Chinese-speaking hackers compromised Tencent app to spy on nonprofit, report says

An alleged Chinese government-backed hacking group targeted a nonprofit organization in China with custom malware designed to spy on its victims and collect data from their devices, according to new cybersecurity research.

In its report, cybersecurity company ESET did not reveal the name of the organization. The researcher who investigated the incident, Facundo Muñoz, told The Record that it was a “high-profile international NGO” operating in two Chinese provinces.

Researchers attributed the activity to the advanced persistent threat (APT) group Evasive Panda, also known as Bronze Highland and Daggerfly. Active since at least 2012, Evasive Panda conducts espionage against individuals and government entities in mainland China, Hong Kong, Nigeria, Myanmar, the Philippines, Taiwan and Vietnam.

The campaign inside China began in 2020 and continued throughout 2021, ESET said. Evasive Panda delivered malware to victims through the QQ messaging software developed by Chinese tech giant Tencent.

The software was infected with Evasive Panda’s flagship backdoor called MgBot and was able to perform automatic updates, the report said.

The MgBot backdoor installer was detected and removed when it was downloaded on the victim's computer, according to Muñoz. “Therefore, we assess that the attempts to compromise victims were not successful,” he said.

MgBot is a Windows backdoor that has existed since at least 2012 and is used to steal files and credentials and record keystrokes. In April, Evasive Panda used the malware to target a telecom company in Africa.

The majority of MgBot’s plugins are designed to steal information from popular Chinese applications such as QQ, WeChat, QQBrowser, and Foxmail — all developed by Tencent.

Supply chain or something else?

It is currently unclear how the hackers were able to use legitimate updates to deliver the malware, the report said.

ESET is considering two scenarios: a supply chain compromise of Tencent QQ's update servers, or an adversary-in-the-middle attack, in which hackers intercept data in transit between two devices or by impersonating a legitimate website or network.

If the QQ update servers were compromised, hackers could use this access to distinguish which users would receive either the compromised or legitimate updates, according to ESET. The company has previously investigated a comparable supply-chain attack that was used in an espionage operation aimed at online gaming communities in Asia.

The adversary-in-the-middle attack would be possible if the attackers were able to compromise vulnerable devices such as routers or gateways. In 2019, ESET researchers discovered that the Chinese APT group known as BlackTech was performing this type of attack through Asus routers and delivering malware through the devices' software updates.

“With access to ISP backbone infrastructure — through legal or illegal means — Evasive Panda would be able to intercept and reply to the update requests performed via HTTP, or even modify packets on the fly,” Muñoz said.

Without further evidence, ESET cannot prove or discard one hypothesis in favor of the other.

“Many questions are left unanswered,” the researchers said. “We reached out to Tencent’s Security Response Center, but it could not confirm whether the full URL from where the malware was downloaded was legitimate.”