Cybersecurity researchers from ESET have detected a highly targeted, advanced cyber-espionage campaign abusing a legitimate Chinese messaging app to deliver a potent infostealer.
In the campaign, a threat actor known as Evasive Panda used an update to the Tencent QQ messaging app to deliver an infostealing malware (opens in new tab) known as MsgBot.
MsgBot is capable of many things, including logging keys on specific Tencent apps, stealing files from hard drives and USB disks, monitoring the clipboard, grabbing input and output audio streams, stealing passwords for Outlook and Foxmail, as well as the credentials and cookies stored in popular browsers (Chrome, Firefox, Opera, and others). It can also steal message history from the Tencent QQ app, and information from Tencent WeChat.
Targeting NGOs
The attackers did not cast a wide net with this infostealer. In fact, they targeted a handful of people. ESET says that the majority of the targets were members of an international non-government organization (NGO) located in three separate Chinese provinces: Gansu, Guangdong, and Jiangsu.
The group behind the campaign, called Evasive Panda, has allegedly been active for more than a decade (since 2012) and has, during that time, targeted countless organizations and individuals in China, Hong Kong, Macao, and other countries around Asia. This particular campaign has been active for more than three years, ESET claims, saying it most likely began back in 2020.
While the researchers know who runs the campaign, who the targets are, and which tools are being used, the “how” remains a mystery. ESET currently has two possible scenarios of how Evasive Panda infected these endpoints with MsgBot – either a supply chain attack or an adversary-in-the-middle attack.
With a supply chain attack, Evasive Panda would need to infiltrate Tencent’s network, identify an upcoming update for the Tencent QQ app and infect it with malware. In an adversary-in-the-middle attack, the payload would need to be hijacked and trojanized in transit.
Both scenarios are plausible, ESET says.
Via: BleepingComputer (opens in new tab)
