Full Report
Kaspersky GReAT experts analyze the Evasive Panda APT's infection chain, including shellcode encrypted with DPAPI and RC5, as well as the MgBot implant.
Analysis Summary
# Threat Actor: Evasive Panda
## Attribution & Identity
The threat actor is identified as **Evasive Panda APT**, analyzed by Kaspersky GReAT experts. The context does not provide any known alternative aliases or direct attribution to a specific nation-state, only the group name itself.
## Activity Summary
The analyzed activity is Evasive Panda's infection chain as reconstructed by Kaspersky GReAT: the stages that decrypt and execute shellcode protected with DPAPI and RC5, ending in deployment of the MgBot implant on compromised hosts. The provided context does not describe the initial access vector or a persistence mechanism.
## Tactics, Techniques & Procedures
- Shellcode in the infection chain is **encrypted with DPAPI and RC5**. RC5 is a standard block cipher, so stripping that layer needs its symmetric key; DPAPI (CryptProtectData / CryptUnprotectData) binds the protected data to the user or machine context that created it, so that layer only decrypts on the infected host and frustrates sandbox detonation and offline analysis. The provided context does not state the order of the two layers or how the RC5 key is derived.
- The **MgBot implant** is deployed to maintain access after compromise.
## Targeting
- **Sectors:** Not detailed in the provided context.
- **Geography:** Not explicitly detailed in the provided context.
- **Victims:** Not explicitly detailed in the provided context.
## Tools & Infrastructure
- **Malware families used:** **MgBot implant**.
- **Infrastructure:** No C2 domains, IP addresses or hosting details are given in the provided context. DPAPI and RC5 are the layers protecting the shellcode during delivery and execution, not infrastructure.
## Implications
Evasive Panda layers a Windows-native protection mechanism (DPAPI) with a conventional block cipher (RC5) over its shellcode. The RC5 layer keeps the payload from matching static signatures during the initial stages of compromise; the DPAPI layer additionally ties decryption to the compromised user or machine context, so the same sample is unlikely to yield its shellcode in a sandbox or on an analyst workstation. The use of a dedicated implant, MgBot, points to established tooling for long-term espionage or data exfiltration rather than a one-off intrusion.
## Mitigations
- Defend against the decryption-and-execution step rather than the stored blob: shellcode protected with DPAPI and RC5 will not match static signatures, so detection has to key on behaviour such as DPAPI unprotect calls followed by executable memory allocation, thread creation or injection in the same process.
- Ensure endpoint detection and response (EDR) telemetry covers the API calls associated with in-memory execution and process injection, and retains enough context to tie the decrypted payload back to the loader that produced it.
- Hunt for indicators of the **MgBot implant** family from the Kaspersky report; the provided context lists none.
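As an added example (not code from the Kaspersky report or from the Evasive Panda toolset), the RC5 layer named in the TTPs above and the hunting angle in the mitigations, handled in one Python block: a parameterised RC5 implementation an analyst can point at a blob carved from a sample once the key, round count and word size have been recovered from the loader, plus a scanner for the cipher's key-schedule constants, which is how RC5 is usually spotted in unpacked code in the first place. The key, the payload and the "unpacked code" buffer are constructed placeholders; the actor's real parameters, and the order of the DPAPI and RC5 layers, are not given in this context and are not assumed here.

```python
"""RC5 decryptor and constant scanner for triaging RC5-protected payloads.

Added example, not code from the Kaspersky report or from the Evasive Panda
toolset. Key, rounds, word size and the sample payload below are constructed
for illustration; the real loader's parameters are not given in this context.
"""
import struct

# Key-schedule magic constants P_w = Odd((e-2)*2^w), Q_w = Odd((phi-1)*2^w).
MAGIC = {
    16: (0xB7E1, 0x9E37),
    32: (0xB7E15163, 0x9E3779B9),
    64: (0xB7E151628AED2A6B, 0x9E3779B97F4A7C15),
}


class RC5:
    """RC5-w/r/b (Rivest, 1994). Words are little-endian, as in the reference C code."""

    def __init__(self, key: bytes, rounds: int = 12, w: int = 32):
        if w not in MAGIC:
            raise ValueError("word size must be 16, 32 or 64")
        self.w, self.rounds = w, rounds
        self.mask = (1 << w) - 1
        self.fmt = {16: "<HH", 32: "<II", 64: "<QQ"}[w]
        self.S = self._expand_key(key)

    def _rotl(self, x, n):
        n %= self.w
        return ((x << n) | (x >> (self.w - n))) & self.mask

    def _rotr(self, x, n):
        n %= self.w
        return ((x >> n) | (x << (self.w - n))) & self.mask

    def _expand_key(self, key: bytes):
        P, Q = MAGIC[self.w]
        u = self.w // 8                      # bytes per word
        c = max(1, (len(key) + u - 1) // u)  # number of key words
        L = [0] * c
        for i in reversed(range(len(key))):  # pack key bytes little-endian into L
            L[i // u] = ((L[i // u] << 8) + key[i]) & self.mask
        t = 2 * (self.rounds + 1)
        S = [(P + i * Q) & self.mask for i in range(t)]
        i = j = A = B = 0
        for _ in range(3 * max(t, c)):       # mix S and L together
            A = S[i] = self._rotl((S[i] + A + B) & self.mask, 3)
            B = L[j] = self._rotl((L[j] + A + B) & self.mask, A + B)
            i, j = (i + 1) % t, (j + 1) % c
        return S

    def encrypt_block(self, A, B):
        A = (A + self.S[0]) & self.mask
        B = (B + self.S[1]) & self.mask
        for i in range(1, self.rounds + 1):
            A = (self._rotl(A ^ B, B) + self.S[2 * i]) & self.mask
            B = (self._rotl(B ^ A, A) + self.S[2 * i + 1]) & self.mask
        return A, B

    def decrypt_block(self, A, B):
        for i in range(self.rounds, 0, -1):
            B = self._rotr((B - self.S[2 * i + 1]) & self.mask, A) ^ A
            A = self._rotr((A - self.S[2 * i]) & self.mask, B) ^ B
        return (A - self.S[0]) & self.mask, (B - self.S[1]) & self.mask

    def _ecb(self, data: bytes, fn) -> bytes:
        bs = self.w // 4                     # two words per block
        if len(data) % bs:
            raise ValueError("input must be a multiple of %d bytes" % bs)
        out = bytearray()
        for off in range(0, len(data), bs):
            A, B = struct.unpack(self.fmt, data[off:off + bs])
            out += struct.pack(self.fmt, *fn(A, B))
        return bytes(out)

    def encrypt(self, data: bytes) -> bytes:
        return self._ecb(data, self.encrypt_block)

    def decrypt(self, data: bytes) -> bytes:
        return self._ecb(data, self.decrypt_block)


def find_rc5_constants(blob: bytes, w: int = 32) -> dict:
    """Offsets of the RC5 P_w/Q_w constants in a blob (unpacked code, memory dump).
    Q_32 is also the TEA/XTEA delta, so a lone Q hit is weak evidence; P and Q
    appearing together are the signal worth a closer look."""
    size = {16: "<H", 32: "<I", 64: "<Q"}[w]
    hits = {}
    for name, value in zip(("P", "Q"), MAGIC[w]):
        pat = struct.pack(size, value)
        offs, start = [], 0
        while (idx := blob.find(pat, start)) != -1:
            offs.append(idx)
            start = idx + 1
        hits[name] = offs
    return hits


# Constructed stand-ins: not the actor's key and not real shellcode.
SAMPLE_KEY = bytes(range(16))
SAMPLE_PAYLOAD = b"constructed placeholder stage, not shellcode".ljust(48, b"\x00")


def demo():
    """Encrypt the placeholder the way a loader would store it, then recover it."""
    cipher = RC5(SAMPLE_KEY, rounds=12, w=32)
    blob = cipher.encrypt(SAMPLE_PAYLOAD)
    recovered = cipher.decrypt(blob)
    # Constructed "unpacked code" buffer carrying both constants, to show what
    # the scanner flags in a loader that embeds an RC5 key schedule.
    fake_code = (b"\x90" * 8 + struct.pack("<I", MAGIC[32][0])
                 + b"\xcc" * 4 + struct.pack("<I", MAGIC[32][1]))
    return blob, recovered, find_rc5_constants(fake_code)


if __name__ == "__main__":
    blob, recovered, hits = demo()
    print("ciphertext:", blob.hex())
    print("recovered :", recovered.rstrip(b"\x00").decode())
    print("RC5 constant offsets:", hits)
```

The DPAPI layer is deliberately absent: CryptUnprotectData only succeeds in the user or machine context that called CryptProtectData, so that stage has to be unwrapped on the infected host (or with its DPAPI master keys), after which the RC5 layer can be removed offline as shown. Validate the implementation against the RC5-32/12/16 test vectors in Rivest's paper before trusting it on a real sample, since loaders frequently use non-standard round counts and word sizes, and treat Q_32 hits on their own with suspicion because the same constant appears in TEA and XTEA.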