August 5, 2024 at 01:24AM
Evasive Panda, a sophisticated China-linked cyber espionage group, compromised an internet service provider and used that position to poison DNS responses, so that target companies' software update checks were steered to attacker-controlled servers that delivered malware in place of legitimate updates. The group has been active since at least 2012 and uses a range of malware, including a macOS strain called MACMA. It has reached its targets through supply chain attacks, DNS poisoning, and malicious browser extensions used for data exfiltration.
The meeting notes of August 5, 2024 describe Evasive Panda as a highly sophisticated cyber espionage group, active since at least 2012, that uses malware families such as MgBot, Nightdoor, and MACMA. Rather than attacking its intended targets head-on, the group compromises third parties, in particular internet service providers, and abuses that access to reach the organizations it is actually after.
Some key points from the meeting notes include:
– Evasive Panda compromised an unnamed internet service provider and, from that position, poisoned DNS answers for software update domains so that target companies received malicious updates from attacker-controlled servers. Subverting the ISP rather than the vendor or the victim is a new level of sophistication for the group.
– The group is known to use a macOS malware strain called MACMA as well as backdoors such as MgBot and Nightdoor, showing that it fields different malware across its campaigns.
– Evasive Panda targeted an international non-governmental organization in Mainland China with MgBot delivered through the update channels of legitimate applications such as Tencent QQ; the notes attribute that delivery to DNS poisoning at the ISP level.
– The group also deployed a Google Chrome extension on a victim's macOS device to exfiltrate browser cookies to an adversary-controlled Google Drive account.
Overall, the meeting notes underscore the effort Evasive Panda invests in abusing insecure update mechanisms together with DNS poisoning. The practical implication is that any update client that fetches its manifest and binaries over plain HTTP, and trusts whatever address its resolver returns, can be hijacked even when the vendor's own infrastructure is untouched; update traffic of that kind, and resolver answers that point an update host at an unexpected network, are the signals a defender should be watching for. These insights will be important in formulating an effective response to the threat posed by Evasive Panda.
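As an added illustration of how the two warning signs above can be turned into detection logic (this is example code written for these notes, not code from the page, from Evasive Panda's tooling, or from any vendor), the following script runs over constructed resolver and proxy log lines. The vendor name update.example-vendor.test, the expected network 203.0.113.0/24, the rogue address 198.51.100.7, and the log formats are all hypothetical; the idea is that a poisoned ISP resolver still answers the real update hostname, but with an address the vendor never announced, and that an update client talking plain HTTP then pulls its manifest and binary from that impostor.

```python
import ipaddress

# Constructed allow-list of networks a vendor's update host should resolve to.
# Hypothetical vendor name and documentation-range IPs, not any real vendor's.
EXPECTED_UPDATE_NETS = {
    "update.example-vendor.test": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed resolver log: "<unix_ts> <client> <query_name> <answer_ip>".
# The last two answers model the ISP resolver being poisoned.
DNS_LOG = """\
1722816000 10.0.0.21 update.example-vendor.test 203.0.113.10
1722816060 10.0.0.21 update.example-vendor.test 203.0.113.10
1722816120 10.0.0.21 update.example-vendor.test 198.51.100.7
1722816180 10.0.0.34 update.example-vendor.test 198.51.100.7
"""

# Constructed proxy log: "<unix_ts> <client> <method> <scheme> <host> <path> <user_agent>".
HTTP_LOG = """\
1722816125 10.0.0.21 GET http update.example-vendor.test /update/manifest.xml VendorUpdater/3.1
1722816126 10.0.0.21 GET http update.example-vendor.test /update/Update.exe VendorUpdater/3.1
1722816200 10.0.0.34 GET https www.example-vendor.test / Mozilla/5.0
"""


def dns_anomalies(log, expected=EXPECTED_UPDATE_NETS):
    """Return answers for watched update hosts that fall outside their expected networks.

    This is the observable of ISP-level poisoning: the query is for the genuine
    vendor name, but the A record points somewhere the vendor never announced.
    """
    hits = []
    for line in log.splitlines():
        ts, client, name, answer = line.split()
        nets = expected.get(name)
        if nets is None:
            continue  # not an update host we watch
        addr = ipaddress.ip_address(answer)
        if not any(addr in net for net in nets):
            hits.append({"ts": int(ts), "client": client, "name": name, "answer": answer})
    return hits


def plaintext_update_fetches(log, watched_hosts=EXPECTED_UPDATE_NETS):
    """Return update-client requests sent over plain HTTP to a watched host.

    Without TLS the client cannot notice that a poisoned answer sent it to an
    impostor; the manifest and the binary both come from the attacker.
    """
    hits = []
    for line in log.splitlines():
        ts, client, method, scheme, host, path, ua = line.split(maxsplit=6)
        if host in watched_hosts and scheme == "http":
            hits.append({"ts": int(ts), "client": client, "host": host,
                         "path": path, "ua": ua})
    return hits


def correlate(dns_hits, http_hits, window_s=300):
    """Pair each plaintext fetch with a rogue DNS answer the same client got for
    the same host within window_s seconds before it. Both together are a strong
    indicator that the update was hijacked rather than a one-off DNS glitch."""
    alerts = []
    for h in http_hits:
        for d in dns_hits:
            if (d["client"] == h["client"] and d["name"] == h["host"]
                    and 0 <= h["ts"] - d["ts"] <= window_s):
                alerts.append({"ts": h["ts"], "client": h["client"], "host": h["host"],
                               "rogue_ip": d["answer"], "path": h["path"]})
                break
    return alerts


if __name__ == "__main__":
    for a in correlate(dns_anomalies(DNS_LOG), plaintext_update_fetches(HTTP_LOG)):
        print(f"[HIJACKED UPDATE] {a['client']} fetched http://{a['host']}{a['path']} "
              f"after the resolver returned {a['rogue_ip']}")
```

In the constructed data both plaintext fetches from 10.0.0.21 land within seconds of the rogue answer, so two alerts fire; the HTTPS browser visit from 10.0.0.34 is not flagged even though that client also received the poisoned answer. Because the victim's own resolver is the thing being subverted, the allow-list should come from an out-of-band source (vendor documentation or an independent resolver) rather than from historical answers of the same ISP resolver.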