China’s ‘Evasive Panda’ Found Hijacking Updates For Espionage Purposes
Researchers at ESET discovered that installers for the Evasive Panda backdoor, MgBot, had been delivered through the update channels of otherwise legitimate applications. The campaign appears aimed at stealing credentials and data for cyber espionage and has been ongoing for two years. The attacks were targeted at specific individuals in China and Nigeria, while everyone else received clean, legitimate updates.
“During our investigation, we discovered that when performing automated updates, a legitimate application software component downloaded MgBot backdoor installers from legitimate URLs and IP addresses,” intelligence analyst Facundo Munoz wrote in the post.
Researchers observed the highest number of infected updates coming from an updater for the Tencent QQ Windows client:
“Given the targeted nature of the attacks, we speculate that attackers would have needed to compromise the QQ update servers to introduce a mechanism to identify the targeted users to deliver them the malware, filtering out non-targeted users and delivering them legitimate updates,” Munoz wrote.
Roy Akerman, Co-Founder & CEO, Rezonate:
“Despite increased investment in supply chain defenses, attackers continue to bypass controls and drop malware with legitimate processes and applications. Tencent’s QQ Windows client has been used for a long time now as a way to socially engineer and distribute malware in a targeted manner. This approach enables a wide reach across the entire platform as well as offering the shield of authenticity.
“We’re seeing the targeting of accounts happening more often vs. the traditional spray and pray, to meet a specific objective. A layered defense, continuous education of employees and monitoring of identity behavior for abuse of privileges are more critical than ever.”
This illustrates how dangerous some of these threat actor groups are: packaging a backdoor inside a legitimate, trusted update channel is a crafty technique that sidesteps the usual suspicion a user applies to unknown downloads. It shows that more needs to be done at both the technology and the human level to stop attacks like these from succeeding.
This entry was posted on May 1, 2023 at 8:58 am and is filed under Commentary with tags ESET.