Evasive Panda APT group delivers malware via updates for popular Chinese software

ESET researchers linked a campaign to the Evasive Panda APT group that hijacked update channels of legitimate Chinese software to deliver MgBot, the group’s flagship backdoor. The report also details MgBot’s modular plugin toolkit and analyzes two main delivery hypotheses, with high confidence attribution to Evasive Panda. Hashtags: #EvasivePanda #MgBot #QQUrlMgr #TencentQQ #ChinaUpdateAttack

Keypoints

  • Targeted mainland China users were exposed to malware via updates for software from Chinese companies.
  • Researchers attribute the activity with high confidence to the Evasive Panda APT group.
  • MgBot is Evasive Panda’s modular backdoor, designed to receive plugin modules for espionage and data theft.
  • Two main hypotheses for delivery emerged: supply-chain compromise and adversary-in-the-middle (AitM) attacks.
  • The update mechanism involved QQUrlMgr.exe downloading MgBot via hardcoded URLs, with encoded XML responses and MD5 checks.
  • MgBot plugins focus on spying on Tencent/Chinese applications (QQ, WeChat) and exfiltrating credentials and data.

MITRE Techniques

  • [T1583.004] Acquire Infrastructure – Acquire servers to be used for C&C infrastructure. ‘Evasive Panda acquired servers to be used for C&C infrastructure.’
  • [T1587.001] Develop Capabilities: Malware – Evasive Panda develops its custom MgBot backdoor and plugins, including obfuscated loaders. ‘Develop Capabilities: Malware.’
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – MgBot’s installer launches the service from BAT files with the command net start AppMgmt. ‘MgBot’s installer launches the service from BAT files with the command net start AppMgmt.’
  • [T1106] Native API – MgBot’s installer uses the CreateProcessInternalW API to execute rundll32.exe to load the backdoor DLL. ‘MgBot’s installer uses the CreateProcessInternalW API to execute rundll32.exe to load the backdoor DLL.’
  • [T1569.002] System Services: Service Execution – MgBot is executed as a Windows service. ‘MgBot is executed as a Windows service.’
  • [T1543.003] Create or Modify System Process: Windows Service – MgBot replaces the path of the existing Application Management service DLL with its own. ‘MgBot replaces the path of the existing Application Management service DLL with its own.’
  • [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – MgBot performs UAC Bypass. ‘MgBot performs UAC Bypass.’
  • [T1140] Deobfuscate/Decode Files or Information – MgBot’s installer decrypts an embedded CAB file that contains the backdoor DLL. ‘MgBot’s installer decrypts an embedded CAB file that contains the backdoor DLL.’
  • [T1112] Modify Registry – MgBot modifies the registry for persistence. ‘MgBot modifies the registry for persistence.’
  • [T1027] Obfuscated Files or Information – MgBot’s installer contains embedded malware files and encrypted strings. MgBot contains encrypted strings. MgBot plugins contain embedded DLL files. ‘MgBot contains encrypted strings.’
  • [T1055.002] Process Injection: Portable Executable Injection – MgBot can inject Portable Executable files to remote processes. ‘MgBot can inject Portable Executable files to remote processes.’
  • [T1555.003] Credentials from Password Stores: Credentials from Web Browsers – MgBot plugin module agentpwd.dll steals credentials from web browsers. ‘MgBot plugin module agentpwd.dll steals credentials from web browsers.’
  • [T1539] Steal Web Session Cookie – MgBot plugin module Gmck.dll steals cookies. ‘MgBot plugin module Gmck.dll steals cookies.’
  • [T1082] System Information Discovery – MgBot collects system information. ‘MgBot collects system information.’
  • [T1016] System Network Configuration Discovery – MgBot has the capability to recover network information. ‘MgBot has the capability to recover network information.’
  • [T1083] File and Directory Discovery – MgBot has the capability of creating file listings. ‘MgBot has the capability of creating file listings.’
  • [T1056.001] Input Capture: Keylogging – MgBot plugin module kstrcs.dll is a keylogger. ‘MgBot plugin module kstrcs.dll is a keylogger.’
  • [T1560.002] Archive Collected Data: Archive via Library – MgBot’s plugin module sebasek.dll uses aPLib to compress files staged for exfiltration. ‘sebasek.dll uses aPLib to compress files staged for exfiltration.’
  • [T1123] Audio Capture – MgBot’s plugin module pRsm.dll captures input and output audio streams. ‘MgBot’s plugin module pRsm.dll captures input and output audio streams.’
  • [T1119] Automated Collection – MgBot’s plugin modules capture data from various sources. ‘MgBot’s plugin modules capture data from various sources.’
  • [T1115] Clipboard Data – MgBot’s plugin module Cbmrpa.dll captures text copied to the clipboard. ‘MgBot’s plugin module Cbmrpa.dll captures text copied to the clipboard.’
  • [T1025] Data from Removable Media – MgBot’s plugin module sebasek.dll collects files from removable media. ‘MgBot’s plugin module sebasek.dll collects files from removable media.’
  • [T1074.001] Data Staged: Local Data Staging – MgBot’s plugin modules stage data locally on disk. ‘MgBot’s plugin modules stage data locally on disk.’
  • [T1114.001] Email Collection: Local Email Collection – MgBot plugin modules are designed to steal credentials and email information from several applications. ‘MgBot plugin modules are designed to steal credentials and email information from several applications.’
  • [T1113] Screen Capture – MgBot can capture screenshots. ‘MgBot can capture screenshots.’
  • [T1095] Non-Application Layer Protocol – MgBot communicates with its C&C through TCP and UDP protocols. ‘Non-Application Layer Protocol’
  • [T1041] Exfiltration Over C2 Channel – MgBot performs exfiltration of collected data via C&C. ‘Exfiltration of collected data via C&C.’
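The persistence technique above (T1543.003, the Application Management service DLL path replaced and the service started with net start AppMgmt) is something a defender can audit directly. The following PowerShell check is an added example and not code from the ESET report; it assumes a stock Windows install where the AppMgmt service DLL is %SystemRoot%\System32\appmgmts.dll hosted by svchost.exe in the netsvcs group with Manual start type, so adjust the baseline values if your golden image differs.

```powershell
# Added defender check (not from the ESET report): audit the Application
# Management (AppMgmt) service that MgBot's installer repoints at its own DLL.
# Assumptions (stock Windows baseline): ServiceDll is %SystemRoot%\System32\appmgmts.dll,
# ImagePath is svchost.exe -k netsvcs, and Start is 3 (Manual).

$svcKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\AppMgmt'
$paramsKey   = Join-Path $svcKey 'Parameters'
$expectedDll = Join-Path $env:SystemRoot 'System32\appmgmts.dll'
$findings    = @()

# 1. ServiceDll must still point at the stock DLL inside System32.
$serviceDll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
if ($serviceDll) {
    $resolved = [Environment]::ExpandEnvironmentVariables($serviceDll)
    if ($resolved -ine $expectedDll) {
        $findings += "ServiceDll redirected: $serviceDll"
    }
    # 2. If the DLL exists, it should carry a valid Microsoft Authenticode signature.
    if (Test-Path $resolved) {
        $sig = Get-AuthenticodeSignature -FilePath $resolved
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "Service DLL not validly Microsoft-signed: $resolved ($($sig.Status))"
        }
    } else {
        $findings += "Service DLL path does not exist on disk: $resolved"
    }
} else {
    $findings += "ServiceDll value missing under $paramsKey"
}

# 3. ImagePath should still be the svchost netsvcs host, not rundll32 or a custom path.
$imagePath = (Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
if ($imagePath -and $imagePath -notmatch '^\s*(%SystemRoot%|[A-Za-z]:\\Windows)\\system32\\svchost\.exe\s+-k\s+netsvcs') {
    $findings += "ImagePath unexpected: $imagePath"
}

# 4. The stock service is Manual start; Automatic (2) is a persistence tell.
$startType = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
if ($startType -eq 2) {
    $findings += 'AppMgmt start type changed to Automatic (2)'
}

if ($findings.Count -eq 0) { 'AppMgmt service looks unmodified.' } else { $findings }
```

Run it from an elevated prompt across a fleet (for example via a scheduled remote session) and alert on any non-empty finding set; a redirected ServiceDll or an unsigned DLL at that path is the signal, the start-type change is corroboration.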

Indicators of Compromise

  • [Files] – 10FB52E4A3D5D6BDA0D22BB7C962BDE95B8DA3DD (wcdbcrk.dll), E5214AB93B3A1FC3993EF2B4AD04DFCC5400D5E2 (sebasek.dll), D60EE17418CC4202BB57909BEC69A76BD318EEB4 (kstrcs.dll), 2AC41FFCDE6C8409153DF22872D46CD259766903 (gmck.dll) – MgBot plugins and installer.
  • [Domains] – update.browser.qq[.]com, c.gj.qq[.]com – Malicious update URL domains observed in the campaign.
  • [IPs] – 122.10.88[.]226, 122.10.90[.]12 – MgBot C2 servers observed in telemetry.

Read more: https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/