Security researchers at ESET have detected a new malware campaign that uses a custom backdoor called MgBot.
The campaign is believed to be carried out by the APT group Evasive Panda, which is also known as Daggerfly and Bronze Highland.
The cyberespionage group has been active since 2012, with a historical focus on targeting individuals and government entities in several Asian and African countries, including mainland China, India, Hong Kong, Macao, Malaysia, Myanmar, the Philippines, Nigeria, Taiwan, and Vietnam.
During an investigation into a MgBot backdoor attack in January 2022, ESET uncovered a more extensive malicious campaign that began in 2020 and persisted throughout 2021.
The campaign targeted individuals in China’s Gansu, Guangdong, and Jiangsu provinces.
Facundo Munoz, an ESET security intelligence analyst and malware researcher, said that during the investigation, “we discovered that when performing automated updates, a legitimate application software component downloaded MgBot backdoor installers from legitimate URLs and IP addresses.”
According to the researchers, the MgBot backdoor is unique to Evasive Panda, and they have not observed any other threat actors using it.
This made it relatively simple to attribute the malicious activity to the Chinese APT group, as the use of their custom malware is a characteristic trademark of Evasive Panda’s operations.
The modular nature of the malware allows the group to spy on their targets and expand their capabilities as needed during the course of their attacks.
During their investigation, ESET observed that the trojanized versions of the updater file retrieve the malware from a hardcoded URL, which appears to be “update.browser.qq[.]com“.
The downloaded installer is decrypted with a hardcoded key, and its MD5 hash matches the value the update server supplies. A hash that arrives over the same channel as the file only guards against a corrupted download: whoever controls or impersonates the server can serve a malicious file together with a matching hash, so the check does not establish that the file came from the vendor.
However, it is important to note that the legitimacy of this URL has not been verified, and ESET has yet to receive a response from Tencent when asked about it.
According to TheHackerNews, the observed behavior suggests two possible scenarios: either a compromise of Tencent QQ’s update servers through a supply chain attack or an adversary-in-the-middle (AitM) attack, as previously described by Kaspersky in June 2022.
Kaspersky’s report detailed an AitM attack carried out by a Chinese hacking group known as LuoYu.
According to ESET, there is insufficient evidence to support or dismiss either hypothesis in favor of the other.
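To make concrete why a hash check of this kind cannot separate the two hypotheses, here is an added Python example written for this article; it is not code from ESET's report, from Tencent's updater, or from MgBot. It simulates three update clients, one that trusts a server-supplied MD5, one that compares against a hash shipped with the client, and one that verifies a vendor signature, and runs each against a clean server and a compromised (or AitM-impersonated) one. The payloads, pinned hash and signing key are constructed for the demonstration, and HMAC-SHA256 stands in for the asymmetric code-signing signature a real updater would check with a public key.

```python
import hashlib
import hmac

# Constructed sample payloads for the demonstration; these are not real
# QQ updater or MgBot bytes.
LEGIT_UPDATE = b"QQBrowserUpdate 1.2.3 (constructed benign sample)"
TAMPERED_UPDATE = b"QQBrowserUpdate 1.2.3 (constructed sample with implant)"

# Material the client ships with, obtained out of band at build time
# (hypothetical values for the demonstration).
PINNED_SHA256 = hashlib.sha256(LEGIT_UPDATE).hexdigest()
VENDOR_SIGNING_KEY = b"vendor-key-never-stored-on-the-update-server"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def vendor_sign(data: bytes) -> str:
    # HMAC-SHA256 stands in for a code-signing signature: only the vendor
    # holds VENDOR_SIGNING_KEY, so an attacker on the update path cannot
    # compute it for a tampered file. Real updaters use asymmetric
    # signatures and the client holds only the public key.
    return hmac.new(VENDOR_SIGNING_KEY, data, "sha256").hexdigest()


class UpdateServer:
    """Simulated update server (constructed for the demonstration).

    When compromised, or impersonated by an AitM, it serves the tampered
    file together with an MD5 computed over that file, so the file and
    the server-supplied hash are self-consistent. The vendor signature it
    relays is the one issued at build time for the genuine file, because
    the attacker cannot forge a new one.
    """

    def __init__(self, compromised: bool):
        self.payload = TAMPERED_UPDATE if compromised else LEGIT_UPDATE

    def manifest(self) -> dict:
        return {"md5": md5_hex(self.payload), "sig": vendor_sign(LEGIT_UPDATE)}

    def download(self) -> bytes:
        return self.payload


def verify_server_hash(server: UpdateServer) -> bool:
    """Policy A: compare the download against the MD5 the server sent.
    Catches corruption in transit, not a malicious server or an AitM."""
    return md5_hex(server.download()) == server.manifest()["md5"]


def verify_pinned_hash(server: UpdateServer) -> bool:
    """Policy B: compare against a hash the client already holds."""
    got = hashlib.sha256(server.download()).hexdigest()
    return hmac.compare_digest(got, PINNED_SHA256)


def verify_signed_manifest(server: UpdateServer) -> bool:
    """Policy C: verify a vendor signature over the downloaded bytes."""
    expected = vendor_sign(server.download())
    return hmac.compare_digest(expected, server.manifest()["sig"])


def evaluate() -> dict:
    """Run each policy against a clean and a compromised server."""
    policies = [
        ("server_md5", verify_server_hash),
        ("pinned_hash", verify_pinned_hash),
        ("vendor_signature", verify_signed_manifest),
    ]
    return {
        name: {
            "clean": policy(UpdateServer(compromised=False)),
            "compromised": policy(UpdateServer(compromised=True)),
        }
        for name, policy in policies
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:17} clean={result['clean']}  compromised={result['compromised']}")
```

The server-supplied MD5 passes in both runs, which is exactly why the observed check says nothing about whether the update infrastructure or the network path was the point of compromise; only a value the attacker cannot produce, a hash pinned in the client or a signature from a key the server never holds, rejects the tampered file.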
Both methods have been used in previous Chinese APT attacks.
As SecurityWeek pointed out, the MgBot backdoor used in these attacks is written in C++ and uses plugins to extend its capabilities.
It allows attackers to collect a vast amount of data from victims’ Windows machines.
The malware has the ability to record keystrokes, steal files from hard disks, USB drives, and CDs, as well as scrape clipboard content and capture audio.
Additionally, it can steal credentials from multiple applications, including Outlook, Foxmail, Chrome, Firefox, FileZilla, Opera, QQBrowser, WinSCP, and more.
The malware can also steal browser cookies.