
The advanced persistent threat group referred to as Evasive Panda has been observed targeting an international non-governmental organization in Mainland China with malware delivered via update channels of legitimate applications like Tencent QQ. The attack chains are designed to distribute a Windows installer for MgBot malware, ESET security researcher Facundo Muñoz said in a new report published today.
The group's hallmark is the use of the custom MgBot modular malware framework, which is capable of receiving additional components on the fly to expand on its intelligence-gathering capabilities.
ESET, which discovered the campaign in January 2022 after a legitimate Chinese application was used to deploy an installer for the MgBot backdoor, said the targeted users were located in the Gansu, Guangdong, and Jiangsu provinces and are members of an unnamed international NGO. The trojanized application is the Tencent QQ Windows client software updater hosted on the domain "Update.browser.qq[.]com." It's not immediately clear how the threat actor managed to deliver the implant through legitimate updates.
This points to one of two scenarios: a supply chain compromise of Tencent QQ's update servers, or an adversary-in-the-middle attack of the kind Kaspersky detailed in June 2022 in connection with a Chinese hacking crew dubbed LuoYu.
In recent years, many software supply chain attacks have been orchestrated by nation-state groups from Russia, China, and North Korea.
This is significant as the findings come less than a week after Broadcom-owned Symantec detailed attacks mounted by the threat actor against telecom service providers in Africa using the MgBot malware framework.
News URL
https://thehackernews.com/2023/04/chinese-hackers-using-mgbot-malware-to.html