked as Bronze Highland, Daggerfly, and StormBamboo. It’s assessed to be active since at least 2012.
“The group mainly performed adversary-in-the-middle (AitM) attacks on specific victims,” Kaspersky researcher Fatih Şensoy said in a deep-dive analysis. “These included techniques such as dropping loaders into specific locations and storing encrypted parts of the malware on attacker-controlled servers, which were resolved as a response to specific website DNS requests.”
This is not the first time Evasive Panda’s DNS poisoning capabilities have come to the fore. As far back as April 2023, ESET noted that the threat actor may have either carried out a supply chain compromise or an AitM attack to serve trojanized versions of legitimate applications like Tencent QQ in an attack targeting an international non-governmental organization (NGO) in Mainland China.
In August 2024, a report from Volexity revealed how the threat actor compromised an unnamed internet service provider (ISP) by means of a DNS poisoning attack to push malicious software updates to targets of interest.
Evasive Panda is also one of the many China-aligned threat activity clusters that have relied on AitM poisoning for malware distribution. In an analysis last month, ESET said it’s tracking 10 active groups from China that have leveraged the technique for initial access or lateral movement, including LuoYu, BlackTech, TheWizards APT, Blackwood, PlushDaemon, and FontGoblin.
In the attacks documented by Kaspersky, the threat actor has been found to make use of lures that masquerade as updates for third-party software, such as SohuVA, a video streaming service from the Chinese internet company Sohu. The malicious update is delivered from the domain “p2p.hd.sohu.com[.]cn,” likely indicating a DNS poisoning attack.
“There is a possibility that the attackers used a DNS poisoning attack to alter the DNS response of p2p.hd.sohu.com[.]cn to an attacker-controlled server’s IP address, while the genuine update module of the SohuVA application tries to update its binaries located in appdata\roaming\shapp\7.0.18.0\package,” Şensoy explained.
The Russian cybersecurity vendor said it also identified other campaigns in which Evasive Panda utilized a fake updater for Baidu’s iQIYI Video, as well as IObit Smart Defrag and Tencent QQ.
The attack paves the way for the deployment of an initial loader that’s responsible for launching shellcode that, in turn, fetches an encrypted second-stage shellcode in the form of a PNG image file, again by means of DNS poisoning from the legitimate website dictionary[.]com.
Evasive Panda is said to have manipulated the IP address associated with dictionary[.]com, causing victim systems to resolve the website to an attacker-controlled IP address based on their geographical location and internet service provider.
It’s currently not known how the threat actor is poisoning DNS responses. But two possible scenarios are suspected: either the ISPs used by the victims were selectively targeted and compromised to install some kind of a network implant on edge devices, or a router or firewall used by the victims was hacked for this purpose.
The HTTP request to obtain the second-stage shellcode also contains the current Windows version number. This is likely an attempt on the part of the attackers to target specific operating system versions and adapt their strategy based on the operating system used. It’s worth noting that Evasive Panda has previously leveraged watering hole attacks to distribute an Apple macOS malware codenamed MACMA.
The exact nature of the second-stage payload is unclear, but Kaspersky’s analysis shows that the first-stage shellcode decrypts and runs the retrieved payload. It’s assessed that the attackers generate a unique encrypted second shellcode file for each victim as a way to bypass detection.
A crucial aspect of the operations is the use of a secondary loader (“libpython2.4.dll”) that relies on a renamed, older version of “python.exe” to be sideloaded. Once launched, it downloads and decrypts the next-stage malware by reading the contents of a file named “C:\ProgramData\Microsoft\eHome\perf.dat.” This file contains the decrypted payload downloaded from the previous step.
“It appears that the attacker used a complex process to obtain this stage from a resource, where it was initially XOR-encrypted,” Kaspersky said. “The attacker then decrypted this stage with XOR and subsequently encrypted and saved it to perf.dat using a custom hybrid of Microsoft’s Data Protection Application Programming Interface (DPAPI) and the RC5 algorithm.”
The use of a custom encryption algorithm is seen as an attempt to complicate analysis by ensuring that the encrypted data can only be decoded on the specific system where the encryption was initially performed and block any efforts to intercept and analyze the malicious payload.
The decrypted code is an MgBot variant that’s injected by the secondary loader into a legitimate “svchost.exe” process. A modular implant, MgBot, is capable of harvesting files, logging keystrokes, gathering clipboard data, recording audio streams, and stealing credentials from web browsers. This enables the malware to maintain a stealthy presence in compromised systems for long periods of time.
“The Evasive Panda threat actor has once again showcased its advanced capabilities, evading security measures with new techniques and tools while maintaining long-term persistence in targeted systems,” Kaspersky said.
