Insight Into Evasive Panda: A Closer Look at the Latest Cyber Espionage Campaign
Overview of Evasive Panda’s Activities
A recent cybersecurity analysis by Kaspersky sheds light on the intricacies of a cyber espionage campaign linked to a group known as Evasive Panda. This threat actor, also referred to as Bronze Highland, Daggerfly, and StormBamboo, has allegedly been active since at least 2012. The group specifically employed a technique called Domain Name System (DNS) poisoning to facilitate their operations, targeting victims primarily in Türkiye, China, and India between November 2022 and November 2024.
Techniques Utilized by Evasive Panda
According to Kaspersky researcher Fatih Şensoy, Evasive Panda has homed in on a method called adversary-in-the-middle (AitM) attacks. This approach allowed them to drop malicious loaders into specific locations while keeping the encrypted components of their malware on servers they control. These operations typically began with manipulated DNS responses to requests for particular websites.
DNS Poisoning: A Key Strategy
This isn’t the first instance where Evasive Panda’s DNS manipulation has been noted. A previous report from ESET in April 2023 indicated that the group had potentially executed a supply chain compromise or AitM attack. This targeted an international NGO in Mainland China by distributing trojanized applications like Tencent QQ. Further, in August 2024, Volexity revealed that Evasive Panda had compromised an unnamed Internet Service Provider (ISP) through DNS poisoning, enabling them to distribute malicious software updates to specified targets.
Lures and Payloads
In these attacks, Evasive Panda has been found using deceptive tactics, masquerading as updates for legitimate software. One of the examples includes phony updates for SohuVA, a video streaming service from Sohu. This update was delivered from a specific domain believed to be part of the DNS poisoning effort. As noted by Şensoy, attackers likely altered DNS responses to redirect users to a server controlled by them during these update processes.
Additionally, the group has been observed using fake update modules for other software applications, including Baidu’s iQIYI Video, IObit Smart Defrag, and Tencent QQ.
Delivery of Malicious Payloads
One of the more sophisticated elements of Evasive Panda’s operations is the delivery of an initial loader responsible for executing shellcode. The shellcode it first fetches is disguised as a PNG image and is retrieved, by way of DNS poisoning, from what appear to be legitimate websites such as dictionary.com. The attackers appear to have manipulated the IP addresses to which these sites resolve, so that victims’ systems, depending on their geographical location, resolve them to malicious addresses instead.
The extent to which Evasive Panda is able to poison DNS responses remains an area of investigation. Speculation suggests the group may have compromised ISPs or routers to execute their attacks selectively.
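Because the poisoning described above is applied selectively, the most practical defensive check is to compare what the victim-side resolver returns with what an out-of-band resolver returns for the same names. The script below is an added example written for this article, not Kaspersky's tooling; the log format, the `.test` hostnames and the addresses (taken from documentation ranges) are all constructed. It flags names whose local answers share nothing with the reference answers, and separately lists addresses that several unrelated names resolve to, which is what a single attacker host answering for many poisoned names looks like.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log: timestamp, vantage point, queried name, answer.
# "local" is the resolver the victim network uses; "ref" is an out-of-band reference resolver
# (for example a DNS-over-HTTPS service reached over a different network path).
SAMPLE_LOG = """\
2024-06-01T10:00:01Z local update.example-video.test 203.0.113.7
2024-06-01T10:00:01Z local www.example-dictionary.test 203.0.113.7
2024-06-01T10:00:02Z local cdn.example-good.test 198.51.100.20
2024-06-01T10:00:01Z ref update.example-video.test 198.51.100.10
2024-06-01T10:00:01Z ref update.example-video.test 198.51.100.11
2024-06-01T10:00:01Z ref www.example-dictionary.test 198.51.100.30
2024-06-01T10:00:02Z ref cdn.example-good.test 198.51.100.20
"""


def parse_log(text: str) -> dict[str, dict[str, set[str]]]:
    """Group answers as answers[vantage][qname] -> {ip, ...}; malformed lines are skipped."""
    answers: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, vantage, qname, ip = parts
        try:
            ipaddress.ip_address(ip)          # drop anything that is not a real address
        except ValueError:
            continue
        answers[vantage][qname.lower().rstrip(".")].add(ip)
    return answers


def find_divergent(answers, local="local", reference="ref"):
    """Names whose local answer set has no address in common with the reference answer set."""
    divergent = []
    for qname, local_ips in sorted(answers.get(local, {}).items()):
        ref_ips = answers.get(reference, {}).get(qname, set())
        if ref_ips and not (local_ips & ref_ips):
            divergent.append({"qname": qname,
                              "local": sorted(local_ips),
                              "reference": sorted(ref_ips)})
    return divergent


def shared_sinks(name_to_ips, min_names=2):
    """Addresses that at least min_names distinct names resolve to from one vantage point."""
    by_ip = defaultdict(set)
    for qname, ips in name_to_ips.items():
        for ip in ips:
            by_ip[ip].add(qname)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= min_names}


if __name__ == "__main__":
    answers = parse_log(SAMPLE_LOG)
    for hit in find_divergent(answers):
        print("divergent:", hit)
    for ip, names in shared_sinks(answers["local"]).items():
        print("shared sink:", ip, "<-", ", ".join(names))
```

Two caveats matter when using this for real. CDN-fronted sites legitimately answer differently by region, so the reference resolver should be queried from the same region or the comparison made against the site's published address ranges; divergence is a reason to look, not proof of poisoning. And since Kaspersky speculates that the ISP itself may be compromised, a reference resolver reached through that same ISP's infrastructure proves nothing; the reference path has to be genuinely independent (encrypted DNS to a resolver outside the suspect network).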
Targeting Systems and Longer-Term Impacts
As the campaign unfolded, victims’ Windows versions were often requested via HTTP to tailor the attack based on specific system attributes. Kaspersky highlights how Evasive Panda has previously used watering hole attacks to spread malware, such as MACMA targeting Apple’s macOS.
While the exact nature of the second-stage payload remains unclear, the initial shellcode’s role is to decrypt and execute the retrieved payload, which is likely customized for each victim to avoid detection.
The Complexity of Malware Deployment
A notable aspect of this campaign is the secondary loader known as “libpython2.4.dll.” This loader uses an older version of “python.exe” and retrieves the next-stage malware by reading a file stored in a system directory. Kaspersky detailed how attackers employ a complex encryption method for the payload, making it deliberately challenging to analyze.
By utilizing a hybrid encryption approach, Evasive Panda ensures that the payload cannot be decrypted, and therefore analyzed, anywhere but on the intended system. Upon successful execution, the nefarious code—an MgBot variant—is injected into the legitimate “svchost.exe” process. This malware is capable of significant malicious actions, such as harvesting files, logging keystrokes, capturing clipboard information, recording audio, and stealing web browser credentials.
Conclusion: An Evolving Threat Landscape
Evasive Panda continues to illustrate its advanced cyber capabilities, employing innovative techniques to evade security measures while establishing a long-term presence in targeted systems. The ongoing evolution of their methods underscores the importance of vigilance in cybersecurity practices to combat such sophisticated attacks.