
Evasive Panda Unfurls Cloud Services Under Siege

Evasive Panda, a China-sponsored hacking group, has deployed CloudScout, a professionally built toolset that uses stolen web session cookies to retrieve data from compromised cloud services. ESET researchers found CloudScout while investigating two past intrusions in Taiwan, one at a religious institution and the other at a government entity. CloudScout is written in .NET and was designed to integrate with MgBot, Evasive Panda's proprietary malware framework.

The workflow is straightforward: MgBot passes cookies it has already stolen from the victim's browser to CloudScout, which replays them in its own web requests to the cloud service. This is the pass-the-cookie technique: because the service accepts the session cookie as proof of authentication, whoever holds the cookie inherits the authenticated session without needing the password or a second factor. Evasive Panda is also tracked as BRONZE HIGHLAND, Daggerfly, and StormBamboo, and has been active since at least 2012.
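The hijack described above is invisible to the cloud service itself, since a replayed cookie is indistinguishable from the victim's own. What a defender can see is the same session cookie arriving from a different client. The following Python is an added example, not code from ESET or from Evasive Panda's tooling, that runs that check over a constructed, simplified access log: it binds each session id to the IP address and User-Agent that logged in, and flags any later request carrying that cookie from a different client without an intervening login. The log format, IP addresses, user names and session ids are all invented for the example.

```python
"""Detect replayed session cookies (pass-the-cookie) in a web access log.

Added example: the log format below is constructed for illustration and does
not match any particular cloud provider's audit log.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample lines: timestamp, client IP, User-Agent, session id,
# user, method, path.  Alice logs in from a Windows browser, then her cookie
# shows up an hour later from a scripted client at a different address.
SAMPLE_LOG = """\
2024-10-01T08:00:01Z 203.0.113.10 "Mozilla/5.0 (Windows NT 10.0) Chrome/118" sid=a1b2c3 user=alice POST /login
2024-10-01T08:00:05Z 203.0.113.10 "Mozilla/5.0 (Windows NT 10.0) Chrome/118" sid=a1b2c3 user=alice GET /mail/inbox
2024-10-01T08:10:00Z 192.0.2.55 "Mozilla/5.0 (Macintosh) Safari/17" sid=d4e5f6 user=bob POST /login
2024-10-01T08:12:00Z 192.0.2.55 "Mozilla/5.0 (Macintosh) Safari/17" sid=d4e5f6 user=bob GET /mail/inbox
2024-10-01T09:15:22Z 198.51.100.7 "python-requests/2.31" sid=a1b2c3 user=alice GET /drive/files
2024-10-01T09:15:23Z 198.51.100.7 "python-requests/2.31" sid=a1b2c3 user=alice GET /drive/download?id=42
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<ua>[^"]*)" sid=(?P<sid>\S+) '
    r'user=(?P<user>\S+) (?P<method>\S+) (?P<path>\S+)$'
)


@dataclass(frozen=True)
class Request:
    ts: datetime
    ip: str
    ua: str
    sid: str
    user: str
    method: str
    path: str


def parse_log(text: str) -> list[Request]:
    """Parse log lines into Request records, oldest first; malformed lines are skipped."""
    reqs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        reqs.append(Request(
            ts=datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            ip=d["ip"], ua=d["ua"], sid=d["sid"], user=d["user"],
            method=d["method"], path=d["path"],
        ))
    return sorted(reqs, key=lambda r: r.ts)


def find_pass_the_cookie(reqs: list[Request], login_path: str = "/login") -> dict:
    """Flag session ids that are replayed from a new (IP, User-Agent) client.

    A login request (re)binds the session id to the client that performed it;
    any later request presenting the same id from a different client, with no
    login in between, is reported.  Returns {sid: finding}.
    """
    bound: dict[str, tuple[str, str]] = {}
    findings: dict[str, dict] = {}
    for r in reqs:
        client = (r.ip, r.ua)
        if r.path == login_path:
            bound[r.sid] = client          # legitimate (re)authentication
            continue
        if r.sid not in bound:
            bound[r.sid] = client          # first sighting, nothing to compare yet
            continue
        if client != bound[r.sid]:
            f = findings.setdefault(r.sid, {
                "user": r.user,
                "origin": bound[r.sid],
                "replayer": client,
                "paths": [],
            })
            f["paths"].append(r.path)
    return findings


if __name__ == "__main__":
    for sid, f in find_pass_the_cookie(parse_log(SAMPLE_LOG)).items():
        print(f"session {sid} of {f['user']} bound to {f['origin']} "
              f"replayed by {f['replayer']}: {f['paths']}")
```

On the sample data the detector reports Alice's session only: her cookie, bound to a Chrome browser on 203.0.113.10, is replayed by a python-requests client on 198.51.100.7 to list and download Drive files. Two caveats for real deployments: an IP or User-Agent change is not proof of theft (mobile networks and browser updates change both), and tooling like CloudScout can copy the victim's User-Agent, so ASN, geolocation and impossible-travel checks on the IP should carry more weight than the UA string.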

Evasive Panda's objective is cyberespionage against countries, institutions, and individuals that oppose China's interests, including independence movements in the Tibetan diaspora, religious and academic institutions in Taiwan and Hong Kong, and supporters of democracy inside China. Its operations have also been observed extending to other countries, including Vietnam, Myanmar, and South Korea.

Evasive Panda has accumulated an unusually broad set of attack vectors. Its operators have carried out supply-chain and watering-hole attacks and DNS hijacking, and have exploited recent CVEs affecting Microsoft Office, Confluence, and web server applications to gain initial access. The group is also a capable malware developer, as shown by its well-documented collection of multi-platform backdoors for Windows, macOS, and Android.

Its most commonly used Windows implants are MgBot (a custom malware framework with eight plugins, described in earlier ESET research) and the more recently developed Nightdoor, a sophisticated backdoor that uses a public cloud service to communicate with its command-and-control servers. CloudScout itself is built on an internal framework that handles configuration, cookie management and decryption, and the web requests its modules need to issue to the targeted services.

That framework, packaged as CommonUtilities, gives CloudScout its own HTTP request and cookie handling, which lets each module adapt to the different structure of the service it targets. Each module runs in a loop: it monitors a directory for new configuration files, runs an extraction cycle when one appears, and then removes the evidence of its activity. The modules also contain language preferences and region-specific settings that indicate CloudScout was tailored for Taiwanese users. ESET's analysis suggests that additional modules targeting social media services such as Facebook and Twitter may exist, but none have been seen in active deployments so far.

CloudScout is a .NET toolset that Evasive Panda uses to steal data stored in cloud services, ESET researcher Anh Ho explained. Using the pass-the-cookie technique, it hijacks authenticated web sessions with cookies that MgBot has already stolen from the victim's browser.

Separately, the Government of Canada has accused a "sophisticated state-sponsored threat actor" from China of conducting a broad reconnaissance campaign, spanning several months, against a wide range of Canadian domains.

According to the statement, most of the targeted organizations were Canadian government departments and agencies, along with federal political parties and the House of Commons and the Senate. The actor also targeted dozens of other entities across democratic institutions, critical infrastructure, the defence sector, media organizations, think tanks, and non-governmental organizations (NGOs), a reach that underscores the seriousness of the ongoing threat. Evasive Panda, also tracked as Bronze Highland, Daggerfly, and StormBamboo, has been engaged in cyberespionage since at least 2012.

Its primary focus has been civil society, especially groups associated with independence movements and democratic advocacy. ESET researchers note that the group concentrates on independence movements within the Tibetan diaspora, religious and academic organizations in Taiwan and Hong Kong, and democracy supporters within China. In recent years its operations have extended to Vietnam, Myanmar, South Korea and, to a lesser extent, Nigeria. According to the researchers, Evasive Panda continually evolves its attack techniques.

The latest attacks show a marked increase in sophistication, signalling the group's commitment to refining its tradecraft and adapting to defenders. That raises the urgency for national and international stakeholders to strengthen their defences against this persistent and increasingly capable espionage threat.

State-Sponsored Cyber Threats: Daggerfly’s Upgraded Malware Toolkit

According to a Symantec investigation, the prolific Chinese espionage group Daggerfly (also known as Evasive Panda and Bronze Highland) has substantially upgraded its malware toolset, extending its reach to all of the major operating systems.

The latest developments show the group using a single shared framework to target Windows, Linux, macOS, and Android.

The researchers saw the group using new malware versions in recent operations against Taiwanese organizations and a US NGO operating in China.

The Evolution of Daggerfly

Daggerfly has been active for over a decade, conducting espionage operations both internationally and within China. Its targets have included government agencies, defense contractors, and industries critical to national security. Over the years the group has shown a high level of sophistication, continually evolving its tactics, techniques, and procedures (TTPs) to stay ahead of detection.

In April 2023, Symantec reported on a Daggerfly campaign against an African telecoms operator in which the group used new plugins built for the MgBot malware framework.

In March 2024, ESET identified persistent Daggerfly campaigns targeting Tibetans in multiple countries and territories. The researchers observed the group using Nightdoor, a previously undocumented backdoor.

Daggerfly appears able to respond to public disclosure by quickly updating its toolset and continuing its espionage with minimal disruption.

The Upgraded Malware Arsenal

Symantec said it found evidence that Daggerfly developed the macOS backdoor Macma. Macma was first documented by Google in 2021, but appears to have been in use since at least 2019.

According to Google's initial analysis, the modular backdoor offers a range of data-collection capabilities, including device fingerprinting, command execution, screen capture, keylogging, audio recording, and file upload and download.

A second version of Macma contains incremental improvements to these capabilities, such as more debug logging and updated modules in the appended data.

Its main module shows more substantial changes, including new logic to collect a file system listing and modified code in the AudioRecorderHelper function.

Symantec linked Macma to Daggerfly after discovering two variants of the Macma backdoor connected to a command-and-control (C&C) server also used by a MgBot dropper.

Furthermore, Macma and other known Daggerfly malware such as MgBot incorporate code from a single shared library or framework that has been used to build threats for Windows, macOS, Linux, and Android.

The researchers also noted Daggerfly's usage of the Windows backdoor Suzafk, which ESET initially identified as Nightdoor in March 2024.

Implications for Cybersecurity

Suzafk is a multi-stage backdoor that can use TCP or OneDrive for command and control. It was built from the same shared library as MgBot, Macma, and several other Daggerfly tools.

The researchers found a configuration suggesting that the OneDrive channel is still in development or is used in other copies of the malware.

Beyond the tools described above, Symantec says Daggerfly's arsenal includes Trojanized Android APKs, SMS interception tools, DNS request interception tools, and even malware families targeting the Solaris operating system.

The Broader Context of Cyber Espionage

Daggerfly’s activities are part of a broader trend of state-sponsored cyber espionage. Nation-states invest heavily in cyber capabilities to gain strategic advantages over their adversaries. These activities often target critical infrastructure, intellectual property, and sensitive government information.

The international community has recognized the threat posed by state-sponsored cyber espionage, leading to increased efforts to develop norms and agreements to govern state behavior in cyberspace. However, the covert nature of these operations makes attribution and enforcement challenging.

China State-Sponsored Spies Hack Site and Target User Systems in Asia

Chinese threat actors strike again

Users of a Tibetan language translation app and website visitors to a Buddhist festival were compromised by a focused watering-hole malware connected to a Chinese threat group.

According to recent ESET data, the campaign by the so-called Evasive Panda hacking group began in September 2023 or earlier and affected systems in Taiwan, Hong Kong, Australia, and the United States.

During the campaign the attackers compromised the websites of three organizations: a software developer that provides Tibetan-language translation tools; an India-based organization that promotes Tibetan Buddhism; and the news website Tibetpost, which was used, without its knowledge, to host the malicious payloads. Visitors from specific geographic regions were served droppers and backdoors, including Nightdoor, a relatively new backdoor, and the group's favourite, MgBot.

Adversary in the middle attacks

According to ESET researcher Anh Ho, who uncovered the attack, the group used a striking range of attack vectors in the campaign, including phishing emails, watering holes, and adversary-in-the-middle (AitM) attacks on software updates served from compromised development servers.

"The fact that they orchestrate both a supply chain and watering-hole attack within the same campaign showcases the resources they have," according to him. "Nightdoor is quite complex, which is technically significant, but in my opinion, Evasive Panda's [most significant] attribute is the variety of the attack vectors they have been able to perform."

Evasive Panda is a relatively small unit that is typically tasked with surveillance missions in Asia and Africa, mostly targeting individuals and organizations. SentinelOne has linked the group to attacks on telecom companies in 2023 under the name Operation Tainted Love. According to Microsoft, it is also related to the attribution group Granite Typhoon, formerly Gallium. Symantec tracks it as Daggerfly, and Google Mandiant reports that it shares similarities with a group of cybercriminals and spies known as

Supply chain and watering holes compromises

The group, which has been active since 2012, is well-known for its supply chain attacks and for using stolen code-signing credentials and program upgrades in 2023 to infect users' PCs in China and Africa.

The organization commandeered a website for the Tibetan Buddhist Monlam festival in this most recent campaign, according to ESET's published analysis, to provide a backdoor or downloader tool that downloaded malicious payloads from a compromised Tibetan news site.

The hackers used Trojanized applications to infect macOS and Windows machines, and also compromised a vendor of Tibetan translation software to reach further users.

Cyber espionage links

Evasive Panda created MgBot, a proprietary malware framework with a modular architecture that can download additional components, run code, and steal data. MgBot modules can fetch further capabilities and spy on compromised victims, among other functions.

Using the MgBot downloader to deliver final payloads, Evasive Panda targeted users in India and Hong Kong in 2020, according to Malwarebytes, which connected the organization to earlier assaults in 2014 and 2018.

Nightdoor, which the group has used since 2020, is a backdoor that communicates with a command-and-control server to receive commands, upload data, and open a reverse shell.