Mgbot

Malware Profile Updated 4 days ago
MgBot is malware used exclusively by the cyber threat group tracked as Evasive Panda. Together with Nightdoor, a custom-made Windows backdoor, it forms part of the group's toolkit, and both are typically delivered by malicious downloaders for Windows and macOS. MgBot is designed to exploit and damage computer systems and commonly infiltrates through suspicious downloads, emails, or websites. Once inside a system it can collect information about running processes, disrupt operations, steal personal information, and even hold data hostage for ransom.

In its operations Evasive Panda has used a mix of known and previously unknown tools, including Nightdoor and MgBot. The group has acquired servers for the command-and-control (C&C) infrastructure of this malware and has also deployed a macOS downloader component. Both Nightdoor and MgBot can uninstall themselves and delete files, which makes them particularly evasive. Their loader components inject themselves into svchost.exe and load the respective backdoors from there. Visitors to certain websites from specific geographic regions were targeted with droppers and backdoors, among them Nightdoor and MgBot.

Threat intelligence researchers have linked two variants of the Macma backdoor to MgBot by identifying overlap with another known tool, Daggerfly. This association was made possible by the modular architecture of MgBot, which lets it receive modules that extend its capabilities and spy on victims. Evasive Panda is known to use watering hole and supply chain tactics, targeting several networks in East Asia with these tools. The attackers' ultimate aim is to infect website users with MgBot and Nightdoor through malicious downloaders for macOS and Windows.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
svchost.exe | 1 | Svchost.exe is a malware that exploits and damages computer systems by injecting malicious code into various processes. This harmful program can infiltrate your system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, di
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware, Backdoor, APT, Windows, Evasive, Dropper, ESET, Symantec, Downloader, Chinese, Tool, macOS, Loader, Espionage, T1016, Apache, At, T1082, T1555.003, Payload, Exploit, Vulnerability, T1543.003, T1548.002, T1041, T1112, T1569.002, T1055.002, T1539, T1056.001, T1587.001, T1083, T1095, T1140, T1560.002, T1123, T1059.003, T1106, T1027, T1119, T1115, T1025, T1114.001, AITM, T1113, T1074.001, Android
Associated Malware
ID | Type | Votes | Profile Description
Nightdoor | Unspecified | 3 | Nightdoor is a complex malware attributed to the Evasive Panda APT group, a China-linked cyber-espionage team known for its diverse attack vectors and focus on surveillance of individuals and organizations in Asia and Africa. The malware was introduced by the group in 2020 and has been used alongsid
MacMa | Unspecified | 3 | Macma is a potent malware that has been linked to the cyber-espionage group known as Daggerfly, also tracked as Evasive Panda and Bronze Highland. The malware, sometimes referred to as OSX.MacMa, was discovered loaded onto iPhone and macOS devices, enabling unauthorized access and data theft. Threat
PlugX | Unspecified | 1 | PlugX is a notorious malware, typically associated with Chinese threat actors, that has been used in various cyberattacks. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. It
Associated Threat Actors
ID | Type | Votes | Profile Description
Evasive Panda | Unspecified | 5 | Evasive Panda, a threat actor group also known as Bronze Highland and Daggerfly, has been identified as a significant cybersecurity threat. This group, believed to be aligned with China, has been deploying custom implants such as MgBot, Nightdoor, and a macOS downloader component, using these tools
Daggerfly | Unspecified | 4 | DaggerFly, also known as Evasive Panda and Bronze Highland, is a Chinese-speaking Advanced Persistent Threat (APT) group that has been active since 2012. The group is known for its cyberespionage activities targeting individuals in mainland China, Hong Kong, Macao, and Nigeria. In addition to these
Bronze Highland | Unspecified | 3 | Bronze Highland, also known as Evasive Panda and Daggerfly, is a Chinese-speaking advanced persistent threat (APT) group that has been active since at least 2012. The group conducts cyberespionage against individuals in mainland China, Hong Kong, Macao, and Nigeria, along with specific organizations
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the Mgbot malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Securityaffairs | 3 days ago | Chinese Daggerfly uses a new version of Macma macOS backdoor
DARKReading | 3 days ago | China's 'Evasive Panda' APT Spies on Taiwan Targets Across Platforms
InfoSecurity-magazine | 3 days ago | Chinese Espionage Group Upgrades Malware to Target All Major OS
BankInfoSecurity | 4 days ago | Chinese Cyberespionage Group Expands Malware Arsenal
CERT-EU | 5 months ago | Well-equipped, resourced Chinese-backed hacking group targeting Tibetan networks | National Cyber Security Consulting
CERT-EU | 5 months ago | China State-Sponsored Spies Hack Site and Target User Systems in Asia
CERT-EU | 5 months ago | Cyber Briefing: 2024.03.08. What are the latest cybersecurity… | by CyberMaterial | Mar, 2024 | National Cyber Security Consulting
CERT-EU | 5 months ago | China Panda APT Hacking Websites To Infect Windows And MacOS Visitors With Malware | National Cyber Security Consulting
CERT-EU | 5 months ago | Cyber Security Week in Review: March 8, 2024
InfoSecurity-magazine | 5 months ago | Evasive Panda Targets Tibet With Trojanized Software
CERT-EU | 5 months ago | Evasive Panda leverages Monlam Festival to target Tibetans
DARKReading | 5 months ago | China-Linked Cyber Spies Blend Watering Hole, Supply Chain Attacks
CERT-EU | 10 months ago | My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online
InfoSecurity-magazine | a year ago | Ukraine's CERT-UA Exposes Gamaredon's Rapid Data Theft Methods
CERT-EU | a year ago | Chinese APT Group Hijacks Software Updates for Malware Delivery | IT Security News
CERT-EU | a year ago | Cyber security week in review: April 21, 2023
CERT-EU | a year ago | Chinese Cyberspies Delivered Malware via Legitimate Software Updates | IT Security News
CERT-EU | a year ago | Chinese Cyberspies Delivered Malware via Legitimate Software Updates | Antivirus and Security news
CERT-EU | a year ago | Cyber security week in review: April 28, 2023
DARKReading | a year ago | China's 'Evasive Panda' Hijacks Software Updates to Deliver Custom Backdoor