The Evasive Panda advanced persistent threat (APT) group, also known by aliases such as Bronze Highland, Daggerfly, and StormBamboo, has been actively conducting targeted cyberattacks since November 2022. Their latest campaign, which continued until November 2024, leverages sophisticated adversary-in-the-middle (AitM) attacks combined with DNS poisoning to deploy the stealthy MgBot malware. This intricate operation has reportedly affected users in Türkiye, China, and India.
Researchers have observed Evasive Panda meticulously disguising malicious executables as legitimate software updates for popular applications. These include well-known programs like SohuVA, iQIYI Video, IObit Smart Defrag, and Tencent QQ. The attackers’ modus operandi involves manipulating DNS responses during users’ attempts to download these updates. This redirection steers victims’ traffic towards servers under the attackers’ control, facilitating the delivery of the malicious payload. A specific example identified was a file named sohuva_update_10.2.29.1-lup-s-tp.exe, which masqueraded as a genuine update but instead delivered malware from an attacker-controlled resource. Securelist researchers detailed how the group altered the DNS response for p2p.hd.sohu.com[.]cn to point to an attacker-controlled IP address, a key element in their DNS poisoning strategy.
Evasive Panda’s Advanced Malware Delivery Tactics
The Evasive Panda APT group employs a multi-stage infection process designed to evade detection and analysis. Upon execution, the initial loader decrypts its configuration using an XOR-based algorithm. A crucial step in its operation involves checking the logged-in username. If the username is detected as “SYSTEM,” the malware proceeds to copy itself to a different location, appending the “.ext.exe” suffix to its new filename, further complicating identification efforts.
Following this, the loader decrypts a 9,556-byte shellcode using a single-byte XOR key. The decrypted shellcode is written into the executable’s .data section. Because this section normally lacks execute permissions, the malware calls the VirtualProtect API to change the section’s protection so the shellcode can run, sidestepping security alerts that trigger on code execution from memory regions that remain non-executable. This technique is central to maintaining stealth during the initial stages of the attack.
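As an added analyst-side example (not code from the report or from the malware), a Python triage helper that recovers a single-byte XOR key from an encoded blob like the one the loader carries in .data: it tries all 255 non-zero keys and scores each decoding by the API strings and x86 entry bytes that decoded shellcode usually contains. The marker list and the sample blob are constructed assumptions, not artifacts from the campaign.

```python
import string

# Strings an analyst expects inside decoded Windows shellcode. VirtualProtect is
# named in the report; the other markers are common generic choices (assumption).
MARKERS = [b"kernel32.dll", b"VirtualProtect", b"LoadLibraryA", b"GetProcAddress"]
PRINTABLE = set(string.printable.encode())

def xor1(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR; it is its own inverse, so this also decodes."""
    return bytes(b ^ key for b in data)

def score(candidate: bytes) -> int:
    """Heuristic plausibility of a decoded buffer: API strings, printable runs,
    and a typical x86 entry sequence ('push ebp; mov ebp,esp' or a leading call)."""
    s = sum(10 for m in MARKERS if m in candidate)
    run = 0
    for b in candidate:
        run = run + 1 if b in PRINTABLE else 0
        if run == 4:          # each printable run of 4+ bytes counts once
            s += 1
    if candidate[:3] == b"\x55\x8b\xec" or candidate[:1] == b"\xe8":
        s += 5
    return s

def recover_single_byte_xor(blob: bytes, top: int = 3):
    """Try every key 0x01..0xFF and return the best (key, score) pairs.
    Key 0x00 is skipped because it would mean the buffer is not encoded."""
    ranked = sorted(((k, score(xor1(blob, k))) for k in range(1, 256)),
                    key=lambda ks: ks[1], reverse=True)
    return ranked[:top]

def demo_blob() -> bytes:
    """Constructed stand-in for the loader's encoded .data blob: a fake
    shellcode with the usual API-resolution strings, XOR-encoded with 0x5A."""
    plain = (b"\x55\x8b\xec\x83\xec\x40" + b"\x00" * 8 + b"kernel32.dll\x00"
             + b"VirtualProtect\x00LoadLibraryA\x00perf.dat\x00"
             + b"\x90" * 16 + b"\xc3")
    return xor1(plain, 0x5A)

if __name__ == "__main__":
    best_key, best_score = recover_single_byte_xor(demo_blob())[0]
    print(f"best key 0x{best_key:02x} (score {best_score})")
    print(xor1(demo_blob(), best_key))
```

On a real sample, point recover_single_byte_xor at the bytes of the .data section and inspect the top candidates rather than trusting only the first.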
Infection Mechanism and Hybrid Encryption by Evasive Panda
The Evasive Panda group’s infection mechanism is multi-layered and uses hybrid encryption, a combination engineered to make its operations difficult to analyze and expose. The first-stage shellcode searches for a specific DAT file in the malware’s installation directory. If the file is found, the shellcode decrypts its contents with the CryptUnprotectData API. Because DPAPI ties the protected data to the machine on which it was created, the file can only be decrypted on the initially compromised host, which shields the payload from analysis elsewhere. After successful decryption, the shellcode deletes the DAT file, erasing a critical trace of the attack from the infected system.
If the DAT file is absent, the shellcode instead downloads encrypted data from dictionary[.]com. Although this is a legitimate domain, the attackers abuse it through DNS poisoning: they manipulate the IP address to which the name resolves, so victim systems are directed to different attacker-controlled addresses, often chosen dynamically by the user’s geographic location. This GEO-IP targeting lets the group deliver specific payloads more efficiently.
The malware then retrieves a secondary shellcode disguised as a PNG file. This payload uses a custom hybrid encryption scheme that combines Microsoft’s Data Protection API (DPAPI) with the RC5 algorithm. The RC5 key is itself encrypted with DPAPI and stored in the first 16 bytes of a file named perf.dat; the RC5-encrypted payload follows it. Decryption proceeds in two steps: the wrapped RC5 key is first recovered with DPAPI, and the recovered key is then used to decrypt the remainder of the file.
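As an added example, not code from the report or from the malware, a Python model of the perf.dat layout described above: a 16-byte wrapped-key slot followed by the RC5-encrypted payload, unwrapped by first recovering the key and then running RC5 over the rest. RC5-32/12/16 in ECB mode is an assumption (the report names only RC5), and because real DPAPI output can only be unwrapped on the original host, a symmetric XOR stand-in is used in its place so the example runs anywhere.

```python
import struct
# RC5-32/12/16 constants; word size, 12 rounds and ECB mode are assumptions,
# the report names only the RC5 algorithm and the 16-byte key slot.
P32, Q32, MASK, ROUNDS = 0xB7E15163, 0x9E3779B9, 0xFFFFFFFF, 12

def _rotl(x, n):
    return ((x << (n & 31)) | (x >> (32 - (n & 31)))) & MASK

def _rotr(x, n):
    return ((x >> (n & 31)) | (x << (32 - (n & 31)))) & MASK

def rc5_expand(key):
    """RC5 key schedule: mix the secret key into the round-key table S."""
    c = max(1, (len(key) + 3) // 4)
    L = list(struct.unpack("<%dI" % c, key.ljust(c * 4, b"\0")))
    t = 2 * (ROUNDS + 1)
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = _rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = _rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S

def rc5_ecb(key, data, decrypt):
    """Encrypt (decrypt=False) or decrypt 8-byte blocks; len(data) % 8 == 0."""
    S, out = rc5_expand(key), bytearray()
    for off in range(0, len(data), 8):
        A, B = struct.unpack("<II", data[off:off + 8])
        if decrypt:
            for k in range(ROUNDS, 0, -1):
                B = _rotr((B - S[2 * k + 1]) & MASK, A) ^ A
                A = _rotr((A - S[2 * k]) & MASK, B) ^ B
            A, B = (A - S[0]) & MASK, (B - S[1]) & MASK
        else:
            A, B = (A + S[0]) & MASK, (B + S[1]) & MASK
            for k in range(1, ROUNDS + 1):
                A = (_rotl(A ^ B, B) + S[2 * k]) & MASK
                B = (_rotl(B ^ A, A) + S[2 * k + 1]) & MASK
        out += struct.pack("<II", A, B)
    return bytes(out)

def fake_dpapi(blob):
    # Constructed symmetric stand-in for CryptProtectData/CryptUnprotectData.
    return bytes(b ^ 0xA5 for b in blob)

def unwrap_perf_dat(blob, unprotect=fake_dpapi):
    """perf.dat layout from the report: [16-byte DPAPI-wrapped RC5 key][RC5 payload]."""
    assert len(blob) >= 16 and (len(blob) - 16) % 8 == 0, "bad perf.dat length"
    return rc5_ecb(unprotect(blob[:16]), blob[16:], decrypt=True)
```

On the compromised host an analyst would pass a real unprotect callable (for instance one wrapping CryptUnprotectData) instead of fake_dpapi; everything after the key slot is handled identically.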
For stealthy loading, the secondary loader, identified as libpython2.4.dll, relies on a legitimate, signed executable named evteng.exe. This technique, known as DLL sideloading, allows the malicious DLL to be loaded by a trusted process, significantly reducing the chances of detection by security software. Following the decryption process, the malware injects the final MgBot implant into the legitimate svchost.exe process. This tactic is crucial for maintaining persistence on the infected system while simultaneously blending in with normal system operations and avoiding detection.
The configuration data for the MgBot implant includes vital information such as campaign names, hardcoded command-and-control (C2) server IP addresses, and encryption keys. Notably, some of these C2 servers have reportedly remained active and operational for multiple years, indicating a level of sophistication and long-term planning by the Evasive Panda group. The ongoing nature of these campaigns and the continuous evolution of their techniques highlight the persistent threat posed by APT groups like Evasive Panda.