Kaspersky has released new findings on a sophisticated cyber espionage campaign by the Evasive Panda threat actor. The attackers executed their malware by injecting it into legitimate system processes and maintained a stealthy presence on compromised systems. The operation, active from November 2022 to November 2024, compromised systems in Türkiye, China and India, with some infections persisting for more than a year. The findings underscore the group's evolving tactics and its commitment to long-term infiltration of targeted networks.
The attack employs deceptive lures disguised as legitimate software updates for popular Windows applications, including SohuVA, iQIYI Video, IObit Smart Defrag, and Tencent QQ. These fake updaters are designed to blend seamlessly with trusted software, allowing the attackers to initiate malicious activities without immediate detection. The attackers also used a DNS poisoning technique to deliver a malware component from their server, making it appear as if it was stored on a popular legitimate website.
At the core of the attack is the decade-old MgBot implant, a modular malware framework used by Evasive Panda for cyber espionage since at least 2012, featuring plugins for tasks like keylogging, file theft, and command execution. For attacks in 2022-2024, MgBot was updated with new configurations, including multiple command-and-control (C2) servers to ensure intrusion redundancy and prolonged access.
"This campaign exemplifies the attackers’ efforts in evading defenses while reusing proven tools like MgBot. In a two-year-long campaign, they've demonstrated a resource-intensive and persistent approach which exploits user trust in everyday applications to maintain footholds in critical systems. What stands out is their adaptive deployment strategy, tailoring implants to specific OS environments on the server side, allowing for highly targeted espionage. Organizations need proactive, intelligence-driven security measures to counter such enduring campaigns," comments Fatih Sensoy, security expert at Kaspersky.
Kaspersky urges organizations and individual users to remain vigilant against this and similar threats. Based on the investigation, Kaspersky recommends the following:
· Organizations should enforce multi-factor authentication for software updates and use endpoint detection tools to scrutinize update packages for anomalies, such as files written to unexpected locations or code that resembles known malicious templates.
· Organizations should enhance network monitoring for Adversary-in-the-Middle (AitM) attack indicators: regularly audit DNS responses and network traffic for signs of poisoning or interception.
· Organizations should also train users to recognize phishing lures disguised as updates from trusted vendors.
· Individual users should perform proactive scans for malware using proven protective solutions.
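One concrete form of the DNS audit recommended above, as an added example that is not part of Kaspersky's report or tooling: compare the answers a corporate resolver handed out with a reference you trust (the vendor's published address ranges, or answers fetched out-of-band from a DNS-over-HTTPS resolver), and flag any host whose answer points somewhere else, which is what a poisoned record for a legitimate update or CDN domain would look like. The log format, hostnames, addresses and reference ranges are all constructed assumptions for the example; real deployments would feed this from a Zeek dns.log, resolver query logs or Passive DNS.

```python
"""
Added example (not from Kaspersky's report): flag DNS answers that disagree
with a trusted reference, the check the AitM / DNS-poisoning recommendation
above calls for. All hostnames, addresses and log lines are constructed
sample data in reserved documentation ranges, not real indicators.
"""
import ipaddress
from collections import defaultdict

# Constructed sample of answers seen from the local resolver, in an assumed
# simplified format: <timestamp> <client_ip> <qname> <answer_ip>
OBSERVED_LOG = """\
2024-05-01T09:12:03Z 10.0.0.15 update.example-vendor.test 198.51.100.20
2024-05-01T09:12:05Z 10.0.0.15 cdn.example-vendor.test 203.0.113.7
2024-05-01T09:13:10Z 10.0.0.22 update.example-vendor.test 192.0.2.44
2024-05-01T09:14:00Z 10.0.0.22 www.example-news.test 198.51.100.9
"""

# Constructed reference: the address ranges each name is expected to resolve
# into (assumption: obtained out-of-band, e.g. from a trusted DoH resolver).
REFERENCE = {
    "update.example-vendor.test": {"198.51.100.0/24"},
    "cdn.example-vendor.test": {"203.0.113.0/24"},
    "www.example-news.test": {"198.51.100.0/24"},
}


def parse_log(text):
    """Parse lines of the form: <timestamp> <client_ip> <qname> <answer_ip>."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the audit
        ts, client, qname, answer = parts
        records.append({"ts": ts, "client": client,
                        "qname": qname.lower().rstrip("."), "answer": answer})
    return records


def is_expected(qname, answer_ip, reference):
    """True/False when qname has a reference entry, None when it has none."""
    ranges = reference.get(qname)
    if ranges is None:
        return None
    ip = ipaddress.ip_address(answer_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)


def find_suspect_answers(log_text, reference):
    """Answers for known names that fall outside their reference ranges."""
    return [r for r in parse_log(log_text)
            if is_expected(r["qname"], r["answer"], reference) is False]


def divergent_names(log_text):
    """Names that resolved to more than one distinct address in the log.

    Useful even without a reference list: a name that answers differently
    for different clients in a short window deserves a closer look.
    """
    seen = defaultdict(set)
    for r in parse_log(log_text):
        seen[r["qname"]].add(r["answer"])
    return {name: ips for name, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    for rec in find_suspect_answers(OBSERVED_LOG, REFERENCE):
        print(f"SUSPECT {rec['ts']} client={rec['client']} "
              f"{rec['qname']} -> {rec['answer']} (outside reference ranges)")
    for name, ips in divergent_names(OBSERVED_LOG).items():
        print(f"DIVERGENT {name}: {sorted(ips)}")
```

On the constructed sample this flags the single answer for update.example-vendor.test that lands in 192.0.2.0/24 rather than the expected range, and reports that name as resolving to two different addresses. Names with no reference entry are deliberately left unflagged rather than guessed at; populate the reference from a source the resolver under audit cannot influence, otherwise a poisoned cache would simply confirm itself.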
Detailed information is available on Securelist.