Evasive Panda APT poisons DNS requests to deliver MgBot

MITRE Techniques

• [T1557 ] Adversary-in-the-Middle – Used to redirect legitimate website requests to attacker servers and serve payloads; ‘adversary-in-the-middle (AitM) attacks’.
• [T1574.002 ] DLL Side-Loading – Loader uses a signed legacy executable to load a malicious DLL and execute payloads; ‘resides in the memory space of a decade-old signed executable by using DLL sideloading’.
• [T1055 ] Process Injection – Implant executed in memory by injecting it into legitimate processes to maintain stealth; ‘allows them to execute their MgBot implant in memory by injecting it into legitimate processes’.
• [T1105 ] Ingress Tool Transfer – Second-stage shellcode and payloads retrieved from web resources controlled by the attacker (disguised as legitimate content); ‘obtained the encrypted second-stage shellcode, disguised as a PNG file, from the legitimate website dictionary[.]com’.
• [T1071.001 ] Application Layer Protocol: Web Protocols – HTTP requests with custom headers used to request tailored payloads and fingerprint OS versions; ‘sec-ch-ua-platform: windows %d.%d.%d.%d.%d.%d’.
• [T1195 ] Supply Chain Compromise – Use of forged update packages and fake updaters to distribute malware under the guise of legitimate software updates; ‘supply-chain compromise’.
• [T1189 ] Drive-by Compromise (Watering Hole) – Use of legitimate websites (e.g., dictionary[.]com) manipulated to serve payloads to targeted victims; ‘watering-hole attacks’.
• [T1027 ] Obfuscated Files or Information – Multiple stages of XOR obfuscation, compressed buffers, and encrypted strings to conceal configuration and code; ‘all relevant strings in the malware, such as SYSTEM and ext.exe, are encrypted, and the loader decrypts them with a specific XOR algorithm’.