Evasive Panda APT Using AitM Attack and DNS Poisoning to Deliver Malware

Source: Cybersecurity News (cybersecuritynews.com), by Blog Writer

The Evasive Panda APT group, also known as Bronze Highland, Daggerfly, and StormBamboo, has been running targeted campaigns since November 2022, using advanced techniques to deliver the MgBot malware.

The group employs adversary-in-the-middle attacks combined with DNS poisoning to compromise specific victims across multiple industries. Recent findings show that these operations continued until November 2024, affecting users in Türkiye, China, and India.

The threat actors disguise their malicious executables as legitimate software updates for popular applications like SohuVA, iQIYI Video, IObit Smart Defrag, and Tencent QQ.

When users attempt to download updates, the attackers manipulate DNS responses to redirect traffic to servers they control. The malicious package, named sohuva_update_10.2.29.1-lup-s-tp.exe, appears as a genuine update but delivers malware from an attacker-controlled resource.

Securelist researchers identified that the attackers used a DNS poisoning attack to alter the DNS response of p2p.hd.sohu.com[.]cn to an attacker-controlled server’s IP address.

This technique intercepts legitimate update requests and delivers malicious payloads in their place. The group also stores encrypted pieces of the malware on its own servers and serves them to victims whose requests for specific websites have been redirected by the poisoned DNS answers, which makes the traffic hard to distinguish from ordinary browsing and detection difficult.

Decryption routine of encrypted strings (Source – Securelist)

The initial loader decrypts its configuration using an XOR-based decryption algorithm. It checks the logged-in username, and if the username is SYSTEM, the malware copies itself with a different name by adding the ext.exe suffix.

The loader then decrypts a 9,556-byte shellcode using a single-byte XOR key and stores it in the .data section.

Since this section lacks execute permission, the malware uses the VirtualProtect API to change the section’s permissions, allowing the shellcode to run without triggering security alerts.
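The configuration and shellcode decryption described above is single-byte XOR, which an analyst can undo without the sample's key. The following is an added example, not the loader's code or Securelist's tooling: it recovers the key from a known marker string, falls back to ranking keys by how text-like the output is, and splits the decoded configuration. The configuration text, marker `campaign=` and key 0x5A are constructed for the example.

```python
# Added example (not the loader's code): decoding a single-byte-XOR blob and
# recovering the key, as an analyst does when a loader stores its configuration
# or shellcode this way. The config text, marker and key below are constructed.
from typing import List, Optional, Tuple


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key to every byte (encoding and decoding are identical)."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, LF or CR."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def recover_xor_key(blob: bytes, known_plaintext: bytes) -> Optional[int]:
    """Try all 256 keys; return the one under which known_plaintext appears, else None."""
    for key in range(256):
        if known_plaintext in xor_bytes(blob, key):
            return key
    return None


def rank_keys_by_printability(blob: bytes, top: int = 5) -> List[Tuple[int, float]]:
    """Without known plaintext, rank keys by how text-like the decoded output is.
    Several keys can tie at 1.0 on short text, so treat this as a shortlist."""
    scored = [(k, printable_ratio(xor_bytes(blob, k))) for k in range(256)]
    scored.sort(key=lambda kv: kv[1], reverse=True)
    return scored[:top]


# Constructed stand-in for an encrypted config blob (the real one is not on the page).
SAMPLE_KEY = 0x5A
SAMPLE_CONFIG = b"campaign=demo-2024\r\nc2=198.51.100.200:443\r\nc2=203.0.113.77:8443\r\n"
SAMPLE_BLOB = xor_bytes(SAMPLE_CONFIG, SAMPLE_KEY)


def decode_config(blob: bytes) -> List[str]:
    """Recover the key via a string every config is expected to contain, then split entries."""
    key = recover_xor_key(blob, b"campaign=")
    if key is None:
        raise ValueError("no single-byte key yields the expected marker")
    return xor_bytes(blob, key).decode("ascii").strip().split("\r\n")


if __name__ == "__main__":
    print("key:", hex(recover_xor_key(SAMPLE_BLOB, b"campaign=")))
    for entry in decode_config(SAMPLE_BLOB):
        print(entry)
    print("shortlist:", rank_keys_by_printability(SAMPLE_BLOB))
```

Known plaintext is the reliable route: printability alone produces several equally plausible keys on short blobs, and it does not apply to shellcode at all, where the analyst instead looks for a key that yields a valid instruction stream.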

Infection Mechanism and Hybrid Encryption

The Evasive Panda group uses a multi-stage infection process with hybrid encryption to make analysis harder. The first-stage shellcode searches for a specific DAT file in the malware’s installation directory.

If found, it decrypts the file using the CryptUnprotectData API, which ensures the data can only be decrypted on the infected machine. After decryption, the shellcode deletes the file to remove traces of the attack.

General overview of storing payload on disk by using hybrid encryption (Source – Securelist)

If the DAT file is not present, the shellcode downloads encrypted data from dictionary[.]com, a legitimate-looking domain whose DNS resolution the attackers have poisoned.

The attackers manipulate the IP address associated with this website, causing victim systems to resolve it to different attacker-controlled IP addresses based on geographic location.
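Both redirections in this article, the update hosts and dictionary[.]com, rely on victims receiving a poisoned DNS answer, so a defender's first check is whether monitored names resolve to addresses they should not. The following is an added example, not from the article or Securelist: it parses resolver log lines into typed records, flags answers for allowlisted update hosts that fall outside their expected ranges, and summarises the distinct answers seen per name. The log format, domain names, addresses and the baseline allowlist are constructed; in practice the allowlist comes from the vendor's published ranges.

```python
# Added example (not from the article or Securelist): spotting poisoned answers
# for software-update hosts in resolver logs. Every domain, address and log line
# is constructed; the baseline allowlist is an assumption a defender would fill in.
import ipaddress
from collections import defaultdict

# Constructed resolver log, one answer per line:
# "<timestamp> <client-ip> <queried-name> <answer-ip>"
SAMPLE_LOG = """\
2024-11-01T09:00:01 10.0.0.11 updates.example-app.test 203.0.113.10
2024-11-01T09:00:02 10.0.0.12 updates.example-app.test 203.0.113.11
2024-11-01T09:05:44 10.0.0.13 updates.example-app.test 198.51.100.77
2024-11-01T09:06:10 10.0.0.14 cdn.example-dictionary.test 192.0.2.25
2024-11-01T09:06:11 10.0.0.15 cdn.example-dictionary.test 192.0.2.25
2024-11-01T09:07:30 10.0.0.16 www.unmonitored.test 198.51.100.5
"""

# Assumed allowlist: where each monitored update host is expected to resolve.
BASELINE = {
    "updates.example-app.test": ["203.0.113.0/24"],
    "cdn.example-dictionary.test": ["192.0.2.0/24"],
}


def parse_log(text: str) -> list:
    """Parse the constructed log format into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, answer = line.split()
        records.append({
            "ts": ts,
            "client": client,
            "qname": qname.lower().rstrip("."),
            "answer": ipaddress.ip_address(answer),
        })
    return records


def find_poisoned_answers(records: list, baseline: dict) -> list:
    """Return one alert per answer that falls outside the queried host's expected ranges."""
    nets = {host: [ipaddress.ip_network(n) for n in ranges] for host, ranges in baseline.items()}
    alerts = []
    for rec in records:
        expected = nets.get(rec["qname"])
        if expected is None:
            continue  # not a monitored update host
        if not any(rec["answer"] in net for net in expected):
            alerts.append({
                "ts": rec["ts"],
                "client": rec["client"],
                "qname": rec["qname"],
                "answer": str(rec["answer"]),
                "reason": "answer outside baseline ranges",
            })
    return alerts


def answers_per_host(records: list) -> dict:
    """Distinct answers seen per name: a monitored host that suddenly gains an
    unfamiliar address is worth a look even before a baseline exists."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec["qname"]].add(str(rec["answer"]))
    return {host: sorted(addrs) for host, addrs in seen.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for alert in find_poisoned_answers(recs, BASELINE):
        print(alert)
    print(answers_per_host(recs))
```

Because the article notes that different victims were sent to different attacker addresses by region, the per-host summary is the useful second signal: a single update host fanning out to addresses in unrelated networks within minutes deserves a comparison against an out-of-band resolver before the update is trusted.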

The malware retrieves a second-stage shellcode disguised as a PNG file. This payload uses a custom hybrid encryption combining Microsoft’s Data Protection API and the RC5 algorithm.

The RC5 encryption key is encrypted using DPAPI and stored in the first 16 bytes of perf.dat, while the RC5-encrypted payload follows. To decrypt, the encrypted RC5 key is first decrypted with DPAPI, then used to decrypt the remaining file contents.
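The two-layer scheme above is easier to reason about in code. The following is an added example, not Securelist's or the malware's code: a pure-Python RC5 implementation plus the file layout the article describes, a protected RC5 key at the start of the file followed by the RC5-encrypted payload. RC5-32/12/16, ECB mode, PKCS#7 padding and a 16-byte key region are assumptions (the article names neither the parameters nor the mode, and a real DPAPI blob is larger than 16 bytes, so `KEY_BLOB_LEN` would be adjusted for an actual sample). The DPAPI stand-in is a constructed XOR so the code runs off-Windows; on the infected host that step is `CryptUnprotectData`.

```python
# Added example (not Securelist's or the malware's code): RC5-32/12/16 and the
# "protected key, then encrypted payload" file layout. Parameters, mode, padding
# and the 16-byte key region are assumptions; the DPAPI stand-in is constructed.
import struct
from typing import Callable, List

R = 12                               # rounds (assumed: RC5-32/12/16)
MASK = 0xFFFFFFFF
P32, Q32 = 0xB7E15163, 0x9E3779B9    # RC5 magic constants for 32-bit words


def _rotl(x: int, n: int) -> int:
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK


def _rotr(x: int, n: int) -> int:
    n &= 31
    return ((x >> n) | (x << (32 - n))) & MASK


def rc5_expand_key(key: bytes) -> List[int]:
    """RC5 key schedule: derive the 2*(R+1) round subkeys from the secret key."""
    t = 2 * (R + 1)
    c = max(1, (len(key) + 3) // 4)
    L = [0] * c
    for i in range(len(key) - 1, -1, -1):          # pack key bytes into little-endian words
        L[i // 4] = ((L[i // 4] << 8) | key[i]) & MASK
    S = [0] * t
    S[0] = P32
    for i in range(1, t):
        S[i] = (S[i - 1] + Q32) & MASK
    i = j = A = B = 0
    for _ in range(3 * max(t, c)):                 # mix the key into the subkey table
        A = S[i] = _rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = _rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S


def rc5_encrypt_block(S: List[int], block: bytes) -> bytes:
    A, B = struct.unpack("<II", block)
    A, B = (A + S[0]) & MASK, (B + S[1]) & MASK
    for r in range(1, R + 1):
        A = (_rotl(A ^ B, B) + S[2 * r]) & MASK
        B = (_rotl(B ^ A, A) + S[2 * r + 1]) & MASK
    return struct.pack("<II", A, B)


def rc5_decrypt_block(S: List[int], block: bytes) -> bytes:
    A, B = struct.unpack("<II", block)
    for r in range(R, 0, -1):
        B = _rotr((B - S[2 * r + 1]) & MASK, A) ^ A
        A = _rotr((A - S[2 * r]) & MASK, B) ^ B
    return struct.pack("<II", (A - S[0]) & MASK, (B - S[1]) & MASK)


def rc5_ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB with PKCS#7 padding (both assumed; the article does not name the mode)."""
    S = rc5_expand_key(key)
    pad = 8 - len(data) % 8
    data += bytes([pad]) * pad
    return b"".join(rc5_encrypt_block(S, data[i:i + 8]) for i in range(0, len(data), 8))


def rc5_ecb_decrypt(key: bytes, data: bytes) -> bytes:
    if not data or len(data) % 8:
        raise ValueError("ciphertext must be a non-empty multiple of 8 bytes")
    S = rc5_expand_key(key)
    plain = b"".join(rc5_decrypt_block(S, data[i:i + 8]) for i in range(0, len(data), 8))
    pad = plain[-1]
    if not 1 <= pad <= 8 or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding: wrong key or corrupted file")
    return plain[:-pad]


KEY_BLOB_LEN = 16   # per the article; a real DPAPI blob is larger, adjust for real samples


def wrap_payload(payload: bytes, rc5_key: bytes, protect: Callable[[bytes], bytes]) -> bytes:
    """Build the on-disk file: protected RC5 key first, RC5-encrypted payload after it."""
    return protect(rc5_key) + rc5_ecb_encrypt(rc5_key, payload)


def unwrap_payload(file_bytes: bytes, unprotect: Callable[[bytes], bytes]) -> bytes:
    """Reverse the layout: unprotect the key, then decrypt the remaining bytes."""
    rc5_key = unprotect(file_bytes[:KEY_BLOB_LEN])
    return rc5_ecb_decrypt(rc5_key, file_bytes[KEY_BLOB_LEN:])


# Constructed stand-in for DPAPI: XOR with a fixed "machine secret". It models only
# the property that matters here (the key is unreadable without that host's secret).
_FAKE_MACHINE_SECRET = bytes(range(0xA0, 0xB0))


def fake_dpapi(blob: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(blob, _FAKE_MACHINE_SECRET))


SAMPLE_RC5_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
```

The consequence for analysts is the one the article implies: a copy of the file taken off the host is useless without the DPAPI master key material, so the payload is recovered either on the infected machine itself (pywin32's `win32crypt.CryptUnprotectData` wraps the API) or from a memory capture taken after the loader has already unprotected the key.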

The secondary loader, libpython2.4.dll, relies on a legitimate signed executable named evteng.exe to achieve stealthy loading through DLL sideloading.

Decryption of the configuration in the injected MgBot implant (Source – Securelist)

After decryption, the malware injects the MgBot implant into the legitimate svchost.exe process, allowing it to maintain persistence while avoiding detection.

The configuration includes campaign names, hardcoded command-and-control server IP addresses, and encryption keys, with some servers remaining active for multiple years.
