Researchers at ESET, a respected cybersecurity company, found that malware was being delivered to Chinese citizens through legitimate companies.
Hackers were able to abuse the software update mechanisms of several Chinese companies in order to slip malware into regular software updates. The researchers have strong confidence that the Chinese hacking group Evasive Panda is behind the attack. ESET found that the malware was delivered through the use of the MgBot backdoor, the signature backdoor used by Evasive Panda.
“Evasive Panda uses a custom backdoor known as MgBot, which was publicly documented in 2014 and has seen little evolution since then; to the best of our knowledge, the backdoor has not been used by any other group,” said ESET, before asserting that it was Evasive Panda with “high confidence.”
The hacker group has been around since at least 2012 and operates under multiple aliases, such as Daggerfly and BRONZE HIGHLAND. Its go-to method of attack is to deploy its own custom framework on vulnerable systems, which lets the group install its MgBot backdoor and further malware on victims’ machines.
“ESET Research has observed the group conducting cyberespionage against individuals in mainland China, Hong Kong, Macao, and Nigeria,” ESET reported. “Government entities were targeted in China, Macao, and Southeast and East Asian countries, specifically Myanmar, the Philippines, Taiwan, and Vietnam, while other organizations in China and Hong Kong were also targeted.”
This time, the researchers traced a broader malware campaign back to 2020, the year Malwarebytes released a report describing MgBot in use. However, they are not sure whether the attacks were carried out via a supply chain attack or through compromised internet infrastructure.
What they do know is that the malware spied on Chinese citizens by stealing credentials and sensitive information, including victims’ names, phone numbers, and even financial information.
If you’ve recently downloaded software updates, be sure to scan your machine with a quality antivirus to make sure no malicious files have been slipped in.