A China-linked advanced persistent threat (APT) group has been attributed to a highly-targeted cyber espionage campaign in which the adversary poisoned Domain Name System (DNS) requests to deliver its signature MgBot backdoor in attacks targeting victims in Türkiye, China, and India.
The activity, Kaspersky said, was observed between November 2022 and November 2024. It has been linked to a hacking group called Evasive Panda, which is tracked as Bronze Highland, Daggerfly, and StormBamboo. It’s assessed to be active since at least 2012.
“The group mainly performed adversary-in-the-middle (AitM) attacks on specific victims,” Kaspersky researcher Fatih Åžensoy said in a deep-dive analysis. “These included techniques such as dropping loaders into specific locations and storing encrypted parts of the malware on attacker-controlled servers, which were resolved as a response to specific website DNS requests.”
This is not the first time Evasive Panda’s DNS poisoning capabilities have come to the fore. As far back as April 2023, ESET noted that the threat actor may have either carried out a supply chain compromise or an AITM attack to serve trojanized versions of legitimate applications like Tencent QQ in an attack targeting an international non-governmental organization (NGO) in Mainland China.
In August 2024, a report from Volexity revealed how the threat actor compromised an unnamed internet service provider (ISP) by means of a DNS poisoning attack to push malicious software updates to targets of interest.
Evasive Panda is also one of the many China-aligned threat activity clusters that have relied on AitM poisoning for malware distribution. In an analysis last month, ESET said it’s tracking 10 active groups from China that have leveraged the technique for initial access or lateral movement, including LuoYu, BlackTech, TheWizards APT, Blackwood, PlushDaemon, and FontGoblin.
In the attacks documented by Kaspersky, the threat actor has been found to make use of lures that masquerade as updates for third-party software, such as SohuVA, a video streaming service from the Chinese internet company Sohu. The malicious update is delivered from the domain “p2p.hd.sohu.com[.]cn,” likely indicating a DNS poisoning attack.
“There is a possibility that the attackers used a DNS poisoning attack to alter the DNS response of p2p.hd.sohu.com[.]cn to an attacker-controlled server’s IP address, while the genuine update module of the SohuVA application tries to update its binaries located in appdata\roaming\shapp\7.0.18.0\package,” Åžensoy explained.
The Russian cybersecurity vendor said it also identified other campaigns in which Evasive Panda utilized a fake updater for Baidu’s iQIYI Video, as well as IObit Smart Defrag and Tencent QQ.
The attack paves the way for the deployment of an initial loader that’s responsible for launching shellcode that, in turn, fetches an encrypted second-stage shellcode in the form of a PNG image file, again by means of DNS…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
