Mgbot

Malware updated 2 months ago (2024-07-23T12:17:38.466Z)

Download STIX

Preview STIX

MgBot is a malicious software (malware) used exclusively by the cyber threat group known as Evasive Panda. This malware, along with another custom-made Windows backdoor called Nightdoor, forms part of the group's toolkit for cyber attacks. These tools are typically delivered via malicious downloaders for both Windows and macOS systems. The MgBot malware, in particular, is designed to exploit and damage computer systems, often infiltrating through suspicious downloads, emails, or websites. Once inside a system, it can collect information about processes, disrupt operations, steal personal information, and even hold data hostage for ransom. The Evasive Panda attackers have utilized a mix of known and unknown tools, including Nightdoor and MgBot, for their operations. They have acquired servers for the command-and-control (C&C) infrastructure of these malwares, and also deployed a macOS downloader component. Both Nightdoor and MgBot possess self-uninstalling capabilities and can delete files, making them particularly evasive. Their loader components inject themselves into svchost.exe from where they load the respective backdoors. Additionally, specific global geographic visitors to certain sites were targeted with droppers and backdoors, which included Nightdoor and MgBot. Threat intelligence researchers have been able to link two variants of the Macma backdoor to MgBot by identifying overlap with another known tool, Daggerfly. This association was made possible due to the modular architecture of MgBot, which allows it to receive modules to enhance its capabilities and spy on victims. The Evasive Panda group has been known to use watering hole and supply chain tactics, targeting several networks in East Asia with these tools. The ultimate aim of the attackers is to infect website users with MgBot and Nightdoor using malicious downloaders for macOS and Windows.

Description last updated: 2024-07-23T12:15:47.258Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
MacMa	4	Macma is a malicious software (malware) first detailed by Google's Threat Analysis Group (TAG) in 2021, although it had been in use since at least 2019. Known as OSX.MacMa or simply Macma, this malware is a backdoor designed to exploit macOS systems, and has been frequently employed by the Evasive P

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Backdoor

Apt

Windows

Evasive

Dropper

Macos

Downloader

Chinese

Eset

Tool

Symantec

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

ID	Type	Votes	Profile Description
Nightdoor	Unspecified	3	Nightdoor is a complex malware attributed to the Evasive Panda APT group, a China-linked cyber-espionage team known for its diverse attack vectors and focus on surveillance of individuals and organizations in Asia and Africa. The malware was introduced by the group in 2020 and has been used alongsid

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

ID	Type	Votes	Profile Description
Evasive Panda	Unspecified	5	Evasive Panda, a threat actor group also known as Bronze Highland and Daggerfly, has been identified as a significant cybersecurity threat. This group, believed to be aligned with China, has been deploying custom implants such as MgBot, Nightdoor, and a macOS downloader component, using these tools
Daggerfly	Unspecified	4	DaggerFly, also known as Evasive Panda and Bronze Highland, is a Chinese-speaking Advanced Persistent Threat (APT) group that has been active since 2012. The group is known for its cyberespionage activities targeting individuals in mainland China, Hong Kong, Macao, and Nigeria. In addition to these
Bronze Highland	Unspecified	3	Bronze Highland, also known as Evasive Panda and Daggerfly, is a Chinese-speaking advanced persistent threat (APT) group that has been active since at least 2012. The group conducts cyberespionage against individuals in mainland China, Hong Kong, Macao, and Nigeria, along with specific organizations

Source Document References

Information about the Mgbot Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	a month ago	China's Evasive Panda Attacks ISP to Send Malicious Software Updates
InfoSecurity-magazine	a month ago	APT Group StormBamboo Attacks ISP Customers Via DNS Poisoning
Securityaffairs	a month ago	Chinese StormBamboo APT compromised ISP to deliver malware
Securityaffairs	a month ago	Chinese Daggerfly uses a new version of Macma macOS backdoor
DARKReading	a month ago	China's 'Evasive Panda' APT Spies on Taiwan Targets Across Platforms
InfoSecurity-magazine	a month ago	Chinese Espionage Group Upgrades Malware to Target All Major OS
BankInfoSecurity	2 months ago	Chinese Cyberespionage Group Expands Malware Arsenal
CERT-EU	6 months ago	Well-equipped, resourced Chinese-backed hacking group targeting Tibetan networks \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	6 months ago	China State-Sponsored Spies Hack Site and Target User Systems in Asia
CERT-EU	6 months ago	Cyber Briefing: 2024.03.08. 👉 What are the latest cybersecurity… \| by CyberMaterial \| Mar, 2024 \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	6 months ago	China Panda APT Hacking Websites To Infect Windows And MacOS Visitors With Malware \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	6 months ago	Cyber Security Week in Review: March 8, 2024
InfoSecurity-magazine	6 months ago	Evasive Panda Targets Tibet With Trojanized Software
CERT-EU	6 months ago	Evasive Panda leverages Monlam Festival to target Tibetans
DARKReading	6 months ago	China-Linked Cyber Spies Blend Watering Hole, Supply Chain Attacks
CERT-EU	a year ago	My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online
InfoSecurity-magazine	a year ago	Ukraine's CERT-UA Exposes Gamaredon's Rapid Data Theft Methods
CERT-EU	a year ago	Chinese APT Group Hijacks Software Updates for Malware Delivery \| IT Security News
CERT-EU	a year ago	Cyber security week in review: April 21, 2023
CERT-EU	a year ago	Chinese Cyberspies Delivered Malware via Legitimate Software Updates \| IT Security News