Mgbot

Malware updated 19 days ago (2024-11-29T14:04:41.610Z)

Download STIX

Preview STIX

MgBot is a malicious software (malware) discovered by ESET, designed to exploit and damage computer systems. It can infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it's capable of stealing personal information, disrupting operations, and potentially holding data hostage for ransom. The malware's operations spanned from 2022 to 2023, during which time it demonstrated several advanced capabilities, such as self-uninstallation, file deletion, system information collection, registry modification for persistence, User Account Control (UAC) bypassing, and replacing the existing Application Management service DLL path with its own. MgBot's installer uses Windows APIs to create processes, and it operates as a Windows service. The malware's loader components inject themselves into svchost.exe, from where they load either Nightdoor or MgBot backdoors. These backdoors allow the malware to exfiltrate collected data to its Command and Control (C&C) servers via UDP communication protocol. Furthermore, MgBot has been observed exploiting session cookies stolen by its plugins to access Google Drive, Gmail, and Outlook accounts without the need for direct authentication, revealing an intricate integration with CloudScout's operations. Evasive Panda, another cyber threat actor, seamlessly integrated with MgBot, further expanding the malware's reach and effectiveness. This entity acquired servers for the C&C infrastructure of Nightdoor, MgBot, and the macOS downloader component, highlighting the broad spectrum of threats posed by this collaboration. Given the sophistication and potential harm caused by MgBot, it's crucial for organizations to implement robust cybersecurity measures to detect and mitigate such threats promptly.

Description last updated: 2024-10-29T20:13:18.313Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Nightdoor is a possible alias for Mgbot. Nightdoor is a sophisticated malware developed by the threat group Evasive Panda. This malicious software, designed to exploit and damage computer systems, was first detected in 2022 alongside MgBot, another custom implant developed by the same group. The primary function of Nightdoor is to infiltra	4
MacMa is a possible alias for Mgbot. Macma is a malware, first detailed by Google in 2021, that has been used since at least 2019. It is a modular backdoor that supports multiple functionalities such as device fingerprinting, executing commands, screen capture, keylogging, audio capture, and uploading and downloading files. Macma, ofte	4
Pocostick is a possible alias for Mgbot. Pocostick, also known as MGBot, is a type of malware that exploits and damages computer systems. This malicious software infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even h	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Backdoor

Apt

Evasive

Windows

Macos

Dropper

Downloader

Chinese

Eset

Tool

Symantec

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Evasive Panda Threat Actor is associated with Mgbot. Evasive Panda, also known as StormBamboo, Daggerfly, or Bronze Highland, is a threat actor group linked to China that has been operating since at least 2012. The group primarily focuses on cyber espionage against civil society targets and has demonstrated significant technical capabilities. They hav	Unspecified	5
The Daggerfly Threat Actor is associated with Mgbot. DaggerFly, also known as Evasive Panda and StormBamboo, is a Chinese-speaking Advanced Persistent Threat (APT) group that has been active since at least 2012. The group is recognized for its cyber espionage activities against individuals and organizations in mainland China, Hong Kong, Macao, Nigeria	Unspecified	4
The Bronze Highland Threat Actor is associated with Mgbot. Bronze Highland, also known as Evasive Panda and Daggerfly, is a China-linked Advanced Persistent Threat (APT) group that has been active since at least 2012. The group primarily conducts cyber espionage against individuals in mainland China, Hong Kong, Macao, and Nigeria, as well as certain organiz	Unspecified	3

Source Document References

Information about the Mgbot Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
DARKReading	2 months ago	China's 'Evasive Panda' APT Debuts High-End Cloud Hijacking
InfoSecurity-magazine	2 months ago	Evasive Panda’s CloudScout Toolset Targets Taiwan
ESET	2 months ago	CloudScout: Evasive Panda scouting cloud services
Securityaffairs	3 months ago	China-linked APT group Salt Typhoon compromised some US ISPs
DARKReading	4 months ago	China's Evasive Panda Attacks ISP to Send Malicious Software Updates
InfoSecurity-magazine	4 months ago	APT Group StormBamboo Attacks ISP Customers Via DNS Poisoning
Securityaffairs	4 months ago	Chinese StormBamboo APT compromised ISP to deliver malware
Securityaffairs	5 months ago	Chinese Daggerfly uses a new version of Macma macOS backdoor
DARKReading	5 months ago	China's 'Evasive Panda' APT Spies on Taiwan Targets Across Platforms
InfoSecurity-magazine	5 months ago	Chinese Espionage Group Upgrades Malware to Target All Major OS
BankInfoSecurity	5 months ago	Chinese Cyberespionage Group Expands Malware Arsenal
CERT-EU	9 months ago	Well-equipped, resourced Chinese-backed hacking group targeting Tibetan networks \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	9 months ago	China State-Sponsored Spies Hack Site and Target User Systems in Asia
CERT-EU	9 months ago	Cyber Briefing: 2024.03.08. 👉 What are the latest cybersecurity… \| by CyberMaterial \| Mar, 2024 \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	9 months ago	China Panda APT Hacking Websites To Infect Windows And MacOS Visitors With Malware \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	9 months ago	Cyber Security Week in Review: March 8, 2024
InfoSecurity-magazine	9 months ago	Evasive Panda Targets Tibet With Trojanized Software
CERT-EU	9 months ago	Evasive Panda leverages Monlam Festival to target Tibetans
DARKReading	9 months ago	China-Linked Cyber Spies Blend Watering Hole, Supply Chain Attacks
CERT-EU	a year ago	My Tea's not cold : an overview of China's cyber threat – Global Security Mag Online