Related Families: Macma, Suzafk
Verticals Targeted: NGO
Executive Summary
Evasive Panda recently updated its arsenal to include new TTPs and updated versions of existing malware. They were also observed using a shared framework for malware targeting Windows, Linux, MacOS, and Android systems.
Key Takeaways
- Evasive Panda recently updated its arsenal to include new TTPs and updated versions of existing malware.
- They were also observed using a shared framework for malware targeting Windows, Linux, MacOS, and Android systems.
- Updated malware includes Macma and Suzafk/Nightdoor backdoors.
- Other evidence of the group’s evolving capabilities includes the ability to trojanize APKs, SMS interception tools, and DNS request interception tools.
New TTPs Observed
Evasive Panda recently updated its arsenal to include new TTPs and updated versions of existing malware. They were also observed using a shared framework for malware targeting Windows, Linux, MacOS, and Android systems. Evasive Panda’s most recent campaign targeted entities in Taiwan and a US NGO base in China. Symantec reported on this activity.
Evasive Panda has reportedly updated its Macma backdoor. Macma is a modular backdoor that facilitates device fingerprinting, command execution, screen capture, keylogging, audio capture, and uploading and downloading files. The updated Macma backdoor variants exhibit an evolution of the malware. One new variant includes a different main module than previous versions. Another new variant shows evidence of incremental updates to existing functionality, including updated modules, file directory paths, filenames, and additional debug logging. This variant’s main module has also undergone updates.
While Macma was previously observed in the wild as early as 2019, it was only recently linked to Evasive Panda. Symantec researchers found evidence that points to Macma being associated with Evasive Panda, including use of infrastructure that was also used by an MgBot dropper and code from a shared library or framework. Evasive Panda has used this library to build malware to target Windows, MacOS, Linux, and Android.
Earlier this year, Evasive Panda was also observed using a new version of a Windows backdoor. The backdoor, known as Suzafk, Nightdoor, or NetMM, was developed using the same library mentioned above. Suzafk is a multistage backdoor that can use either TCP or OneDrive for C2.
Symantec also noted other examples of evolved Evasive Panda capabilities. In addition to being able to target most major OS platforms, Evasive Panda also has malware families that can target Solaris OS. They have the capability to trojanize APKs. They also have SMS interception tools and DNS request interception tools.
Who is Evasive Panda?
Evasive Panda, also known as Bronze Highland and Daggerfly, is a China aligned threat actor group. Evasive Panda has been active since at least 2012 and is known to conduct espionage campaigns against individual targets in China, Hong Kong, Macao, and Nigeria. They have also targeted government entities in Southeast and East Asia, telecommunications entities in Africa, and unspecified entities in Hong Kong, India, and Malaysia.
The group is known to use adversary in the middle attacks, hijacking updates of legitimate software to deliver its backdoors. Other Evasive Panda TTPs include use of a custom malware framework with modular architecture and the MgBot and Nightdoor backdoors. Earlier this year, Evasive Panda was observed targeting Tibetans using a combination of strategic web compromise and supply chain attacks to deliver Nightdoor.
IOCs
PolySwarm has multiple samples associated with this activity.
003764fd74bf13cff9bf1ddd870cbf593b23e2b584ba4465114023870ea6fbef
1f5e4d2f71478518fe76b0efbb75609d3fb6cab06d1b021d6aa30db424f84a5e
dad13b0a9f5fde7bcdda3e5afa10e7d83af0ff39288b9f11a725850b1e6f6313
570cd76bf49cf52e0cb347a68bdcf0590b2eaece134e1b1eba7e8d66261bdbe6
eff1c078895bbb76502f1bbad12be6aa23914a4d208859d848d5f087da8e35e0
d8a49e688f214553a7525be96cadddec224db19bae3771d14083a2c4c45f28eb
5687b32cdd5c4d1b3e928ee0792f6ec43817883721f9b86ec8066c5ec2791595
49079ea789e75736f8f8fad804da4a99db52cbaca21e1d2b6d6e1ea4db56faad
5c52e41090cdd13e0bfa7ec11c283f5051347ba02c9868b4fddfd9c3fc452191
3894a8b82338791764524fddac786a2c5025cad37175877959a06c372b96ef05
You can use the following CLI command to search for all Evasive Panda samples in our portal:
$ polyswarm link list -t EvasivePanda
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.